MBAM Freeze--Following up

20 replies to this topic

#1
snorlax
Good Morning...

I posted yesterday in another part of this forum that MBAM was freezing, during a COMPLETE scan, on the file

C:\Windows\ServicePackFiles\i386\mouse_c.htm .

An admin, Yardbird, suggested that I follow up here with a HJT log and an MBAM log.
As to removing anti-virus, my employer put Symantec on this computer & I cannot remove it.

HJT gives the following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:14 AM, on 9/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Equitrac\Express\Client\EQSharedEngine.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Bradford Networks\Persistent Agent\bncsaui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garritan.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu
O17 - HKLM\Software\..\Telephony: DomainName = fcnt.franklincollege.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bradford Persistent Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Express\Client\EQSharedEngine.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 11319 bytes

================================================================================

A QUICK scan with MBAM yielded this logfile. The window said that there were three issues--the Microsoft Security was disabled, which I assume is OK since I had other anti-spyware and anti-virus running. Here's the logfile, which does not show those three findings:

ALSO: The program showed that it scanned more files than the 6240 shown in the logfile, and the scan took a few minutes, not 30 seconds.

Malwarebytes' Anti-Malware 1.41
Database version: 2832
Windows 5.1.2600 Service Pack 3

9/21/2009 7:59:35 AM
mbam-log-2009-09-21 (07-59-35).txt

Scan type: Quick Scan
Objects scanned: 6240
Time elapsed: 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thank you in advance for looking at this info...

Jim W.
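The "Microsoft Security was disabled" item Jim mentions typically corresponds to Windows Security Center monitoring or alert values being switched off in the registry; the ComboFix log posted later in this thread shows exactly such values under [HKEY_LOCAL_MACHINE\software\microsoft\security center] set to dword:00000001. As an added example, not code from this thread, from Malwarebytes or from ComboFix, the following Python script parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log and lists the Security Center values that are set to 1. The sample text is constructed from the entries shown in the thread, and the list of value names it treats as disabling is an assumption for this example (the names from the thread's log plus the well-known per-component *DisableNotify values).

```python
"""Flag Security Center values that a ComboFix log shows as disabled.

Added example for this thread; not code from the thread, from Malwarebytes
or from ComboFix. It reads the REGEDIT4-style "Reg Loading Points" section
that ComboFix prints and reports every value under the Security Center key
that is set to dword:00000001. SAMPLE_LOG is constructed from the entries
posted in this thread.
"""
import re

# Constructed sample: the Security Center block as ComboFix printed it in this
# thread, plus one non-dword key to show that other sections are left alone.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run-]
"SM1BG"=c:\\windows\\SM1BG.EXE
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})\s*$')

# Value names that silence or disable Security Center when set to 1. Assumption
# for this example: the three names from the thread's log plus the two
# well-known per-component *DisableNotify values.
DISABLING_VALUES = {
    "AllAlertsDisabled",
    "DisableMonitoring",
    "UpdatesDisableNotify",
    "AntiVirusDisableNotify",
    "FirewallDisableNotify",
}


def parse_regedit4(text):
    """Return {key: {value_name: int}} for the dword values in a REGEDIT4-style dump.

    Keys with no dword values still appear, mapped to an empty dict, so the
    caller can tell "key seen" from "key absent". Non-dword values are skipped.
    """
    result = {}
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            result.setdefault(key, {})
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            result[key][m.group("name")] = int(m.group("val"), 16)
    return result


def security_center_findings(text):
    """List (key, value_name) pairs where a disabling Security Center value is 1."""
    findings = []
    for key, values in parse_regedit4(text).items():
        # Only the Security Center key and its Monitoring\<product> subkeys matter here.
        if "\\security center" not in key.lower():
            continue
        for name, val in values.items():
            if name in DISABLING_VALUES and val == 1:
                findings.append((key, name))
    return findings


if __name__ == "__main__":
    for key, name in security_center_findings(SAMPLE_LOG):
        print(f"{name} = 1 under [{key}]")
```

On the thread's log this reports AllAlertsDisabled, DisableMonitoring and UpdatesDisableNotify under the main key and DisableMonitoring under Monitoring\SymantecAntiVirus; TermService is left alone because it is not a Security Center switch. Corporate anti-virus suites often set the per-product DisableMonitoring value themselves, so a hit there is a prompt to verify the product's own status rather than proof of tampering, whereas AllAlertsDisabled and UpdatesDisableNotify being set on a machine nobody configured that way is worth re-enabling and re-checking after the scans are done.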

#2
AdvancedSetup
Well, since this is a work computer that you don't have FULL control of, I'm not sure whether we'll be able to assist you.

Please run the following scanner if you can and we'll take a look.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.
This is because in some cases malware blocks EVERY process except those on its own whitelist, and that whitelist includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...
Ron Lewis
Manager, Online Support

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
AdvancedSetup
Please post a status update on this.

#4
snorlax

AdvancedSetup, on Sep 29 2009, 06:43 AM, said:

Please post a status update on this.

Good morning...

Yesterday, today, and tomorrow are 18+ hour days at work. I should be able to go through the recommended procedure on Thursday.
Thanks for your patience; please bear with me.

Jim W.

#5
AdvancedSetup
So you got a 2 hour break there I see. 2 Full time jobs for me, but I'll wait for you ;)

#6
AdvancedSetup
We will need to get this done by Thursday night; otherwise it'll have to wait till next week. I'm going away for the weekend.

#7
snorlax

AdvancedSetup, on Sep 30 2009, 11:21 PM, said:

We will need to get this done by Thursday night otherwise it'll have to wait till next week. I'm going away for the weekend.

OK...will attempt early tomorrow am
Thanks.

#8
snorlax

snorlax, on Sep 30 2009, 11:24 PM, said:

OK...will attempt early tomorrow am
Thanks.

Will not accept my post containing logs

#9
snorlax
Let's try splitting it up...

OK...here we go...

Process was not perfect, but eventually ok...

Turned off Symantec AV by stopping the process in services.msc.
Disabled Spybot S&D and PC Tools Spyware Doctor.
Ran Combo-Fix.
Combo-Fix gave me an error: "some files are corrupt, download again".
I went to safe mode to see what would happen.
Reran Combo-Fix.
Same message.
Turned on internet connection & re-downloaded ComboFix; saved per instructions.

Still in safe mode, ran combofix...Combo-Fix.txt follows...

==============================================================================

ComboFix 09-09-30.06 - Jwilliams 10/01/2009 10:42.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1696 [GMT -4:00]
Running from: c:\documents and settings\jwilliams\Desktop\Combo-Fix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\jwilliams\Application Data\Microsoft\Internet Explorer\Quick Launch\wrar351.exe
c:\windows\AUTOLNCH.REG
c:\windows\Installer\126b8f7.msi
c:\windows\Installer\126b8fd.msi
c:\windows\Installer\126b903.msi
c:\windows\Installer\42ee2.msi
c:\windows\Installer\46186.msp

----- BITS: Possible infected sites -----

hxxp://app-sus.fcnt.franklincollege.edu
.
((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.

2009-09-28 00:53 . 2009-09-28 00:53 -------- d-----w- c:\program files\CCleaner
2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\documents and settings\jwilliams\Local Settings\Application Data\VMware
2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\program files\VMware
2009-09-21 11:52 . 2009-09-21 11:52 -------- d-----w- c:\program files\Trend Micro
2009-09-11 23:13 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-11 23:13 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-09-09 12:13 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 14:17 . 2009-03-01 07:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 14:16 . 2008-10-07 18:52 -------- d-----w- c:\program files\OCS Inventory Agent
2009-10-01 14:15 . 2006-10-30 14:20 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-30 12:31 . 2009-07-19 15:04 -------- d-----w- c:\program files\Spyware Doctor
2009-09-30 01:19 . 2008-03-17 14:31 -------- d-----w- c:\documents and settings\jwilliams\Application Data\Garritan
2009-09-29 04:10 . 2007-07-09 20:13 -------- d-----w- c:\documents and settings\jwilliams\Application Data\Skype
2009-09-29 04:02 . 2007-12-31 22:56 -------- d-----w- c:\documents and settings\jwilliams\Application Data\skypePM
2009-09-28 00:58 . 2009-03-01 06:30 -------- d-----w- c:\program files\Ccy HaHaZip v31
2009-09-19 01:13 . 2007-08-09 22:31 -------- d-----w- c:\documents and settings\jwilliams\Application Data\McGraw-HillLicensing
2009-09-12 03:50 . 2009-07-04 00:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 18:54 . 2009-07-04 00:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-07-04 00:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 12:43 . 2009-04-07 13:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 12:44 . 2007-05-07 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-02 21:15 . 2006-10-30 17:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-02 20:13 . 2006-10-30 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-01 11:05 . 2009-09-01 11:05 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-01 11:05 . 2009-07-19 15:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-27 17:32 . 2009-08-27 17:32 -------- d-----w- c:\program files\Bradford Networks
2009-08-26 15:46 . 2007-06-25 22:00 -------- d-----w- c:\program files\Garritan
2009-08-20 03:48 . 2009-08-20 03:48 -------- d-----w- c:\program files\Muspub5
2009-08-19 17:39 . 2009-05-29 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DragAndRun
2009-08-06 23:24 . 2006-10-16 16:55 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2006-10-16 16:55 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-10-16 16:55 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2006-05-09 14:50 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-10-16 16:55 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-10-16 16:55 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-10-16 16:55 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 21:03 . 2009-08-05 21:03 -------- d-----w- c:\program files\Zoopysoft
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 22:11 . 2006-10-30 17:45 -------- d-----w- c:\program files\Java
2009-07-25 09:23 . 2008-12-01 14:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 11:16 . 2009-07-16 11:16 687104 ----a-w- c:\windows\is-AS9E7.exe
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 15:07 . 2007-06-25 15:07 194776 ----a-w- c:\documents and settings\jwilliams\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2007-10-22 23:09 . 2007-10-22 23:09 604 ---ha-w- c:\program files\STLL Notifier
2003-08-27 18:19 . 2007-06-28 05:19 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2009-06-18 17:16 . 2009-06-18 17:16 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-06-18 17:36 . 2009-06-18 17:36 108272 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2007-08-05 22:18 . 2007-08-05 19:27 608 --sha-w- c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-13 102400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-13 684032]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"bncsaui.exe"="c:\program files\Bradford Networks\Persistent Agent\bncsaui.exe" [2009-02-04 2612960]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"HControl"=c:\windows\ATK0100\HControl.exe
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"SAMSUNG Keydefine"=c:\program files\SAMSUNG\Keydefine\KeyDefin.exe
"SM1BG"=c:\windows\SM1BG.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_3_0.EXE"=
"c:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\McGraw-Hill\\MH_EZTest\\mysql\\bin\\mysqld.exe"=
"c:\\McGraw-Hill\\MH_EZTest\\jre\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/19/2009 11:05 AM 206256]
S0 R592;R592;c:\windows\system32\drivers\R592.sys [10/16/2006 2:01 PM 57088]
S2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2/4/2009 9:33 AM 2944736]
S2 EQSharedEngine;EQ Shared Engine;c:\program files\Equitrac\Express\Client\EQSharedEngine.exe [2/19/2007 3:44 PM 1521192]
S2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [4/16/2009 10:24 AM 69632]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 2:40 AM 115952]
S2 wsnm;VMware View Client Service;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [1/16/2009 6:29 AM 147456]
S3 echondgo;Indigo Service;c:\windows\system32\drivers\echondgo.sys [6/25/2007 4:02 PM 132992]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 12:04 AM 102448]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/19/2009 11:04 AM 348752]
S3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [11/5/2007 9:05 PM 951284]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garritan.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: garritan.biz\www
Trusted Zone: yellowtools.us\www
DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://app-view.franklincollege.edu/downloads/VMware-viewclient.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-__ARIA_2001___is1 - e:\garritan_world_instruments_beta1\World Instruments\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 10:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2114926708-1884511829-1243820751-1149\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{31931AEE-F56E-318D-9727-D76C76F84D41}*]
"mapfacekemhmdokkecddmkcpla"=hex:6f,61,6f,6c,6a,62,6b,62,6d,6c,62,6c,6b,63,67,
66,70,6f,67,62,63,6c,6b,63,66,67,6b,67,63,6e,00,ff
"abcgllipdlckbobddfpdlpignmlfjcmlon"=hex:6d,61,6b,66,68,6e,6f,6e,65,6a,65,64,
68,63,69,67,67,62,6d,6b,66,61,67,69,6f,69,00,ff

[HKEY_LOCAL_MACHINE\software\Classes\CakewalkPlugIns\ç-C;‡ÃFx **]
"Description"="Cakewal"
"HelpFilePath"=""
"HelpFileTopic"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-10-01 10:51
ComboFix-quarantined-files.txt 2009-10-01 14:50

Pre-Run: 3,768,872,960 bytes free
Post-Run: 3,827,294,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

213 --- E O F --- 2009-09-23 20:24

===============================================================================

#10
snorlax
For some reason I cannot post the part of the response with the HJT log.

#11
snorlax
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:36 AM, on 10/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Equitrac\Express\Client\EQSharedEngine.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Bradford Networks\Persistent Agent\bncsaui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garritan.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} (VMware_VDM_Client Class) - https://app-view.franklincollege.edu/downlo...-viewclient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu
O17 - HKLM\Software\..\Telephony: DomainName = fcnt.franklincollege.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bradford Persistent Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Express\Client\EQSharedEngine.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: VMware View Client Service (wsnm) - VMware, Inc. - C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe

--
End of file - 11164 bytes

#12
snorlax
This should precede the HJT file:
Got out of safe mode, booted into normal Windows, restarted Symantec AV service and PC Tools Spyware Doctor (but not Spybot S&D),
re-established internet connection.

At this point I ran Spyware Doctor--it caught one instance of something so I quarantined it.
Then I ran HJT.

Here is latest HJT log:

#13
snorlax
COMPLETE RESPONSE: FORUM OBJECTED TO SOME NAMES IN OTHER POST & WOULD NOT ACCEPT RESPONSE:

OK...here we go...

Process was not perfect, but eventually ok...

turned off Symantec AV by stopping the process in services.msc
Disabled Spybot S&D and PCTOOLS spyware doctor.
Ran Combo-Fix.
Combo-Fix gave me an error "some files are corrupt, download again"
I went to safe mode to see what would happen
Reran Combo-Fix.
Same message.
Turned on internet connection & re-downloaded combofix; saved per instructions.

Still in safe mode, ran combofix...Combo-Fix.txt follows...

==============================================================================

ComboFix 09-09-30.06 - Jwilliams 10/01/2009 10:42.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1696 [GMT -4:00]
Running from: c:\documents and settings\jwilliams\Desktop\Combo-Fix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\jwilliams\Application Data\Microsoft\Internet Explorer\Quick Launch\wrar351.exe
c:\windows\AUTOLNCH.REG
c:\windows\Installer\126b8f7.msi
c:\windows\Installer\126b8fd.msi
c:\windows\Installer\126b903.msi
c:\windows\Installer\42ee2.msi
c:\windows\Installer\46186.msp

----- BITS: Possible infected sites -----

hxxp://app-sus.fcnt.franklincollege.edu
.
((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.

2009-09-28 00:53 . 2009-09-28 00:53 -------- d-----w- c:\program files\CCleaner
2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\documents and settings\jwilliams\Local Settings\Application Data\VMware
2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\program files\VMware
2009-09-21 11:52 . 2009-09-21 11:52 -------- d-----w- c:\program files\Trend Micro
2009-09-11 23:13 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-11 23:13 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-09-09 12:13 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 14:17 . 2009-03-01 07:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 14:16 . 2008-10-07 18:52 -------- d-----w- c:\program files\OCS Inventory Agent
2009-10-01 14:15 . 2006-10-30 14:20 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-30 12:31 . 2009-07-19 15:04 -------- d-----w- c:\program files\Spyware Doctor
2009-09-30 01:19 . 2008-03-17 14:31 -------- d-----w- c:\documents and settings\jwilliams\Application Data\Garritan
2009-09-29 04:10 . 2007-07-09 20:13 -------- d-----w- c:\documents and settings\jwilliams\Application Data\Skype
2009-09-29 04:02 . 2007-12-31 22:56 -------- d-----w- c:\documents and settings\jwilliams\Application Data\skypePM
2009-09-28 00:58 . 2009-03-01 06:30 -------- d-----w- c:\program files\Ccy HaHaZip v31
2009-09-19 01:13 . 2007-08-09 22:31 -------- d-----w- c:\documents and settings\jwilliams\Application Data\McGraw-HillLicensing
2009-09-12 03:50 . 2009-07-04 00:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 18:54 . 2009-07-04 00:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-07-04 00:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 12:43 . 2009-04-07 13:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 12:44 . 2007-05-07 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-02 21:15 . 2006-10-30 17:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-02 20:13 . 2006-10-30 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-01 11:05 . 2009-09-01 11:05 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-01 11:05 . 2009-07-19 15:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-27 17:32 . 2009-08-27 17:32 -------- d-----w- c:\program files\Bradford Networks
2009-08-26 15:46 . 2007-06-25 22:00 -------- d-----w- c:\program files\Garritan
2009-08-20 03:48 . 2009-08-20 03:48 -------- d-----w- c:\program files\Muspub5
2009-08-19 17:39 . 2009-05-29 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DragAndRun
2009-08-06 23:24 . 2006-10-16 16:55 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2006-10-16 16:55 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-10-16 16:55 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2006-05-09 14:50 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-10-16 16:55 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-10-16 16:55 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-10-16 16:55 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 21:03 . 2009-08-05 21:03 -------- d-----w- c:\program files\Zoopysoft
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 22:11 . 2006-10-30 17:45 -------- d-----w- c:\program files\Java
2009-07-25 09:23 . 2008-12-01 14:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 11:16 . 2009-07-16 11:16 687104 ----a-w- c:\windows\is-AS9E7.exe
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 15:07 . 2007-06-25 15:07 194776 ----a-w- c:\documents and settings\jwilliams\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2007-10-22 23:09 . 2007-10-22 23:09 604 ---ha-w- c:\program files\STLL Notifier
2003-08-27 18:19 . 2007-06-28 05:19 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2009-06-18 17:16 . 2009-06-18 17:16 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-06-18 17:36 . 2009-06-18 17:36 108272 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2007-08-05 22:18 . 2007-08-05 19:27 608 --sha-w- c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-13 102400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-13 684032]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"bncsaui.exe"="c:\program files\Bradford Networks\Persistent Agent\bncsaui.exe" [2009-02-04 2612960]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"HControl"=c:\windows\ATK0100\HControl.exe
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"SAMSUNG Keydefine"=c:\program files\SAMSUNG\Keydefine\KeyDefin.exe
"SM1BG"=c:\windows\SM1BG.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_3_0.EXE"=
"c:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\McGraw-Hill\\MH_EZTest\\mysql\\bin\\mysqld.exe"=
"c:\\McGraw-Hill\\MH_EZTest\\jre\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/19/2009 11:05 AM 206256]
S0 R592;R592;c:\windows\system32\drivers\R592.sys [10/16/2006 2:01 PM 57088]
S2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2/4/2009 9:33 AM 2944736]
S2 EQSharedEngine;EQ Shared Engine;c:\program files\Equitrac\Express\Client\EQSharedEngine.exe [2/19/2007 3:44 PM 1521192]
S2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [4/16/2009 10:24 AM 69632]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 2:40 AM 115952]
S2 wsnm;VMware View Client Service;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [1/16/2009 6:29 AM 147456]
S3 echondgo;Indigo Service;c:\windows\system32\drivers\echondgo.sys [6/25/2007 4:02 PM 132992]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 12:04 AM 102448]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/19/2009 11:04 AM 348752]
S3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [11/5/2007 9:05 PM 951284]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garritan.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: garritan.biz\www
Trusted Zone: yellowtools.us\www
DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://app-view.franklincollege.edu/downloads/VMware-viewclient.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-__ARIA_2001___is1 - e:\garritan_world_instruments_beta1\World Instruments\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 10:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2114926708-1884511829-1243820751-1149\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{31931AEE-F56E-318D-9727-D76C76F84D41}*]
"mapfacekemhmdokkecddmkcpla"=hex:6f,61,6f,6c,6a,62,6b,62,6d,6c,62,6c,6b,63,67,
66,70,6f,67,62,63,6c,6b,63,66,67,6b,67,63,6e,00,ff
"abcgllipdlckbobddfpdlpignmlfjcmlon"=hex:6d,61,6b,66,68,6e,6f,6e,65,6a,65,64,
68,63,69,67,67,62,6d,6b,66,61,67,69,6f,69,00,ff

[HKEY_LOCAL_MACHINE\software\Classes\CakewalkPlugIns\ç-C;‡ÃFx **]
"Description"="Cakewal"
"HelpFilePath"=""
"HelpFileTopic"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-10-01 10:51
ComboFix-quarantined-files.txt 2009-10-01 14:50

Pre-Run: 3,768,872,960 bytes free
Post-Run: 3,827,294,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

213 --- E O F --- 2009-09-23 20:24

===============================================================================

Got out of safe mode, booted into normal Windows, restarted Symantec AV service and PC Tools Spyware Doctor (but not Spybot S&D),
re-established internet connection.

At this point I ran Spyware Doctor--it caught one instance of A TROJAN in the registry involving "NAME OF PROGRAM" so I quarantined it.
I did not delete anything ComboFix installed.
Then I ran HJT.

Here is latest HJT log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:36 AM, on 10/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Equitrac\Express\Client\EQSharedEngine.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Bradford Networks\Persistent Agent\bncsaui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garritan.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} (VMware_VDM_Client Class) - https://app-view.franklincollege.edu/downlo...-viewclient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu
O17 - HKLM\Software\..\Telephony: DomainName = fcnt.franklincollege.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bradford Persistent Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Express\Client\EQSharedEngine.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: VMware View Client Service (wsnm) - VMware, Inc. - C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe

--
End of file - 11164 bytes

============================
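The HijackThis log above is read by eye in this thread. As an added example (not code from the thread, from HijackThis or from Malwarebytes), the Python below parses the O4, O17 and O23 entry formats that appear in the log and applies a few conservative triage heuristics: a service with no publisher string ("Unknown owner"), a service whose binary is "(file missing)", an autorun that launches from outside Program Files or Windows, and every O17 domain setting, which is simply listed so it can be checked against the network the machine is supposed to be on. The sample entries are a verbatim subset of the posted log, except the O4 line labelled "constructed-example", which is made up and exists only to exercise the path check. The reason codes and the idea of "standard directories" are my own assumptions, not HijackThis terminology; a hit means "look closer", not "malware".

```python
"""Triage of HijackThis v2 log entries (added example; not from the thread,
HijackThis or Malwarebytes).  Parses the O4, O17 and O23 entry formats and
applies a few conservative review heuristics."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Verbatim subset of the log posted above, plus one constructed O4 line
# (label "constructed-example") that is NOT from the log and exists only to
# exercise the path check.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\VPTray.exe
O4 - HKLM\\..\\Run: [bncsaui.exe] %ProgramFiles%\\Bradford Networks\\Persistent Agent\\bncsaui.exe
O4 - HKLM\\..\\Run: [Malwarebytes Anti-Malware (reboot)] "C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe" /runcleanupscript
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [constructed-example] C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = fcnt.franklincollege.edu
O23 - Service: iPod Service - Unknown owner - C:\\Program Files\\iPod\\bin\\iPodService.exe (file missing)
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\\Program Files\\OCS Inventory Agent\\ocsservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Locations an autorun is normally expected to launch from (assumed list).
# The 8.3 short name of Program Files is aliased so VPTray-style entries
# are not flagged as a false positive.
STANDARD_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass(frozen=True)
class Finding:
    kind: str     # HJT section, e.g. "O23"
    code: str     # short reason code (assumed names, not HJT terminology)
    subject: str  # service name / autorun label / registry key
    detail: str   # what to check


def executable_of(command: str) -> str:
    """Return the program part of an autorun command line.

    HJT prints unquoted paths that contain spaces, so split on the first
    ".exe" rather than on whitespace; honour quotes when present.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.search(r"\.exe", command, re.IGNORECASE)
    return command[: m.end()] if m else command


def expand(path: str) -> str:
    """Expand the only environment variable that occurs in the posted log."""
    return path.replace("%ProgramFiles%", "C:\\Program Files")


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O23" and body.startswith("Service: "):
            # "Service: <name> - <owner> - <path>"; split from the right so a
            # " - " inside the display name does not shift the fields.
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, owner, path = parts
            if owner.lower() == "unknown owner":
                findings.append(Finding(kind, "unknown_owner", name,
                                        f"no publisher string; verify the signer/hash of {path}"))
            if path.endswith("(file missing)"):
                findings.append(Finding(kind, "file_missing", name,
                                        "service registration points at a binary that is no longer on disk"))
        elif kind == "O4" and "Run: [" in body:
            # "HKLM\..\Run: [<label>] <command line>"
            label = body.split("[", 1)[1].split("]", 1)[0]
            exe = expand(executable_of(body.split("]", 1)[1]))
            if not exe.lower().startswith(STANDARD_DIRS):
                findings.append(Finding(kind, "autorun_outside_std_dirs", label,
                                        f"autorun launches {exe} from outside Program Files / Windows"))
        elif kind == "O17":
            # "<registry key>: Domain = <suffix>"; always listed, never judged.
            key, _, value = body.partition(" = ")
            findings.append(Finding(kind, "domain_setting", key.split(":", 1)[0],
                                    f"domain suffix is {value}; confirm it matches the expected network"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.code}] {f.subject}: {f.detail}")
```

Run against the sample, the only entries that surface are the orphaned iPod Service registration (twice, for the missing publisher and the missing file), the constructed Temp autorun, and the O17 domain line for confirmation; the Symantec, OCS Inventory and short-name VPTray entries pass without comment.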

#14
snorlax

Hi...
I must have done something bad here...

Combofix said it needed to load Windows recovery console, so I let it.
Now when I boot up, I am asked if I want to boot to Windows recovery console or directly to XP.
What can I do to undo this?
What did I do to make it do that?
Thanx

#15
snorlax

I got out of it & restored regular boot.

#16
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,575 posts
  • Gender:Male
  • Location:US
It installed the Recovery Console on purpose and will automatically time out to normal Windows boot.


Okay well you've got a major issue here. You can only have one Anti-Virus product installed at a time as they will cause conflicts with each other.
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

This file here is a bit odd and I could not find conclusive data to say if it was good or bad, but based on its location I would say it's bad.
2007-08-05 22:18 . 2007-08-05 19:27 608 --sha-w- c:\windows\system32\winzvprt5.sys

If you look here: BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *
Something is preventing CHKDSK the Disk Check from running when you reboot.
/P \??\Volume: Schedules an unconditional Chkdsk against the volume.

If you really want to find out what the issue and problems are with MBAM locking up then I think we need to remove some stuff and isolate the cause.
This takes some time and you can't just instantly re-install the software because you think it's okay or not the issue.

I really don't have enough time to do this because I'm going out of town tomorrow afternoon for the weekend.

If it were my machine here is what I would do.

Uninstall all of the following

1. All Anti-Virus
2. Disable and move this file until you know for sure if it's safe or not. c:\windows\system32\winzvprt5.sys
3. Uninstall the Acronis software
4. Uninstall Spyware Doctor
5. Remove all Toolbars
6. Rollback to IE7 for now
7. Start a DOS prompt and run CHKDSK C: /F and reboot and make sure that Disk Check runs. With all this other software removed it should run.
If it's still not running then you need to find out why. It could also be an old Chipset driver or something like that.

Is this computer running ON VMware or it has VMware installed?
Ron Lewis
Manager, Online Support

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
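The BootExecute line Ron points at above is a REG_MULTI_SZ; the "\0" in the pasted text is how the log renders the NUL that separates its two strings. As an added example (not code from the thread or from any of the tools named in it), the Python below splits such a value, interprets each autochk entry according to the documented switches (`*` checks the volumes whose dirty bit is set; `/p \??\X:` and `/r \??\X:` schedule an unconditional check of that volume, the latter with a bad-sector scan; `/k:X` excludes a volume) and reports two things a reviewer would want to know: whether the default `autocheck autochk *` entry is still present, and whether any scheduled unconditional check targets a volume that is not among the mounted volumes the caller supplies. BootExecute is also a well-known persistence location, since every string in it is run by smss.exe before the Win32 subsystem starts, so the code flags any entry that is not an autochk invocation. The set of mounted volumes is a constructed input; the thread does not establish whether the G: entry is what kept the disk check from running on this machine.

```python
"""Interpret a Session Manager BootExecute value (added example, not from the thread).

HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute is a
REG_MULTI_SZ; every string in it is a native program run by smss.exe at boot.
"""
from __future__ import annotations
import re

# The value exactly as it appears in the log posted in this thread.  "\0" is
# the text a log viewer prints for the NUL that separates REG_MULTI_SZ strings.
BOOT_EXECUTE_POSTED = "autocheck autochk /p \\??\\G:\\0autocheck autochk *"

DEFAULT_ENTRY = "autocheck autochk *"
AUTOCHK_RE = re.compile(r"^autocheck\s+autochk\s*(?P<args>.*)$", re.IGNORECASE)


def split_multi_sz(raw: str) -> list[str]:
    """Split on real NUL separators (registry API) or on the literal "\\0" text."""
    return [p for p in re.split(r"\x00|\\0", raw) if p.strip()]


def parse_entry(entry: str) -> dict:
    """Describe one BootExecute string.  Non-autochk programs are returned as-is."""
    m = AUTOCHK_RE.match(entry.strip())
    if not m:
        return {"raw": entry.strip(), "kind": "other"}
    info = {"raw": entry.strip(), "kind": "autochk", "mode": "dirty-only",
            "volume": None, "exclude": []}
    for arg in m.group("args").split():
        low = arg.lower()
        if low == "*":
            info["volume"] = "*"                        # all volumes, dirty bit only
        elif low == "/p":
            info["mode"] = "unconditional"              # what chkdsk /f schedules
        elif low == "/r":
            info["mode"] = "unconditional+bad-sectors"  # what chkdsk /r schedules
        elif low.startswith("/k:"):
            info["exclude"].append(arg[3:].rstrip(":").upper() + ":")  # chkntfs /x
        elif low.startswith("\\??\\"):
            info["volume"] = arg[4:].upper()            # NT object path -> drive letter
    return info


def review(raw: str, mounted_volumes: set[str]) -> tuple[list[dict], list[str]]:
    """Parse the value and return (entries, reviewer notes)."""
    entries = [parse_entry(e) for e in split_multi_sz(raw)]
    notes: list[str] = []
    if not any(e["kind"] == "autochk" and e["volume"] == "*" for e in entries):
        notes.append(f"default entry {DEFAULT_ENTRY!r} is missing: dirty volumes will not be checked at boot")
    for e in entries:
        if e["kind"] != "autochk":
            # Anything else here runs before Win32 starts: treat as a persistence finding.
            notes.append(f"non-autochk program in BootExecute: {e['raw']!r}")
        elif e["volume"] not in (None, "*") and e["volume"] not in mounted_volumes:
            notes.append(f"{e['mode']} check scheduled for {e['volume']}, "
                         f"which is not among the mounted volumes {sorted(mounted_volumes)}")
    return entries, notes


if __name__ == "__main__":
    # Constructed input: assume only C: is mounted when the machine boots.
    entries, notes = review(BOOT_EXECUTE_POSTED, {"C:"})
    for entry in entries:
        print(entry)
    for note in notes:
        print("NOTE:", note)
```

With only C: mounted, the posted value parses to one unconditional check of G: and the default dirty-bit check of all volumes, and the single note is that G: is not a mounted volume; supplying {"C:", "G:"} instead produces no notes at all.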

#17
AdvancedSetup

Please post a status update on this so I know what's going on.

Thanks.
Ron Lewis
Manager, Online Support


#18
snorlax

Ron,
Hope you had a nice weekend...I did ;-)

I think the best thing for me to do here is to take the computer to my IT dep't and have them reimage it.
I'll do that within the next couple days.

Before I end this thread, though, I do have a few questions.

In NO way are these questions intended to doubt anyone's or anything's skill. I am just seeking to LEARN here.

1. I have heard conflicting advice on this matter...what is your advice? I value it. I have Symantec AV, provided by my employer, with resident protection. I also have PCTOOLS withOUT Anti-Virus but WITH the "intelli-scan" function activated. I also have Spybot S&D with resident protection. I have picked up from you and several people here that the resident parts may conflict. Am I harming myself here?

2. When MBAM freezes while scanning file X, can that indicate a problem in some other file Y? Does MBAM's freezing always indicate a problem with the computer somewhere? Does it always imply the existence of malware somewhere on the computer?

3. ZVPRT5 is a print driver from zan1011.com . Since you recommend its removal, I will remove it, but I scanned it with all my other tools and it seems to be 100% benign.

4. IMPORTANT: Combo-Fix seems to have left behind some stuff I need to deal with...I was able to stop the computer from booting into the menu making me choose between recovery console and regular XP. But there are two directories or so left behind that I don't know what to do with, and Pctools finds 106 registry entries that ComboFix seems to have left behind. Can I delete those directories and those 106 registry entries? It calls them "Application NirCmd," which I understand to mean that these are probably helpful items, placed by a friendly program, that could be malicious if placed by an UNfriendly source.

5. IMPORTANT: There is a folder called QOOBOX which seems to contain some things that have been quarantined by ComboFix. Correct? One item I noticed was WRAR351.exe. As far as I can tell, this is innocuous. I googled it and it seems that some programs flag it as an FP. What's in this QOOBOX folder? Can I kill it?

6. Here is text from a file called ComboFix-Quarantined-files.txt in that folder

2009-10-01 14:48:12 . 2009-10-01 14:48:12 2,198 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-__ARIA_2001___is1.reg.dat
2009-10-01 14:45:13 . 2009-10-01 14:45:13 12,974 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-10-01 14:37:21 . 2009-10-01 14:37:21 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2007-11-24 23:22:03 . 2007-11-24 23:22:03 1,214,464 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ee2.msi.vir
2007-11-13 23:39:28 . 2007-11-13 23:39:28 631,808 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\126b903.msi.vir
2007-11-13 23:39:11 . 2007-11-13 23:39:11 623,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\126b8fd.msi.vir
2007-11-13 23:38:56 . 2007-11-13 23:38:56 1,214,464 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\126b8f7.msi.vir
2007-07-02 18:53:11 . 2009-07-08 21:22:04 1,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\AUTOLNCH.REG.vir
2007-06-26 05:48:32 . 2005-11-17 20:48:04 1,014,477 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\jwilliams\Application Data\Microsoft\Internet Explorer\Quick Launch\wrar351.exe.vir
2006-10-16 18:20:28 . 2009-10-01 14:08:35 5,417 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2006-10-16 18:20:28 . 2009-10-01 14:08:35 5,417 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2005-08-08 18:25:44 . 2005-08-08 18:25:44 97,385,984 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\46186.msp.vir

Are all these items malware/viruses? Can I delete the QOOBOX folder

Again, I am NOT questioning or doubting anyone or anything. I am only trying to learn. I'd appreciate your answers.
With appreciation,
Jim W.

#19
AdvancedSetup

1. A lot depends on how the driver and process are implemented. I've not run this particular implementation myself so I can't speak directly to it.
Basically what happens is this as an example:
You're browsing a Website and then maybe some link or script attempts to download Malware onto your system.
A. Symantec AV kicks in and attempts to manage the threat
B. PCTOOLS also kicks in and attempts to manage the threat
C. Spybot S&D also kicks in and attempts to manage the threat
D. If you're using MBAM Protection Module then it also kicks in and attempts to manage the threat

So you now have potentially 4 products attempting to stop this infection. In a rare case it might be possible for one of these products to see the other one also attempting to intercept this threat and it "might" block the other tool which then often causes a freezing issue.
In such a case even if it did not lock the box completely it's possible that in so doing maybe the threat was able to bypass the protection and get started installing.
Another scenario is that maybe due to conflict the threat is only partially stopped, or maybe not detected at all because of conflicts.
It's also quite possible that they will operate in harmony with each other, but experience for most users indicates this is often not the case.
Long story short... it's best not to have multiple programs running in live continuous protection mode unless you're willing to take the time and effort required to ensure that they do not conflict.

2. There are reported files that have in the past caused reading issues for the program. We have updated the program to attempt to prevent this from happening but it's possible that you have some file or setting or other software on the system that we're just not aware of that is causing this.

3. I did not recommend that you remove it. I asked that you check it more and verify as I was not sure what it was.
Move or rename it until you know for sure if it is safe or not.

4. Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP A
Uninstall ComboFix.exe
  • Click START then RUN
  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U; it needs to be there.
  • When shown the disclaimer, Select "2"
Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe AND check your system time and reset if needed


5. See solution for #4

6. See solution for #4


Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore
Ron Lewis
Manager, Online Support


#20
snorlax

Many thanks for your kind and patient answers, Ron
As you can see, I am a bit spooked and frazzled by all this malware stuff...though I am backed up.
About the zvprt file...actually, I just moved it to a cd with a few other things and can put it back...I figured I'd just move it off for a while as all this was going on.
Again, thanks.
Jim W.




