Old 03-08-2010, 10:20 AM   #1
Registered Member
 
Join Date: Jan 2010
Posts: 5
OS: Win 7 64-Bit


Surprised: System infected with "Vista Antivirus 2010" malware

A few days ago, the windows for "Vista Antivirus 2010" started popping up on my screen, and in my sleep deprived state, I had the genius idea of doing a system restore before anything else. No idea what lasting damage may have been done by it, but I suppose that'll show up in the logs.

At any rate, my machine's still mostly usable, just much slower, and with annoying pop-ups every time I open an application, which opens anywhere between one and twenty "av.exe" processes, usually all shutting down after I end one. I'm not the only one using this computer, so I couldn't tell you everything that's gone on in it, but I do know that until I uninstalled them for this, it had Bittorrent and Daemon Tools Lite.

I'm running Vista 32-bit on an HP machine. It wasn't shipped with an installation disc. All I actually have is a recovery disc I downloaded from Neosmart, that seems to work but I have no idea how to actually use it. Not sure what else there is to say, so heeeeeeeere's a DDS report! I noticed at the top it says some Norton features were enabled. I've tried disabling every feature and it invariably says this after scanning. Is this a problem? If it is, I'd guess it applies to the other logs as well, but I don't know how to fix it short of uninstalling Norton.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 10:51:35.94 on Sun 03/07/2010
Internet Explorer: 7.0.6000.16890 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.414 [GMT -8:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spyware Doctor *disabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Owner\AppData\Local\av.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\rundll32.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Vista & XP Virtual Desktops\Virtual Desktops.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Users\Owner\AppData\Local\Apps\2.0\4E1QN99N.MBN\59A2O8JP.HO0\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.5.0.127\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Ask Toolbar BHO: {f4d76f01-7896-458a-890f-e1f05c46069f} - c:\program files\askpbar\bar\1.bin\ASKPBAR.DLL
TB: Ask Toolbar: {f4d76f09-7896-458a-890f-e1f05c46069f} - c:\program files\askpbar\bar\1.bin\ASKPBAR.DLL
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [SnapfishMediaDetector] c:\program files\snapfish media detector\SnapfishMediaDetector.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [USBToolTip] "c:\program files\pinnacle\shared files\\programs\usbtip\USBTip.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\owner\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\hamachi.lnk - c:\program files\hamachi\hamachi.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\vista&~1.lnk - c:\users\owner\appdata\roaming\microsoft\installer\{f4735c64-9a74-4e48-894b-1ca5d83b99c8}\MainIcon.ico
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish media detector\SnapfishMediaDetector.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\lq42bxut.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\lq42bxut.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\programdata\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-30 130936]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1105000.07f\symds.sys [2010-1-11 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1105000.07f\symefa.sys [2010-1-11 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-2-11 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1105000.07f\cchpx86.sys [2010-1-11 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100224.002\IDSvix86.sys [2010-2-25 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1105000.07f\ironx86.sys [2010-1-11 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1105000.07f\symtdiv.sys [2010-1-11 340016]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.5.0.127\ccsvchst.exe [2010-1-11 126392]
S2 gupdate1ca6fdc6d6e2fcf;Google Update Service (gupdate1ca6fdc6d6e2fcf);c:\program files\google\update\GoogleUpdate.exe [2009-11-27 133104]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-9 102448]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-8-30 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-8-30 1097096]

=============== Created Last 30 ================

2010-03-05 16:09:23 0 d-----w- c:\program files\IObit
2010-03-05 14:42:38 0 d-----w- c:\program files\OGPlanet
2010-03-04 10:44:24 0 d-----w- c:\programdata\Real
2010-03-02 12:58:48 0 d-----w- c:\program files\Vista & XP Virtual Desktops
2010-02-18 12:29:29 0 d-----w- C:\Fraps
2010-02-14 06:37:16 0 d-----w- c:\users\owner\Tracing
2010-02-14 06:35:06 0 d-----w- c:\program files\Microsoft
2010-02-14 06:33:12 0 d-----w- c:\program files\Windows Live SkyDrive
2010-02-14 06:29:36 0 d-----w- c:\program files\common files\Windows Live
2010-02-11 10:42:56 86016 ----a-w- c:\windows\system32\frapsvid.dll

==================== Find3M ====================

2010-01-11 07:17:47 80634 ----a-w- c:\windows\War3Unin.dat
2010-01-10 04:19:34 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-30 01:53:32 320 ----a-w- c:\users\owner\appdata\roaming\wklnhst.dat
2009-12-09 22:35:11 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-09 22:35:10 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-12-09 22:35:10 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-08 12:43:49 69 ----a-w- c:\users\owner\jagex_runescape_preferences2.dat
2009-12-08 11:21:18 39 ----a-w- c:\users\owner\jagex_runescape_preferences.dat
2008-12-12 11:22:37 174 --sha-w- c:\program files\desktop.ini
2008-06-11 10:17:16 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2002-07-27 02:02:06 153088 ----a-w- c:\program files\UNWISE.EXE

============= FINISH: 10:54:37.29 ===============

On a possibly unrelated note, in another sleep-drunken fit, I plugged my video iPod Classic into the same machine when I was less than 10 yards from a clean one, and it's since been behaving strangely. If it's unplugged it just says "safe to disconnect", if plugged in it just says "charging, please wait", with an unusual black/white background that looks more like a Mac screen from the 80's than any iPod I've ever seen. It seems possible it's just an energy saving thing and it just got stuck that way somehow (no amount of charging has made it leave that screen, and it refuses to turn off/reset) but since it happened at the same time, I figure I may as well ask around.

Thanks in advance, any help with either problem would be greatly appreciated!
Attached Files
File Type: zip attach.zip (7.0 KB, 3 views)

__________________
Yaztrak
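The DDS report above is read by eye by the helper, but the indicators it surfaces are regular enough to check mechanically. As an added example (not part of the original post, and not a feature of DDS or ComboFix), the script below applies five of those checks to DDS text: an executable sitting directly in a user-writable profile directory (the av.exe in C:\Users\Owner\AppData\Local), UAC switched off (EnableLUA = 0), Firefox search prefs pointing at a host that is not a known search provider (the www2.yoog.com redirect), orphaned "No File" BHO/toolbar entries, and protection products the header reports as disabled. The rule names, the allowlist of search hosts and the sample lines are constructed for the example; the sample lines are copied or shortened from this thread's log, with the ClickOnce path abbreviated.

```python
"""Triage a DDS log for the indicators called out in this thread.

Hypothetical helper, not part of DDS or ComboFix: it scans the text of a
DDS report and returns one finding per suspicious line.
"""
import re
from urllib.parse import urlparse

# Search hosts treated as normal (an assumption for this example); anything
# else in a search pref is reported.
KNOWN_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}

# Executable directly under AppData\Local, AppData\Roaming, or any Temp directory.
# ClickOnce apps deeper under AppData\Local\Apps\2.0\... deliberately do not match.
USER_WRITABLE_EXE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\(?:local|roaming)|.*\\temp)"
    r"\\[^\\]+\.(?:exe|scr|com|dll)$",
    re.IGNORECASE,
)
UAC_OFF = re.compile(r"\bEnableLUA\s*=\s*0\b", re.IGNORECASE)
ORPHANED = re.compile(r"^(?:BHO|TB):.*- No File$")
SEARCH_PREF = re.compile(
    r"^FF - (?:prefs|user)\.js: (?:browser\.search\.defaulturl|keyword\.URL) - (\S+)$",
    re.IGNORECASE,
)
PROTECTION = re.compile(r"^(?:AV|SP|FW): .+? \*([^*]+)\*")

# Constructed sample: lines copied (or shortened) from the DDS report in this
# thread, plus benign lines so the rules have something to ignore.
SAMPLE_DDS = r"""
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Owner\AppData\Local\av.exe
C:\Users\Owner\AppData\Local\Apps\2.0\X\Y\CurseClient.exe
C:\Program Files\Winamp\winampa.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
mPolicies-system: EnableLUA = 0 (0x0)
FF - prefs.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - user.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
"""


def search_host(defanged_url):
    """Return the host of a DDS-style defanged URL (hxxp:// -> http://)."""
    url = re.sub(r"^hxxp", "http", defanged_url, flags=re.IGNORECASE)
    return (urlparse(url).hostname or "").lower()


def triage(log_text):
    """Return a list of findings (dicts with severity, rule, line, detail)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if USER_WRITABLE_EXE.match(line):
            findings.append(dict(severity="high", rule="exe-in-user-writable-dir",
                                 line=line, detail="binary outside Program Files/Windows"))
        elif UAC_OFF.search(line):
            findings.append(dict(severity="high", rule="uac-disabled", line=line,
                                 detail="EnableLUA=0: admin users get a full token without a prompt"))
        elif (m := SEARCH_PREF.match(line)):
            host = search_host(m.group(1))
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(dict(severity="medium", rule="search-hijack",
                                     line=line, detail=f"search traffic redirected to {host}"))
        elif ORPHANED.match(line):
            findings.append(dict(severity="low", rule="orphaned-browser-extension",
                                 line=line, detail="registered CLSID with no backing file"))
        elif (m := PROTECTION.match(line)) and "disabled" in m.group(1).lower():
            findings.append(dict(severity="medium", rule="protection-disabled",
                                 line=line, detail=m.group(1)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['severity']:6}] {f['rule']:28} {f['line']}")
```

Run as-is it reports the embedded sample; for a real report, pass the contents of the saved DDS.txt to `triage()`. The "No File" entries are low signal on their own (uninstallers leave them behind), which is why they are rated low; the av.exe location and EnableLUA = 0 are the lines that matter, and the ComboFix log later in this thread adds a further candidate rule, the `DisableMonitoring=dword:00000001` values under the Security Center keys.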
Old 03-08-2010, 02:12 PM   #2
Security Team
Analyst
 
Join Date: Apr 2008
Location: US
Posts: 540
OS: Win7 Pro x64


Re: System infected with "Vista Antivirus 2010" malware

Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

__________________
AdvancedSetup
Old 03-08-2010, 03:22 PM   #3
Security Team
Analyst
 
Join Date: Apr 2008
Location: US
Posts: 540
OS: Win7 Pro x64


Re: System infected with "Vista Antivirus 2010" malware

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------


Please read the following article on how to disable Norton AV and Firewall, and temporarily disable it before running ComboFix.
Enabling or disabling Norton Internet Security or Norton Personal Firewall
Make sure you're using Run as administrator if needed.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from below:

     Combofix download

     * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Right-click on combofix.exe, choose Run as administrator and follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it will produce a log for you. Post that log in your next reply. You can also locate this log here: c:\combofix.txt

     Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
---------------------------------------------------------------------------------------------
__________________
AdvancedSetup
Old 03-08-2010, 06:47 PM   #4
Registered Member
 
Join Date: Jan 2010
Posts: 5
OS: Win 7 64-Bit


Re: System infected with "Vista Antivirus 2010" malware

I've already hit a hitch trying to deactivate Norton again. I kind of suspect that link was for a different version of Norton. In mine, there's two links relating to "logins", the first is for "Identity Safe", which I assume is unrelated, the other opens a web page to log-in, but now that I think about it, I'm fairly certain I've never made an account with Norton. Furthermore, unless you can only see the options after logging in, my version of Norton has no broad "Status and Settings" section.

If I can get the things in the DDS report that say "enabled" to switch to "disabled", is that a solution for the Combo Fix requirement? It seems like there should be a manual way to disable it.

Barring that, I don't think I'd mind uninstalling and replacing it altogether. I've never been a huge fan of Norton.
__________________
Yaztrak
Old 03-08-2010, 07:25 PM   #5
Security Team
Analyst
 
Join Date: Apr 2008
Location: US
Posts: 540
OS: Win7 Pro x64


Re: System infected with "Vista Antivirus 2010" malware

You can get help on disabling your protection programs here
Otherwise if that does not work then you can remove Norton and install Avira AntiVir free or this one Avast free

If you have trouble removing Symantec/Norton AV please try the following tool: Norton Removal Tool
__________________
AdvancedSetup
Old 03-09-2010, 09:06 AM   #6
Registered Member
 
Join Date: Jan 2010
Posts: 5
OS: Win 7 64-Bit


Re: System infected with "Vista Antivirus 2010" malware

I'm not sure if this matters, and I'm not sure why, (since, unless ComboFix did something more than scan, the files and registry entries should still be there), but for the moment, the obvious symptoms of the infection seem to have vanished, and my computer's running nearly as fast as it used to, and I got Norton to work for the scan... I think.

At any rate, thanks for your help so far!

ComboFix 10-03-08.01 - Owner 03/08/2010 23:09:31.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1285 [GMT -8:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spyware Doctor *disabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LHT3B39.tmp
C:\LHTA3CF.tmp
C:\LHTBE45.tmp
C:\LHTC46C.tmp
c:\program files\temp
c:\programdata\sysReserve.ini
c:\users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Softonic-Eng7_EN.exe
c:\users\Owner\AppData\Roaming\Desktopicon
c:\users\Owner\AppData\Roaming\Desktopicon\config.ini
c:\users\Owner\AppData\Roaming\Desktopicon\eBayShortcuts.exe
c:\windows\system32\drivers\vsfocecoicqfxt.sys
c:\windows\system32\STEC3.sys
c:\windows\system32\vsfoceismkquuu.dat
c:\windows\system32\vsfocexanjensm.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_STEC3
-------\Legacy_vsfocefjjtxgtf
-------\Service_STEC3
-------\Service_vsfocefjjtxgtf


((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.

2010-03-09 07:33 . 2010-03-09 15:31 -------- d-----w- c:\users\Owner\AppData\Local\temp
2010-03-09 07:33 . 2010-03-09 07:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-09 07:01 . 2010-03-09 07:00 320000 ----a-w- c:\windows\system32\CF18335.exe
2010-03-09 06:10 . 2010-03-09 06:09 320000 ----a-w- c:\windows\system32\CF8388.exe
2010-03-07 19:37 . 2010-03-07 19:37 93056 ----a-w- C:\kwroapow.sys
2010-03-05 16:09 . 2010-03-05 16:09 -------- d-----w- c:\program files\IObit
2010-03-05 14:42 . 2010-03-05 14:42 -------- d-----w- c:\program files\OGPlanet
2010-03-04 11:33 . 2010-03-04 11:33 -------- d-----w- c:\users\Owner\AppData\Local\Z-Systems
2010-03-02 12:58 . 2010-03-07 15:53 -------- d-----w- c:\program files\Vista & XP Virtual Desktops
2010-02-18 12:29 . 2010-03-06 10:53 -------- d-----w- C:\Fraps
2010-02-14 06:37 . 2010-02-18 02:33 -------- d-----w- c:\users\Owner\Tracing
2010-02-14 06:35 . 2010-02-14 06:35 -------- d-----w- c:\program files\Microsoft
2010-02-14 06:33 . 2010-02-14 06:33 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-14 06:32 . 2010-02-14 06:34 -------- d-----w- c:\program files\Windows Live
2010-02-14 06:29 . 2010-02-14 06:29 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-11 10:42 . 2010-02-11 10:42 86016 ----a-w- c:\windows\system32\frapsvid.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 20:23 . 2007-08-14 07:19 -------- d-----w- c:\program files\Trillian
2010-03-07 17:54 . 2007-08-13 07:31 -------- d-----w- c:\program files\BitTorrent
2010-03-07 17:43 . 2010-01-10 04:21 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-03-07 15:53 . 2010-01-07 06:04 -------- d-----w- c:\programdata\PMB Files
2010-03-07 15:53 . 2009-08-30 13:31 -------- d-----w- c:\program files\Spyware Doctor
2010-03-07 15:53 . 2008-08-31 10:02 -------- d-----w- c:\program files\Winamp
2010-03-07 15:53 . 2007-08-12 18:14 -------- d-----w- c:\program files\Warcraft III
2010-03-07 15:53 . 2009-09-20 11:57 -------- d-----w- c:\program files\Opera
2010-03-07 15:53 . 2009-05-02 23:11 -------- d-----w- c:\program files\Apple Software Update
2010-03-07 15:53 . 2007-09-25 08:04 -------- d-----w- c:\program files\iTunes
2010-03-06 10:54 . 2009-08-25 00:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-06 10:54 . 2007-04-24 00:03 -------- d-----w- c:\program files\Microsoft Works
2010-02-28 14:32 . 2010-02-02 20:15 -------- d-----w- c:\program files\SEGA
2010-02-28 14:24 . 2010-02-02 21:10 -------- d-----w- c:\program files\Phantasy Star Online Blue Burst
2010-02-24 07:05 . 2009-10-11 05:26 -------- d-----w- c:\programdata\NexonUS
2010-02-23 02:40 . 2009-11-12 13:19 -------- d-----w- c:\program files\Bethesda Softworks
2010-02-18 12:24 . 2009-10-05 07:14 -------- d-----w- c:\program files\BSR Screen Recorder 4
2010-02-18 12:16 . 2009-10-27 04:27 -------- d-----w- c:\program files\CamStudio
2010-02-07 16:57 . 2007-08-13 07:31 -------- d-----w- c:\users\Owner\AppData\Roaming\BitTorrent
2010-02-02 00:53 . 2010-02-02 00:53 -------- d-----w- c:\program files\TrueGames
2010-01-25 19:25 . 2010-01-25 19:25 -------- d-----w- c:\program files\QuickTime Alternative
2010-01-25 19:25 . 2007-08-13 20:11 -------- d-----w- c:\programdata\Apple Computer
2010-01-20 04:56 . 2007-09-03 17:47 7944 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2010-01-20 03:50 . 2010-01-20 03:50 552 ----a-w- c:\users\Owner\AppData\Local\d3d8caps.dat
2010-01-19 21:28 . 2009-11-20 23:48 -------- d-----w- c:\program files\MWScriptExtender
2010-01-18 09:26 . 2010-01-18 09:25 -------- d-----w- c:\users\Owner\AppData\Roaming\Download Manager
2010-01-15 23:59 . 2007-08-13 20:14 -------- d-----w- c:\users\Owner\AppData\Roaming\Apple Computer
2010-01-14 00:55 . 2010-01-14 00:52 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-14 00:53 . 2010-01-14 00:53 -------- d-----w- c:\program files\iPod
2010-01-14 00:53 . 2007-08-13 20:09 -------- d-----w- c:\program files\Common Files\Apple
2010-01-11 07:17 . 2007-08-12 18:20 80634 ----a-w- c:\windows\War3Unin.dat
2010-01-11 04:50 . 2010-01-10 19:36 -------- d-----w- c:\program files\Age of Wonders Shadow Magic
2010-01-10 20:25 . 2010-01-10 20:16 -------- d-----w- c:\program files\Age of Wonders II
2010-01-10 19:36 . 2010-01-10 04:17 -------- d-----w- c:\users\Owner\AppData\Roaming\DAEMON Tools Lite
2010-01-10 04:19 . 2007-08-31 07:14 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-10 04:17 . 2010-01-10 04:17 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-01-08 20:26 . 2010-01-08 20:26 -------- d-----w- c:\users\Owner\AppData\Roaming\Tific
2010-01-04 11:21 . 2010-01-04 11:23 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-30 01:53 . 2007-08-12 23:47 320 ----a-w- c:\users\Owner\AppData\Roaming\wklnhst.dat
2009-12-13 15:55 . 2009-12-13 15:55 666 ----a-w- c:\windows\eReg.dat
2002-07-27 02:02 . 2008-01-02 08:33 153088 ----a-w- c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-13 1773568]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-01 39408]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-07 2935480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-08-11 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"SnapfishMediaDetector"="c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 1441792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-15 149280]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-06-01 196608]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-23 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2009-12-14 0]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe [2007-3-2 1441792]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-12-18 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2090761685-823128311-3762642675-1000]
"EnableNotificationsRef"=dword:00000002

R2 gupdate1ca6fdc6d6e2fcf;Google Update Service (gupdate1ca6fdc6d6e2fcf);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 133104]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-17 2800669]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R3 XDva143;XDva143;c:\windows\system32\XDva143.sys [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-10 691696]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1105000.07F\SYMDS.SYS [2009-11-05 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1105000.07F\SYMEFA.SYS [2009-11-26 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2010-02-11 536112]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1105000.07F\ccHPx86.sys [2009-12-09 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100305.002\IDSvix86.sys [2009-10-28 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\System32\Drivers\NIS\1105000.07F\Ironx86.SYS [2009-11-26 116272]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1105000.07F\SYMTDIV.SYS [2009-11-22 340016]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe [2009-12-09 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-01-04 102448]

.
Contents of the 'Scheduled Tasks' folder

2009-11-29 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.14\DriverRobot.exe [2009-11-25 22:35]

2010-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 03:38]

2010-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 03:38]

2010-03-03 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-04-24 18:56]

2010-03-09 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Owner.job
- c:\program files\Norton Internet Security\Engine\17.5.0.127\navw32.exe [2010-01-11 06:08]

2010-03-08 c:\windows\Tasks\User_Feed_Synchronization-{58DC66B5-296B-48CE-8042-012A39440E52}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\lq42bxut.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-DAEMON Tools - c:\program files\DAEMON Tools\daemon.exe
AddRemove-4shared Desktop - c:\program files\4shared Desktop\uninstall.exe
AddRemove-Advanced Guards IV by Puma Man - c:\program files\Bethesda Softworks\Morrowind\Data Files\Uninstal.exe
AddRemove-Baldur's Gate Tutu - c:\program files\BaldursGateTutu\Uninst.isu
AddRemove-CDisplay_is1 - c:\program files\Trillian\users\IMVU\CDisplay\unins000.exe
AddRemove-Final Fantasy VII - c:\program files\Final Fantasy VII 2\Uninst.isu
AddRemove-Hamachi - c:\program files\Hamachi\uninstall.exe
AddRemove-InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E} - c:\progra~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe
AddRemove-Kumiko Manor 2.15 - c:\program files\Bethesda Softworks\Oblivion\Data\UninstalKumikoManor.exe
AddRemove-Launcher - c:\program files\Trillian\users\IMVU\New Folder\Launcher\uninstall.exe
AddRemove-My HP Game Console - c:\program files\HP Games\My HP Game Console\Uninstall.exe
AddRemove-NWN2DW1 - c:\users\Owner\Documents\Neverwinter Nights 2\modules\DW1Uninstall.exe
AddRemove-NWN2DW2 - g:\nwn2\modules\DW2Uninstall.exe
AddRemove-NWN2LuteHero - g:\nwn2\modules\LuteHeroUninstall.exe
AddRemove-PCGen5141 - c:\program files\PCGen\uninstall-PCGen5141.exe
AddRemove-PopCap Browser Plugin - c:\program files\PopCap Games\PopCap Browser Plugin\Uninstall.exe
AddRemove-Scourge of the Lich Father - c:\progra~1\BETHES~1\MORROW~1\Setup.exe
AddRemove-Scourge of the Lich Father - Act I - c:\progra~1\BETHES~1\MORROW~1\Setup.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
AddRemove-Stella_is1 - c:\program files\Trillian\users\IMVU\New Folder\New Folder (2)\Stella\unins000.exe
AddRemove-Web Games Player Plugin - c:\program files\Zylom Games\UninstallPlugin.exe
AddRemove-Westward_is1 - c:\program files\Westward\ReflexiveArcade\unins000.exe
AddRemove-WildTangent hpdesktop Master Uninstall - c:\program files\HP Games\Uninstall.exe
AddRemove-WT015877 - c:\program files\WildGames\FATE\Uninstall.exe
AddRemove-WT017697 - c:\program files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe
AddRemove-WT017707 - c:\program files\HP Games\Blackhawk Striker 2\Uninstall.exe
AddRemove-WT017717 - c:\program files\HP Games\Blasterball 3\Uninstall.exe
AddRemove-WT017727 - c:\program files\HP Games\Bookworm Deluxe\Uninstall.exe
AddRemove-WT017737 - c:\program files\HP Games\Bounce Symphony\Uninstall.exe
AddRemove-WT017757 - c:\program files\HP Games\Chuzzle Deluxe\Uninstall.exe
AddRemove-WT017767 - c:\program files\HP Games\Crystal Maze\Uninstall.exe
AddRemove-WT017777 - c:\program files\HP Games\Diner Dash\Uninstall.exe
AddRemove-WT017787 - c:\program files\HP Games\Family Feud\Uninstall.exe
AddRemove-WT017807 - c:\program files\HP Games\Final Drive Nitro\Uninstall.exe
AddRemove-WT017817 - c:\program files\HP Games\Flip Words\Uninstall.exe
AddRemove-WT017827 - c:\program files\HP Games\Insaniquarium Deluxe\Uninstall.exe
AddRemove-WT017837 - c:\program files\HP Games\JEOPARDY\Uninstall.exe
AddRemove-WT017847 - c:\program files\HP Games\Jewel Quest\Uninstall.exe
AddRemove-WT017877 - c:\program files\HP Games\Mah Jong Quest\Uninstall.exe
AddRemove-WT017887 - c:\program files\HP Games\Otto\Uninstall.exe
AddRemove-WT017897 - c:\program files\HP Games\Overball\Uninstall.exe
AddRemove-WT017907 - c:\program files\HP Games\Penguins!\Uninstall.exe
AddRemove-WT017917 - c:\program files\HP Games\Phoenix Assault\Uninstall.exe
AddRemove-WT017927 - c:\program files\HP Games\Polar Bowler\Uninstall.exe
AddRemove-WT017937 - c:\program files\HP Games\Polar Golfer\Uninstall.exe
AddRemove-WT017947 - c:\program files\HP Games\Polar Tubing\Uninstall.exe
AddRemove-WT017967 - c:\program files\HP Games\Ricochet Lost Worlds\Uninstall.exe
AddRemove-WT017977 - c:\program files\HP Games\SCRABBLE\Uninstall.exe
AddRemove-WT018007 - c:\program files\HP Games\Super Granny\Uninstall.exe
AddRemove-WT018017 - c:\program files\HP Games\Tradewinds\Uninstall.exe
AddRemove-WT018027 - c:\program files\HP Games\Wheel of Fortune\Uninstall.exe
AddRemove-WT018037 - c:\program files\HP Games\Zuma Deluxe\Uninstall.exe
AddRemove-WT018860 - c:\program files\HP Games\Cue Master\Uninstall.exe
AddRemove-WT020464 - c:\program files\HP Games\Cake Mania\Uninstall.exe
AddRemove-Yahoo! Companion - c:\progra~1\Yahoo!\Common\unyt.exe
AddRemove-{A2F166A0-F031-4E27-A057-C69733219434}_is1 - c:\program files\Runes of Magic\unins000.exe
AddRemove-{B06AE767-451E-4F27-992F-8D6AE30D6D7E}_is1 - c:\dsgamemaker\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 07:33
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84F3A1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82fe4d1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> 0x84f391f8
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x82195467
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x82195467
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2090761685-823128311-3762642675-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b6,f2,ed,ec,48,38,34,04,c3,1a,96,bd,61,a7,a8,d4,61,eb,46,f2,a5,1b,18,
0e,02,d8,8a,80,85,56,f2,4d,84,e5,31,02,7b,89,eb,c8,a1,2c,be,70,f9,26,f2,9e,\
"??"=hex:b0,a2,2b,20,7f,dd,c7,a7,18,c4,37,28,66,aa,53,aa

[HKEY_USERS\S-1-5-21-2090761685-823128311-3762642675-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:9e,c3,11,ee,fb,f6,d0,e7,71,15,cf,47,cc,8a,f3,83,35,e1,9a,a1,bd,
2d,5f,fa,09,47,26,af,41,bf,8c,b2,26,95,f1,e2,bd,63,fc,82,1b,8c,63,b2,60,4b,\
"rkeysecu"=hex:d2,ca,7d,85,37,2d,d9,1c,a9,74,6e,5d,29,69,70,f6

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(976)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\DllHost.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\hp\kbd\kbd.exe
c:\program files\Vista & XP Virtual Desktops\Virtual Desktops.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Java\jre6\bin\jucheck.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\lpremove.exe
c:\windows\system32\lpksetup.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-03-09 07:56:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-09 15:56
ComboFix2.txt 2009-07-26 07:33

Pre-Run: 75,174,830,080 bytes free
Post-Run: 75,556,433,920 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - AFA0539F6CFC792D99E6FBAA663ED197
Yaztrak
Old 03-10-2010, 01:55 AM   #7
Security Team
Analyst
Join Date: Apr 2008
Location: US
Posts: 540
OS: Win7 Pro x64


Re: System infected with "Vista Antivirus 2010" malware

Sorry for the delay. You still have a few issues I'm checking up on to make sure we get them corrected for you. I should have an answer sometime tomorrow for you.

Thanks
AdvancedSetup
Old 03-10-2010, 04:39 PM   #8
Security Team
Analyst
Join Date: Apr 2008
Location: US
Posts: 540
OS: Win7 Pro x64


Re: System infected with "Vista Antivirus 2010" malware

You also have too many active live protection programs. I would recommend removing Spyware Doctor, or at least disabling its active protection and only using it as an on-demand scanner. As for iObit, well, they are pretty much useless in my opinion, but it's up to you.

Please follow the directions below.

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines.
Code:
http://www.techsupportforum.com/f50/system-infected-with-vista-antivirus-2010-malware-467258.html#post2629931

Driver::
XDva143
File::
c:\windows\system32\CF18335.exe
c:\windows\system32\CF8388.exe
c:\windows\system32\XDva143.sys
Collect::
C:\kwroapow.sys
FireFox::
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\lq42bxut.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • When the scan completes, Notepad will open with your results log. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

AdvancedSetup
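As an added defender-side example (not part of this thread, and not ComboFix's own code), a small Python triage pass over the log format posted above. It flags the categories the CFScript targets: a registered driver whose file is missing (`[x]`), Firefox search preferences redirected in prefs.js or forced through user.js, UAC switched off by policy, and Security Center monitoring disabled. The sample lines are constructed from the posted log and the search-host allowlist is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample, mirroring a few lines of the ComboFix log posted above.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-17 2800669]
R3 XDva143;XDva143;c:\windows\system32\XDva143.sys [x]
FF - prefs.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
SERVICE_RE = re.compile(r"^[RS]\d+ (?P<name>[^;]+);[^;]*;(?P<path>.+) \[(?P<info>[^\]]*)\]$")
FF_PREF_RE = re.compile(r"^FF - (?P<file>prefs\.js|user\.js): (?P<pref>\S+) - (?P<value>.+)$")

SEARCH_PREFS = {"browser.search.defaulturl", "browser.search.selectedEngine",
                "browser.search.defaultenginename", "keyword.URL"}
# Search hosts an analyst would accept; an assumed allowlist for this example.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}


def triage(log_text):
    """Return (category, detail) findings for a ComboFix-style log, in file order."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current_key = m.group("key").lower()
        elif m := VALUE_RE.match(line):
            name, value = m.group("name"), m.group("value").strip()
            if name == "EnableLUA" and value.startswith("0"):
                # UAC switched off by policy: admin-token processes run fully elevated.
                findings.append(("uac_disabled", current_key))
            elif name == "DisableMonitoring" and value == "dword:00000001":
                # Security Center told to ignore this AV/firewall: its warnings go silent.
                findings.append(("security_center_muted", current_key))
        elif m := SERVICE_RE.match(line):
            # ComboFix prints [x] when the registered driver/service file is missing on disk.
            if m.group("info") == "x":
                findings.append(("service_file_missing", f"{m.group('name')} -> {m.group('path')}"))
        elif (m := FF_PREF_RE.match(line)) and m.group("pref") in SEARCH_PREFS:
            pref, value = m.group("pref"), m.group("value")
            if m.group("file") == "user.js":
                # user.js is re-applied at every Firefox start, overriding the UI choice.
                findings.append(("firefox_userjs_search_override", f"{pref} = {value}"))
            else:
                # ComboFix defangs http to hxxp; restore it so urlparse sees the host.
                host = urlparse(value.replace("hxxp://", "http://", 1)).netloc
                if host and host not in EXPECTED_SEARCH_HOSTS:
                    findings.append(("firefox_search_hijack", f"{pref} -> {host}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32} {detail}")
```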
Copyright 2001 - 2010, Tech Support Forum