generic host process for win32 services error

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:07 PM, on 9/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\My Documents\My Downloads\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238030011311
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238068399453
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EF4CE1A-9EF1-4FC9-8C99-9509160953FB}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7056 bytes

I receive a "generic host process for win32 services" error message after i have started up my computer. Also, that problem seems to have an effect on my ip address renewal as well as my sound driver.

Hi

The HijackThis log you posted is clean.

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.

• Viewpoint
  
• Viewpoint Manager
  
• Viewpoint Media Player
  
• Viewpoint Toolbar

Let me know if you decided to uninstall it.

====

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

====

Are you running OpenDNS? Sometimes when OpenDNS is running, it can slow down some web pages.

In your next reply, please include the MBAM log, tell me if you uninstalled Viewpoint, and tell me how your computer is running.

Hi

Thanks for the reply. I have uninstalled the Viewpoint Media Player and downloaded Malwarebytes Anti-Malware as you have suggested. After the installation was complete, I double-clicked on the desktop icon to run the program per your instructions, it did not open. I tried to open the program again and nothing happens. The cursor changes into an hourglass for a second and changes back to the cursor and thats it.

Also, How do I find out if I am running OpenDNS or not.

Thanks again..

Hi

OpenDNS Updater is a sign it is installed, and is usually found in C:\Program Files\OpenDNS Updater

I knew you were running OpenDNS because of this line in the HijackThis log:
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EF4CE1A-9EF1-4FC9-8C99-9509160953FB}: NameServer = 208.67.222.222,208.67.220.220

I researched one of the IP addresses found, and here is the result

==

!! NOTICE: This instruction is for jimmyneutr0n only. If you are a lurker reading this, do not attempt it. !!

Please navigate to C:\Program Files\Malwarebytes' Anti-Malware and attempt to rename it to iexplore.exe
Then, double-click that to launch MBAM. Attempt to run a scan, and post the results in your next reply. If you cannot run the scan, please let me know.

Hi

I checked C:\Program Files\OpenDNS Updater and did not find anything just an error "Cannot find 'file:///C:/Program%20Files/OpenDNS%20Updater'. Make sure the path or Internet address is correct."

Also, the tricked worked here is the log from the scan below.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

9/9/2009 10:40:01 PM
mbam-log-2009-09-09 (22-40-01).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 166042
Time elapsed: 49 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-33cf-aax5-35gx1c642122} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{t5tbb77l-4678-0mkc-421q-14416031dyu6} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\DRam prosessor (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013 (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{5BDB5655-6AB7-49EE-89B4-4FEBFDA02D01}\RP95\A0021551.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5BDB5655-6AB7-49EE-89B4-4FEBFDA02D01}\RP95\A0021578.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5BDB5655-6AB7-49EE-89B4-4FEBFDA02D01}\RP95\A0021603.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5BDB5655-6AB7-49EE-89B4-4FEBFDA02D01}\RP95\A0021604.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5BDB5655-6AB7-49EE-89B4-4FEBFDA02D01}\RP95\A0021605.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5BDB5655-6AB7-49EE-89B4-4FEBFDA02D01}\RP95\A0021606.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\RECYCLER\S-3-3-88-100024247-100023290-100018827-9677.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Hi

ComboFix

Please download ComboFix from Here or Here
Make sure to save the file, not open it, and in the file-name box, rename it to CMF.com
* IMPORTANT !!! Save CMF.com to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective
  programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  
• Double click on CMF.com & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.

Hi

Here is the ComboFix log below.

ComboFix 09-09-09.04 - Administrator 09/09/2009 23:33.1.1 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\cmf.com.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
C:\restore
c:\windows\system32\drivers\gxvxchypixevrswqqlxmqfqjewniqhomuwqgo.sys
c:\windows\system32\drivers\gxvxckiltltbbujnkvxfaorqomxtlrroymnor.sys
c:\windows\system32\drivers\gxvxcoblhrqlxbepcdltnqoliqdibvdbqvrod.sys
c:\windows\system32\drivers\gxvxcovngskltfumuyqvpxurrirpdurwqimge.sys
c:\windows\system32\drivers\gxvxcoyqjpwcdppakxwbdmyxckosbpylltqww.sys
c:\windows\system32\drivers\gxvxcrwqwbrfqjotowuycirkduxdiwbhgqpxe.sys
c:\windows\system32\drivers\gxvxcsibekxidwejxjexgflovngproahcfxhk.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcuyfvvkdaawblrrtjxduyqbppkvruknbw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys
-------\Legacy_gxvxcserv.sys
-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-10 02:49 . 2009-09-10 02:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-10 01:51 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 01:51 . 2009-09-10 02:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 01:51 . 2009-09-10 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 01:51 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 22:58 . 2009-09-09 22:58 -------- d-----w- c:\program files\iPod
2009-09-09 22:58 . 2009-09-09 23:01 -------- d-----w- c:\program files\iTunes
2009-09-09 22:58 . 2009-09-09 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-09 22:55 . 2009-09-09 22:55 -------- d-----w- c:\program files\Bonjour
2009-09-09 22:52 . 2009-09-09 22:54 -------- d-----w- c:\program files\QuickTime
2009-09-09 21:31 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 23:34 . 2009-09-10 00:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-09-03 00:50 . 2009-09-03 00:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-09-03 00:49 . 2008-02-06 01:00 216064 ----a-w- c:\windows\system32\CNMLM8U.DLL
2009-08-15 20:22 . 2009-08-15 21:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Download Manager
2009-08-13 02:39 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-13 00:32 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 04:06 . 2009-03-03 00:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-10 01:50 . 2009-03-26 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-09 23:11 . 2009-04-25 21:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-09 23:03 . 2009-03-26 09:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-09-09 22:58 . 2009-08-05 02:41 -------- d-----w- c:\program files\Common Files\Apple
2009-09-09 21:47 . 2009-06-05 03:25 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 21:32 . 2009-05-17 22:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-08 23:27 . 2009-03-26 10:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus
2009-08-24 23:23 . 2009-04-25 21:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-08-14 02:27 . 2009-03-26 09:58 -------- d-----w- c:\program files\Vuze
2009-08-05 09:01 . 2009-03-26 00:54 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 04:02 . 2009-08-05 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-05 03:43 . 2009-03-26 09:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-05 02:43 . 2009-08-05 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-05 02:42 . 2009-06-01 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-17 19:01 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-09 18:16 . 2009-08-05 02:41 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 18:16 . 2009-08-05 02:41 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-03 17:09 . 2001-08-23 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2001-08-23 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2001-08-23 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2001-08-23 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2001-08-23 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2001-08-23 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2001-08-23 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2001-08-23 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2001-08-23 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-04-14 00:12 . 2001-08-23 12:00 346138 --sh--r- c:\windows\system32\xankoilv.exe
2009-03-02 22:15 . 2009-03-03 00:13 0 --sha-r- c:\windows\vnDrvBas\IO.SYS
2009-03-02 22:15 . 2009-03-03 00:13 0 --sha-r- c:\windows\vnDrvBas\MSDOS.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-04-01 86016]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Norton AntiVirus"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Roxio Shared\\9.0\\SharedCOM\\RoxWatchTray9.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SymEFA.sys [5/13/2009 3:33 AM 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [5/13/2009 3:33 AM 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [5/13/2009 3:33 AM 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080826.006\IDSxpx86.sys [5/13/2009 3:33 AM 274808]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/25 17:45];c:\program files\CyberLink\PowerDVD9\000.fcl [2/28/2009 9:40 PM 87536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/13/2009 3:33 AM 99376]
S4 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: {7EF4CE1A-9EF1-4FC9-8C99-9509160953FB} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kbs4pxvc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 23:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,67,d4,f0,c1,4e,6b,4c,82,e6,ba,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,67,d4,f0,c1,4e,6b,4c,82,e6,ba,\

[HKEY_USERS\S-1-5-21-1177238915-651377827-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,34,69,8d,40,2a,4f,ce,47,ab,ab,a1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,34,69,8d,40,2a,4f,ce,47,ab,ab,a1,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,34,69,8d,40,2a,4f,ce,47,ab,ab,a1,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1972)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-10 0:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-10 05:01

Pre-Run: 1,428,504,576 bytes free
Post-Run: 2,249,691,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

219 --- E O F --- 2009-09-09 21:58

Hi

Go to start > run and copy and paste next command in the field:
ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

==

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.

Post the log in your next reply.

Hi

Here is the log for the Quick Scan from Malwarebytes below

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

9/10/2009 6:12:44 PM
mbam-log-2009-09-10 (18-12-44).txt

Scan type: Quick Scan
Objects scanned: 93391
Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi

Your computer is clean.

You aren't running Anti Virus Software

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software (for personal use), from one these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial user.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.
===


Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

Thank you for choosing GeekPolice. Please leave feedback!

Since this issue appears to be solved, this topic is now closed and being marked solved.

If you need the topic reopened, PM an administrator, moderator, or staff.