WiredWX Christian Hobby Weather Tools


backdoor trojan thoroughly cleaned from computer by malwarebytes?

Hi guys,
I clicked on a video site that was linked to a forum, and instead of a video that I thought I would see I get bombarded with ads saying that I need antivirus protection because my computer is compromised. So I run Symantec Endpoint Protection which reports a clean bill of health. Still suspicious, I download Malwarebytes and get this log:

Malwarebytes' Anti-Malware 1.44
Database version: 3581
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

1/17/2010 2:55:00 AM
mbam-log-2010-01-17 (02-55-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 293554
Time elapsed: 1 hour(s), 1 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\Microsoft\1.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.

Hijack This produces the following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:52 PM, on 1/17/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Input Director\InputDirector.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Brain\Downloads\Programs\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [InputDirector] "C:\Program Files\Input Director\InputDirector.exe" /hide
O4 - HKCU\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O4 - Global Startup: RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: acaptuser32.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Input Director Vista Service (IDVistaService) - Unknown owner - C:\Program Files\Input Director\IDVistaService.exe
O23 - Service: Input Director Service (InputDirector) - Unknown owner - C:\Program Files\Input Director\IDWinService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 8381 bytes

My question is--has the backdoor trojan really been successfully deleted--i.e. do I still have to worry about my computer being compromised and others able to gain access even though the backdoor trojan is deleted? The compromised computer is working as a slave via Input Director. Do I have to worry about the master too if the only files shared are video files?

thank you very much!

Let me think
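The question in the post above is whether the logs still show anything a backdoor left behind. The script below is an added example written for this thread; it is not code from the poster, from HijackThis, Malwarebytes or ComboFix. It parses the "Running processes", O4 autorun and O20 AppInit_DLLs sections of a HijackThis-style log and applies the triage heuristics an analyst would apply by eye: an image living in a user-writable location, a file named after a core Windows binary but running from elsewhere or with an unexpected extension, an autorun that names a bare file instead of a full path, an executable placed in a System32 subfolder Windows does not normally populate, and any AppInit_DLLs entry at all. The sample log is constructed from a handful of lines in the shape of the one above; the name list, the user-writable markers and the System32 allowlist are assumptions chosen for this example, and a hit means "verify this by hand", never "this is malware".

```python
"""Triage heuristics for a HijackThis-style log (added example; not HijackThis,
Malwarebytes or ComboFix code). A hit means "verify by hand", not "malware"."""
import re
from pathlib import PureWindowsPath

# Core Windows binary names that malware often borrows (assumed list).
SYSTEM_NAMES = {"winlogon", "svchost", "csrss", "lsass", "services", "smss", "explorer"}
# Path fragments any logged-on user can write to (assumed list).
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\appdata\\", "\\temp\\")
SYSTEM32 = "c:\\windows\\system32\\"
# System32 subfolders that legitimately contain executables (assumed allowlist).
SYSTEM32_EXE_SUBDIRS = {"wbem", "drivers", "spool", "dllcache"}
# First token that looks like an executable image, quoted or not.
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|scr|dll|com|bat|cmd|pif))"?(?=\s|,|$)', re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")

# Constructed sample in the shape of the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Brain\Downloads\Programs\winlogon.scr

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Device Detector] DevDetect.exe -autorun
O20 - AppInit_DLLs: acaptuser32.dll
"""


def parse_hijackthis(text):
    """Return the running-process list, O4 autoruns and O20 AppInit DLLs."""
    processes, autoruns, appinit, in_procs = [], [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif (m := O4_RE.match(line)):
            autoruns.append((m.group("name"), m.group("command")))
        elif line.startswith("O20 - AppInit_DLLs:"):
            appinit += [d for d in re.split(r"[,\s]+", line.split(":", 1)[1]) if d]
    return {"processes": processes, "autoruns": autoruns, "appinit": appinit}


def command_image(command):
    """Image an autorun command loads; for rundll32 that is the DLL argument."""
    command = command.strip()
    m = IMAGE_RE.match(command)
    if not m:
        return None
    image, rest = m.group(1), command[m.end():].strip()
    if PureWindowsPath(image).stem.lower() == "rundll32" and rest:
        return rest.split(",")[0].strip().strip('"')
    return image


def check_image(path, context):
    """Apply the path heuristics to one image; returns (path, reason) pairs."""
    low, p = path.lower(), PureWindowsPath(path)
    stem, ext, reasons = p.stem.lower(), p.suffix.lower(), []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append(f"{context}: image lives in a user-writable location")
    if stem in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append(f"{context}: named after Windows binary '{stem}' but outside a Windows directory")
    elif stem in SYSTEM_NAMES and ext != ".exe":
        reasons.append(f"{context}: named after Windows binary '{stem}' but with extension {ext}")
    if low.startswith(SYSTEM32) and ext in (".exe", ".scr"):
        subdir = low[len(SYSTEM32):].split("\\")[0]
        if subdir != p.name.lower() and subdir not in SYSTEM32_EXE_SUBDIRS:
            reasons.append(f"{context}: executable in non-standard System32 subfolder '{subdir}'")
    return [(path, r) for r in reasons]


def triage(text):
    """Run every heuristic over a whole log; returns a list of (item, reason)."""
    parsed, findings = parse_hijackthis(text), []
    for path in parsed["processes"]:
        findings += check_image(path, "running process")
    for name, command in parsed["autoruns"]:
        image = command_image(command)
        if image is None or "\\" not in image:
            findings.append((name, f"autorun gives no full path ({command!r}); which copy loads depends on the search path"))
        else:
            findings += check_image(image, f"autorun [{name}]")
    for dll in parsed["appinit"]:
        findings.append((dll, "AppInit_DLLs entry is injected into every user32 process; confirm its publisher"))
    return findings


if __name__ == "__main__":
    quarantined = check_image(r"C:\Windows\System32\Microsoft\1.exe", "quarantined file")
    for item, reason in triage(SAMPLE_LOG) + quarantined:
        print(f"{item}\n    {reason}")
```

Run against the constructed sample it reports four items: the screensaver in the Downloads folder twice (user-writable location, and a core Windows binary name running from outside the Windows directory), the autorun that names a bare file, and the AppInit DLL. The path Malwarebytes quarantined is flagged by the System32-subfolder rule. None of these is a verdict; the point of the script is to shrink a long log to the handful of lines worth checking against the publisher, the file's signature and where it came from, which is exactly what the helpers in a thread like this do by hand.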

Re: backdoor trojan thoroughly cleaned from computer by malwarebytes?

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Combofix log

ComboFix 10-01-16.04 - Brain 01/17/2010 22:40:00.1.2 - x86
Black Edition Team® Windows® Vista Eternity™ 2009 6.0.6002.2.1252.1.1033.18.2045.931 [GMT -8:00]
Running from: c:\users\Brain\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3332083203-2331493622-2915005996-1000
c:\$recycle.bin\S-1-5-21-464259759-2728185566-4160668108-1000
c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\windows\system32\Microsoft\2.exe
c:\windows\system32\Microsoft\3.EXE

.
((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-18 02:56 . 2010-01-18 02:56 -------- d-----w- c:\program files\JavaRa
2010-01-18 02:52 . 2010-01-18 02:52 -------- d-----w- c:\program files\Common Files\Java
2010-01-18 02:52 . 2010-01-18 02:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-18 02:52 . 2010-01-18 02:52 -------- d-----w- c:\program files\Java
2010-01-18 02:47 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100117.019\CCERASER.DLL
2010-01-18 02:47 . 2009-10-19 08:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100117.019\ECMSVR32.DLL
2010-01-18 02:47 . 2009-09-17 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100117.019\NAVENG.SYS
2010-01-18 02:47 . 2009-09-17 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100117.019\EECTRL.SYS
2010-01-18 02:47 . 2009-09-17 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100117.019\NAVENG32.DLL
2010-01-18 02:47 . 2009-09-17 08:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100117.019\NAVEX32A.DLL
2010-01-18 02:47 . 2009-09-17 08:00 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100117.019\NAVEX15.SYS
2010-01-18 02:47 . 2009-09-17 08:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100117.019\ERASER.SYS
2010-01-17 09:51 . 2010-01-17 09:51 -------- d-----w- c:\users\Brain\AppData\Roaming\Malwarebytes
2010-01-17 09:51 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-17 09:51 . 2010-01-17 09:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 09:51 . 2010-01-17 09:51 -------- d-----w- c:\programdata\Malwarebytes
2010-01-17 09:51 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 02:23 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.021\CCERASER.DLL
2010-01-17 02:23 . 2009-10-19 08:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.021\ECMSVR32.DLL
2010-01-17 02:23 . 2009-09-17 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.021\NAVENG.SYS
2010-01-17 02:23 . 2009-09-17 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.021\EECTRL.SYS
2010-01-17 02:23 . 2009-09-17 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.021\NAVENG32.DLL
2010-01-17 02:23 . 2009-09-17 08:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.021\NAVEX32A.DLL
2010-01-17 02:23 . 2009-09-17 08:00 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.021\NAVEX15.SYS
2010-01-17 02:23 . 2009-09-17 08:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.021\ERASER.SYS
2010-01-16 20:07 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-16 20:07 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 06:45 . 2008-11-30 06:31 665172 ----a-w- c:\windows\system32\perfh00A.dat
2010-01-18 06:45 . 2008-11-30 06:31 336590 ----a-w- c:\windows\system32\prfh0404.dat
2010-01-18 06:45 . 2008-11-30 06:31 325788 ----a-w- c:\windows\system32\prfh0804.dat
2010-01-18 06:45 . 2008-11-30 06:31 129092 ----a-w- c:\windows\system32\perfc00A.dat
2010-01-18 06:45 . 2008-11-30 06:31 100982 ----a-w- c:\windows\system32\prfc0404.dat
2010-01-18 06:45 . 2008-11-30 06:31 100976 ----a-w- c:\windows\system32\prfc0804.dat
2010-01-17 11:04 . 2008-11-30 07:22 -------- d-----w- c:\programdata\Microsoft Help
2010-01-17 11:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-25 16:51 . 2008-11-30 06:59 -------- d-----w- c:\programdata\Roxio
2009-12-25 11:20 . 2008-11-30 06:34 -------- d-----w- c:\programdata\NVIDIA
2009-12-25 09:02 . 2009-12-05 02:53 87021 ----a-w- c:\programdata\nvModes.dat
2009-12-14 09:00 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\cceraser.dll
2009-12-05 02:51 . 2009-12-05 02:50 -------- d-----w- c:\program files\NVIDIA Corporation
2009-11-28 16:57 . 2008-12-08 04:03 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-11-28 16:57 . 2009-11-28 16:57 -------- d-----w- c:\programdata\ACD Systems
2009-11-28 16:57 . 2009-11-28 16:57 -------- d-----w- c:\program files\ACD Systems
2009-11-23 11:28 . 2008-11-30 05:16 116872 ----a-w- c:\users\Brain\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-23 11:06 . 2008-11-30 07:26 -------- d-----w- c:\program files\Microsoft Works
2009-11-22 11:31 . 2009-11-22 11:31 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-22 11:31 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-22 11:31 . 2009-11-22 11:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-22 11:30 . 2009-11-22 11:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-21 06:40 . 2009-12-13 00:50 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-13 00:50 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-13 00:50 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-13 00:50 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-21 04:33 . 2009-11-21 04:33 66664 ----a-w- c:\windows\system32\nvshext.dll
2009-11-21 02:34 . 2009-12-05 02:48 76392 ----a-w- c:\windows\system32\OpenCL.dll
2009-11-21 02:34 . 2009-12-05 02:48 2243176 ----a-w- c:\windows\system32\nvcuvid.dll
2009-11-21 02:34 . 2009-12-05 02:48 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-11-21 02:34 . 2009-12-05 02:48 182888 ----a-w- c:\windows\system32\nvcod178.dll
2009-11-21 02:34 . 2009-12-05 02:48 11381352 ----a-w- c:\windows\system32\nvcompiler.dll
2009-11-20 05:42 . 2007-09-17 16:07 592488 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-09 12:31 . 2009-12-13 11:03 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-13 11:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-13 11:03 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-29 09:17 . 2009-11-25 11:02 2048 ----a-w- c:\windows\system32\tzres.dll
2008-09-16 18:03 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Device Detector"="DevDetect.exe -autorun" [X]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"InputDirector"="c:\program files\Input Director\InputDirector.exe" [2008-09-09 372736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-09-16 1008184]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-10-03 115560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2007-4-10 1695744]
RocketDock.lnk - c:\program files\RocketDock\RocketDock.exe [2008-9-17 495616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d5,8d,6a,48,e1,40,ca,01

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/25/2009 4:23 PM 102448]
R3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [9/16/2008 10:02 AM 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [9/16/2008 10:02 AM 251904]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [12/7/2008 7:34 PM 717296]
S2 InputDirector;Input Director Service;c:\program files\Input Director\IDWinService.exe [9/9/2008 3:03 PM 32768]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [10/3/2007 2:29 PM 23888]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [9/16/2008 9:51 AM 21504]
S3 IDVistaService;Input Director Vista Service;c:\program files\Input Director\IDVistaService.exe [2/24/2008 2:07 AM 13824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Brain\AppData\Roaming\Mozilla\Firefox\Profiles\llu5ev6x.default\
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 22:48
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.032"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.abr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.abr"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.ani"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.apd"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.arw"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.bay"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.bmp"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.bw"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.cr2"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.crw"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.cs1"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.cur"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.dcr"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.dcx"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.dib"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.djv"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.djvu"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.dng"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.emf"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.eps"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.erf"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.fff"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.fpx"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.gif"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.hdr"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.icl"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.icn"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.iff"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.ilbm"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.int"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.inta"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.iw4"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.j2c"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.j2k"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.jbr"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.jfif"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.jif"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.jp2"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.jpc"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.jpe"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.jpeg"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.jpg"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.jpk"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.jpx"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.kdc"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.lbm"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.mef"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.mos"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.mrw"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.nef"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.nrw"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.orf"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pbm"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pbr"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pcd"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pct"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pcx"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pef"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pgm"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pic"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pict"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pix"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.png"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.ppm"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.psd"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.psp"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspbrush\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pspbrush"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.pspimage"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.raf"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.ras"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.raw"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.rgb"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.rgba"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.rle"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.rsb"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.rw2"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.rwl"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.sgi"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.sr2"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.srf"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.tga"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.thm"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.tif"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.tiff"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.ttc"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.ttf"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v25po\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.5.v25po"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v25pp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.5.v25pp"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v25ppf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.5.v25ppf"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30po\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30po"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30pp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30pp"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30ppf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30ppf"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.wbm"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.wbmp"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.wmf"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.xbm"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.xif"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.xmp"

[HKEY_USERS\S-1-5-21-2316509089-3055685279-2806351483-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.xpm"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-17 22:50:38
ComboFix-quarantined-files.txt 2010-01-18 06:50

Pre-Run: 79,266,930,688 bytes free
Post-Run: 81,361,780,736 bytes free

- - End Of File - - 174CA7010861341F80C23F8A96700654

Re: backdoor trojan thoroughly cleaned from computer by malwarebytes?


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

    win32kdiag log

    Running from: C:\Users\Brain\Desktop\Win32kDiag.exe

    Log file at : C:\Users\Brain\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\Windows'...

    Cannot access: C:\Windows\CSC\v2.0.6\pq
    [1] 2008-11-29 20:48:10 64 C:\Windows\CSC\v2.0.6\pq ()

    Cannot access: C:\Windows\CSC\v2.0.6\temp\ea-{d8a5c867-be99-11dd-8014-edfc6cad4e18}
    [1] 2008-11-29 20:48:10 0 C:\Windows\CSC\v2.0.6\temp\ea-{d8a5c867-be99-11dd-8014-edfc6cad4e18} ()

    Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
    [1] 2010-01-18 15:07:39 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

    Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
    [1] 2010-01-18 15:07:21 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

    Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl
    [1] 2010-01-18 15:07:07 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl ()

    Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
    [1] 2010-01-18 15:07:21 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

    Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
    [1] 2010-01-18 15:07:21 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

    Finished!

    Re: backdoor trojan thoroughly cleaned from computer by malwarebytes?

    Please navigate to this webpage: http://support.microsoft.com/kb/313222, see the section "Fix it for me" and click the Microsoft Fix-It button. This downloads a fix utility that repairs security settings on your computer that were damaged by malware or other harmful system changes. Install the file after download.

    ==

    Please download Malwarebytes Anti-Malware from Malwarebytes.org.
    Alternate link: BleepingComputer.com.
    (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

    Double Click mbam-setup.exe to install the application.

    (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Malwarebytes Log

    Dragonmaster Jay,
    I am a newbie, so please bear with my questions (to increase my computer knowledge):
    1) After Malwarebytes originally alerted me to the trojan, it quarantined and deleted it, so what do ComboFix and Win32kDiag do that Malwarebytes can not/did not? Why do you need to run another final Malwarebytes scan if it had already deleted the trojan? Do you expect something new to pop up after ComboFix and Win32kDiag do their thing?
    2) As I had stated in the first post, the infected computer is a slave but can access a data-only folder (videos) in the master computer. Can I assume the master is not compromised by the backdoor trojan? I ran Malwarebytes through the master and nothing came up.
    3) Should I dump Symantec Endpoint and go for either Avira or Kaspersky? Which firewall in your list do you recommend?


    Malwarebytes' Anti-Malware 1.44
    Database version: 3596
    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.18865

    1/18/2010 9:05:33 PM
    mbam-log-2010-01-18 (21-05-33).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 291798
    Time elapsed: 43 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
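The rescan log above can be checked mechanically rather than by eye. What follows is an added example written for this page; it is not part of the thread and not Malwarebytes' own code. It parses the MBAM 1.4x text log layout posted here (summary counts plus the per-section detection lines), then compares a first scan against the rescan and reports whether the rescan actually proves anything: it must be clean, and it must have run with a newer database version than the scan that found the infection. Both logs embedded in the block are constructed to match that layout; the dropper path in FIRST_SCAN is made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Two constructed MBAM 1.4x logs in the layout posted in this thread; the
# dropper path is made up for the example.
FIRST_SCAN = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3581
Windows 6.0.6002 Service Pack 2
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\example\dropper.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
"""

RESCAN = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3596
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected: (?P<n>\d+)$")
# "<object> (<family>) -> <action>"; a Registry Data Items line carries a second
# " -> " inside the action, which the greedy tail keeps intact.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    section: str    # "Files", "Registry Keys", ...
    item: str       # path or registry location
    family: str     # e.g. Trojan.Backdoor
    action: str     # what MBAM did with it


@dataclass
class ScanReport:
    database_version: Optional[int] = None
    safe_mode: bool = False
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not self.detections and all(n == 0 for n in self.counts.values())


def parse_mbam_log(text: str) -> ScanReport:
    rep, section = ScanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.startswith("Database version:"):
            rep.database_version = int(line.split(":", 1)[1])
        elif line.startswith("Windows "):
            rep.safe_mode = "(Safe Mode)" in line
        elif (m := COUNT_RE.match(line)):
            rep.counts[m["section"]] = int(m["n"])
        elif line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]        # detail section header
        elif section and (m := DETECTION_RE.match(line)):
            rep.detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return rep


def compare_scans(first: ScanReport, rescan: ScanReport) -> Dict[str, List[str]]:
    before = {d.item for d in first.detections}
    after = {d.item for d in rescan.detections}
    return {"removed": sorted(before - after),
            "persisting": sorted(before & after),
            "new": sorted(after - before)}


def rescan_verdict(first: ScanReport, rescan: ScanReport) -> str:
    """A rescan only proves something if it is clean AND ran with newer signatures."""
    diff = compare_scans(first, rescan)
    if diff["persisting"]:
        return "not clean: removal failed for " + ", ".join(diff["persisting"])
    if diff["new"] or not rescan.is_clean():
        return "not clean: new detections on rescan"
    if (None not in (first.database_version, rescan.database_version)
            and rescan.database_version <= first.database_version):
        return "clean, but signatures were not updated before the rescan"
    return "clean on rescan with updated signatures"


if __name__ == "__main__":
    print(rescan_verdict(parse_mbam_log(FIRST_SCAN), parse_mbam_log(RESCAN)))
```

The verdict deliberately refuses to call a rescan "clean" when the database version did not move: a second scan with the same signatures can only confirm what the first one already knew, which is why the helper asks for Check for Updates before every rescan.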

    Re: backdoor trojan thoroughly cleaned from computer by malwarebytes?

    No problem. Most victims of malware are "newbies", so don't feel left out.

    To answer 1: ComboFix is an automation tool for us helpers, which scans for files that are not authentic, and also scans deeper for rootkits. Win32kDiag is a diagnostic tool to check how much control the user has over the system, because a lack of control may mean a rootkit is lurking around. I want to make sure your system is fully clean, so the infections do not come back. So, rescanning is important to make sure it is gone.

    To answer 2: The master may be fine, as long as you do not double-click on any EXE files or any other programs located in the slave.

    To answer 3: Symantec Endpoint is not bad. I prefer Kaspersky over anything, but that is my choice. Kaspersky products are at premium prices, which many people may find unreasonable. Avira Free is a very good choice, and would be a good replacement.

    I will give you firewall suggestions in my last post in this topic.

    If you like learning about this, you should try out GeekPolice Academy. I teach in there as well as Belahzur.

    =====

    It is time to check for rootkits. With that said, please do the following:

    Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is unchecked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.

    Post the contents of GMER.txt in your next reply.
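To make concrete what the Win32kDiag step in the answer above is measuring ("how much control the user has over the system"), here is an added example written for this page. It is not Win32kDiag, ComboFix or GMER, and it does not request SeBackupPrivilege or verify Authenticode signatures; it only reproduces the core idea: walk a tree as the current user, try to open every file, and report the ones the system refuses, in the same two-line layout as the Win32kDiag log posted earlier. Everything in demo() is constructed: the temporary tree, the file names, and the probe that refuses blocked.bin stands in for a file a locked handle or a rootkit filter driver would deny.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Inaccessible:
    path: str
    size: int        # -1 when even lstat() is refused
    mtime: str       # "YYYY-MM-DD HH:MM:SS", the layout used in the Win32kDiag log
    reason: str


def open_probe(path: str) -> None:
    """Default probe: open for read and read one byte.

    A locked system file, a denying ACE or a filter driver hiding the file
    all surface here as an OSError (PermissionError for a denied ACL)."""
    with open(path, "rb") as fh:
        fh.read(1)


def _stamp(path: str) -> Tuple[int, str]:
    try:
        st = os.lstat(path)
        return st.st_size, time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime))
    except OSError:
        return -1, "????-??-?? ??:??:??"


def probe_tree(root: str, probe: Callable[[str], None] = open_probe) -> List[Inaccessible]:
    """Walk `root` as the current user and return everything the probe could not open."""
    hits: List[Inaccessible] = []

    def on_walk_error(err: OSError) -> None:
        # os.walk could not even list a directory: record the directory itself.
        size, mtime = _stamp(err.filename)
        hits.append(Inaccessible(err.filename, size, mtime, err.strerror or type(err).__name__))

    for dirpath, _dirs, files in os.walk(root, onerror=on_walk_error):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                probe(path)
            except OSError as err:
                size, mtime = _stamp(path)
                hits.append(Inaccessible(path, size, mtime, err.strerror or type(err).__name__))
    return hits


def format_report(hits: List[Inaccessible]) -> str:
    """Render hits in the two-line layout Win32kDiag uses."""
    lines = []
    for h in hits:
        lines.append(f"Cannot access: {h.path}")
        lines.append(f"[1] {h.mtime} {h.size} {h.path} ({h.reason})")
    return "\n".join(lines)


def demo() -> Dict[str, List[Inaccessible]]:
    """Constructed tree for the example: one readable file, and one file that a
    stand-in probe refuses the way a locked or rootkit-guarded file would."""
    root = tempfile.mkdtemp(prefix="w32kdiag-")
    logs = os.path.join(root, "System32", "LogFiles")
    os.makedirs(logs)
    with open(os.path.join(root, "System32", "ok.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 14)
    with open(os.path.join(logs, "blocked.bin"), "wb") as fh:
        fh.write(b"\0" * 64)

    def blocking_probe(path: str) -> None:
        if os.path.basename(path) == "blocked.bin":          # hypothetical locked file
            raise PermissionError(13, "Access is denied", path)
        open_probe(path)

    return {"default": probe_tree(root), "blocked": probe_tree(root, blocking_probe)}


if __name__ == "__main__":
    print(format_report(demo()["blocked"]) or "Finished! Nothing inaccessible.")
```

The value of such a report is in the diff against a known-good baseline, not in the raw list: on the Vista machine in this thread the offline-files cache under CSC and the live ETW trace files under LogFiles\WMI\RtBackup are expected to be unopenable by an interactive user, so what a helper looks for is an entry that cannot be explained that way.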

    gmer stopped working...unable to produce log file

    thank you for your help so far Dragonmaster Jay...anyway, I tried to run gmer in regular mode but the program stopped working mid-scan and a popup notified me that gmer has stopped working, a problem has caused the program to stop working correctly. I closed it and the computer automatically rebooted. I tried it again in safe mode and the same thing happened....

    Re: backdoor trojan thoroughly cleaned from computer by malwarebytes?

    Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

    Code:

    @echo off
    REM Run GMER under a neutral file name: some rootkits watch for the
    REM name gmer.exe and crash or block it, but ignore the same program
    REM when it runs as ark.exe.
    Copy /y gmer.exe ark.exe
    Start ark.exe

    Save it into the gmer folder as File name: ark.cmd
    Save as type: All Files

    Once done, double click ark.cmd to run it.

    This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.

    ark.exe

    Dragonmaster Jay,
    tried as above, and gmer ran a little further this time, but the program stops scanning once gmer reaches
    \Device\HarddiskVolumeShadowCopy1

    at which point I receive the same popup notifying me that a problem has caused it to stop working.

    Re: backdoor trojan thoroughly cleaned from computer by malwarebytes?

    OK. Try right-clicking on it and running it as Administrator.

    Then, see what happens.

    gmer still not working

    I ran as admin, and still the program crashes...
    anyway, I am now thinking about wiping the hard drive (not hard to do since it's only a slave computer, and I don't have important docs on it) and installing windows 7.

    After reading the tutorials in GeekPolice, I am thinking of installing the following:
    what do you think?

    antivirus - Avira Antivir
    antispyware - Spybot or SpywareBlaster
    firewall - Comodo or Outpost

    1) can I also install malwarebytes with the combo above?
    2) do I have to disable the windows firewall once I have installed the 3rd party firewall?
    3) I assume the antivirus operates in real-time, but the antispyware programs (except for TeaTimer) and malwarebytes have to be started by me, right? Can I run TeaTimer in realtime along with an antivirus software?

    Re: backdoor trojan thoroughly cleaned from computer by malwarebytes?

    1) can I also install malwarebytes with the combo above?
    That combination is fine. Yes, you can install Malwarebytes' Anti-Malware along with them.
    2) do I have to disable the windows firewall once I have installed the 3rd party firewall?
    Yes.
    3) I assume the antivirus operates in real-time, but the antispyware programs (except for TeaTimer) and malwarebytes have to be started by me, right? Can I run TeaTimer in realtime along with an antivirus software?
    Antispyware programs will be realtime too. Not MBAM. And yes, TeaTimer can be run along with an antivirus software.

    Re: backdoor trojan thoroughly cleaned from computer by malwarebytes?

    Thank you for all of your help, Dragonmaster Jay!

    Re: backdoor trojan thoroughly cleaned from computer by malwarebytes?

    You're welcome.
