notmydayjob

then, many thanks. most grateful for your help.

i will do the things you wrote. but, one last question: early on, i had copied files and stuff to a usb drive. i presume it is safe to just plug that back in and scan with antivirus software. i had copied to that drive individual document files and folders but also copied entire 'user folders' from C:\documents and settings\ (i did this becuase i find that microsoft sometimes sticks useful/important stuff in very obscure places.) are these ok to keep (probably have java stuff in there)?

basic computer operations seem ok and i'm back in normal mode not 'safe mode'. the connections to the internet that i've made (to post and download tools, etc.) seem ok. but i have not surfed around much because i've uninstalled antivirus. that's all good! what else to do? some final malware scans? need java back need acrobat reader need to reenable whatever was disabled by defogger need malwarebytes pro version! (do you all have a multicomputer license?)

here is the combofix log: ComboFix 10-05-29.05 - sandy 05/30/2010 10:03:46.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.507 [GMT -4:00] Running from: c:\documents and settings\sandy\Desktop\Combo-Fix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\Internet Explorer\SET268.tmp c:\program files\Internet Explorer\SET26D.tmp c:\program files\Internet Explorer\SET2DA.tmp c:\program files\Internet Explorer\SET2DB.tmp c:\windows\system32\_000012_.tmp.dll c:\windows\system32\_000017_.tmp.dll c:\windows\system32\_000018_.tmp.dll c:\windows\system32\_000019_.tmp.dll c:\windows\system32\_000020_.tmp.dll c:\windows\system32\_000021_.tmp.dll D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 ))))))))))))))))))))))))))))))) . 2010-05-23 23:27 . 2010-05-23 23:27 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-05-23 11:22 . 2010-05-23 11:22 -------- d-----w- c:\windows\system32\wbem\Repository 2010-05-15 12:30 . 2010-05-15 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} 2010-05-15 12:20 . 2010-05-23 11:20 -------- d-----w- c:\documents and settings\sandy\Application Data\Apple Computer 2010-05-15 12:16 . 2010-05-15 12:20 -------- d-----w- c:\documents and settings\sandy\Local Settings\Application Data\Apple Computer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-30 01:47 . 2006-08-22 13:17 -------- d-----w- c:\program files\Common Files\Adobe 2010-05-30 01:39 . 2006-05-11 12:27 -------- d-----w- c:\program files\Common Files\Symantec Shared 2010-05-30 01:39 . 2006-05-11 12:27 -------- d-----w- c:\program files\Symantec 2010-05-30 01:39 . 2006-05-11 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec 2010-05-25 00:01 . 2009-05-25 21:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-23 11:23 . 2008-03-15 16:36 -------- d-----w- c:\program files\Bonjour 2010-05-23 11:20 . 2008-03-15 16:35 -------- d-----w- c:\program files\Apple Software Update 2010-05-23 11:20 . 2008-03-15 16:36 -------- d-----w- c:\program files\QuickTime 2010-05-23 11:20 . 2008-03-15 16:36 -------- d-----w- c:\program files\iTunes 2010-05-15 12:30 . 2008-03-15 16:37 -------- d-----w- c:\program files\iPod 2010-05-15 12:30 . 2008-03-15 16:35 -------- d-----w- c:\program files\Common Files\Apple 2010-04-29 19:39 . 2009-09-07 12:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 19:39 . 2009-09-07 12:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-21 10:29 . 2009-08-26 11:43 -------- d-----w- c:\documents and settings\sandy\Application Data\Canon 2010-03-10 06:15 . 2004-08-10 15:00 420352 ----a-w- c:\windows\system32\vbscript.dll 2010-03-04 19:01 . 2003-03-19 13:20 1060864 ----a-w- c:\windows\system32\MFC71.DLL 2010-03-04 19:01 . 2003-02-21 20:42 348160 ----a-w- c:\windows\system32\MSVCR71.DLL 2009-12-05 02:50 . 2009-12-05 02:50 22 --sha-w- c:\windows\SMINST\HPCD.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512] "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784] "MsmqIntCert"="mqrt.dll" [2008-04-14 177152] "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948] "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960] "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840] "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896] "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576] "PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2009-06-19 505128] "ScanSoft OmniPage SE 4.0-reminder"="c:\program files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2006-09-26 1410600] c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728] c:\documents and settings\sandy\Start Menu\Programs\Startup\ Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176] HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\mqsvc.exe"= "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [3/9/2008 2:31 PM 11136] R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [8/25/2009 8:40 PM 37248] R3 scnuhst20;SC NUSB Host 20;c:\windows\system32\drivers\scnuhst20.sys [1/24/2010 11:35 AM 11264] R3 SCNUHUB20;SC NUSB Hub 20;c:\windows\system32\drivers\scnuhub20.sys [1/24/2010 11:35 AM 30080] S3 LKNUCMP;Linksys Network USB Composite Device;c:\windows\system32\drivers\lknucmp.sys [8/26/2009 7:42 AM 11648] . Contents of the 'Scheduled Tasks' folder 2010-05-15 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:57] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB FF - ProfilePath - c:\documents and settings\sandy\Application Data\Mozilla\Firefox\Profiles\73aiep8f.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - plugin: c:\documents and settings\sandy\Application Data\Mozilla\Firefox\Profiles\73aiep8f.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-30 10:10 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????Z??????(?@???????@ scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(924) c:\windows\system32\igfxdev.dll . Completion time: 2010-05-30 10:11:44 ComboFix-quarantined-files.txt 2010-05-30 14:11 Pre-Run: 68,125,495,296 bytes free Post-Run: 70,844,264,448 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect - - End Of File - - C1EC0BF27FC072DF017A46056FE8CA51

mouse control has returned (at least for now).

small problem... combofix started but i got a message saying that recovery console is not installed. combofix will either not attempt to fix some serious errors or i can go download the console from the internet. which shall i chose? ALSO, combofix (i presume) has disable the touchpad on the computer, so i have no mouse control. i seem to be able to move around with the arrow keys, but will i need more than this? the computer has a bluetooth mouse but i have to plug the bluetooth receiver into the usb port. will that work at this point? (i do not have a regular wired usb mouse).

ok java gone using javara (log pasted below). also removed java and sun folders manually. i will now run combofix (i tried to run the eset online scan you mentioned earlier but the sequence of events was not exactly as you described. i got to the web site, clicked on 'online scan' and answered yes to the active x question. there was a dialog box open but it was blank and i did not see anything about advanced settings. then a dialog box popped up asking if i wanted to download a file. i don't remember the name of the file. it ended in '.cab'. so i cancelled. i can go back to this if you like. combofix now. here is the log JavaRa 1.15 Removal Log. Report follows after line. ------------------------------------ The JavaRa removal process was started on Sun May 30 08:24:03 2010 Found and removed: C:\Program Files\Java\jre1.5.0_06 Found and removed: Software\JavaSoft\Java2D\1.5.0_06 Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} Found and removed: SOFTWARE\Classes\JavaPlugin.150_06 Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510006 Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\ Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\ ------------------------------------ Finished reporting.

ok. progress! i've uninstalled norton internet security. (thanks for that link). and i can restart in normal mode. and i was able to uninstall acrobat reader 9.2 (one of the things you wanted me to do early on). so, what to do now? do you want me to go back to your earlier instructions and uninstall java, etc. or run combofix?

still a problem: as before when i tried to uninstall acrobat in 'safe mode' i can not uninstall norton in safe mode. is there another way to do this? i tried to do a normal restart and log in as a different user, but that also just gives me the same very slow system behavior.

i tried your last instructions. i downloaded it as Firefox.com as you indicated and launched it. (your instructions below this point mentions downloading and renaming as 'combo-fix' etc but i think that was a slight error. anyway, i still get the message from combofix that norton internet security is running. this was the problem i encountered a few messages ago. what shall we try next?

i tried your instructions. things began as your animation showed but then i got an error message that read: some files could not be created. please close all applications, reboot windows and restart this installation. i rebooted. (i tried a normal start, but again very slow response to any mouse click, so i restarted again in safe mode) i then tried your instructions again with the same result. what to try next? (is there something corrupt here? i mean besides a possible virus?)

sorry, but i have a catch 22 situation. i downloaded and started combofix. it told me that my norton antivirus was running and that i should disable it. i presumed that it WAS off because when i tried to access my norton antivirus, my computer told me norton can not run in safe mode. and then i got some error messages from norton. but i can not get access to it to do anything with it. so combofix is waiting for me to disable antivirus (or run at my own risk). what now? can i just hold the on/off button until everything shuts down?

i have been running in 'safe mode' because of very slow system response when i try to run windows normally. (actually, running slow in safe mode now, too; winlogon and lsass are using all cpu). anyway, in safe mode, 'add/delete programs' tells me in can not delete adobe reader 9.2. so what to do now i'm posting from a different computer now...

ok, here is the dds log info and the others are attached DDS (Ver_10-03-17.01) - NTFSx86 NETWORK Run by sandy at 20:16:13.28 on Tue 05/25/2010 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.799 [GMT -4:00] AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe C:\Documents and Settings\sandy\Desktop\dds.com ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q306&bd=pavilion&pf=laptop uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll TB: Norton Internet Security 2006: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [ehTray] c:\windows\ehome\ehtray.exe mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe mRun: [igfxtray] c:\windows\system32\igfxtray.exe mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe mRun: [igfxpers] c:\windows\system32\igfxpers.exe mRun: [MsmqIntCert] regsvr32 /s mqrt.dll mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe" mRun: [<NO NAME>] mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe mRun: [RecGuard] c:\windows\sminst\RecGuard.exe mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe" mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll" mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe" mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [PSDiagnosticM] "c:\program files\linksys wireless-g print server\PSDiagnosticM.exe" mRun: [scanSoft OmniPage SE 4.0-reminder] "c:\program files\scansoft\omnipagese4.0\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipagese4.0\ereg\ereg.ini" mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k mRunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "c:\program files\malwarebytes' anti-malware\mbamext.dll" mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent mRunOnce: [innoSetupRegFile.0000000001] "c:\windows\is-NMKU6.exe" /REG StartupFolder: c:\docume~1\sandy\startm~1\programs\startup\vongot~1.lnk - c:\program files\vongo\Tray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000 IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: igfxcui - igfxdev.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\sandy\applic~1\mozilla\firefox\profiles\73aiep8f.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - plugin: c:\documents and settings\sandy\application data\mozilla\firefox\profiles\73aiep8f.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [2008-3-9 11136] R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [2009-8-25 37248] R3 scnuhst20;SC NUSB Host 20;c:\windows\system32\drivers\scnuhst20.sys [2010-1-24 11264] R3 SCNUHUB20;SC NUSB Hub 20;c:\windows\system32\drivers\scnuhub20.sys [2010-1-24 30080] S1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-12-20 54968] S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2006-1-12 191848] S2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2006-1-12 202088] S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2006-1-12 169320] S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328] S2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2006-2-5 139888] S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-8-14 1251720] S3 LKNUCMP;Linksys Network USB Composite Device;c:\windows\system32\drivers\lknucmp.sys [2009-8-26 11648] S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100521.002\NAVENG.Sys [2010-5-21 85552] S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100521.002\NavEx15.Sys [2010-5-21 1347504] S3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-12-20 337592] S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-12-20 198416] =============== Created Last 30 ================ 2010-05-25 01:21:41 0 ----a-w- c:\documents and settings\sandy\defogger_reenable 2010-05-25 00:00:08 711168 ----a-w- c:\windows\is-NMKU6.exe 2010-05-25 00:00:08 351 ----a-w- c:\windows\is-NMKU6.lst 2010-05-25 00:00:08 10562 ----a-w- c:\windows\is-NMKU6.msg 2010-05-23 23:27:41 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-05-23 11:22:17 0 d-----w- c:\windows\system32\wbem\Repository 2010-05-15 12:30:25 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521} ==================== Find3M ==================== 2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll 2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll 2010-03-04 19:01:09 348160 ----a-w- c:\windows\system32\MSVCR71.DLL 2010-03-04 19:01:09 1060864 ----a-w- c:\windows\system32\MFC71.DLL 2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll 2009-12-05 02:50:16 22 --sha-w- c:\windows\sminst\HPCD.sys 2009-10-14 14:17:24 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat ============= FINISH: 20:16:56.90 =============== ark.zip Attach.zip

here is my malwarebytes log. seems ok. i ran defogger and got the 'finished' message but it did not ask me to reboot. is that because i'm in 'safe mode'. so, should i reboot and continue with the instructions which now say to run DDS? Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4140 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 8.0.6001.18702 5/24/2010 8:14:24 PM mbam-log-2010-05-24 (20-14-24).txt Scan type: Quick scan Objects scanned: 158709 Time elapsed: 10 minute(s), 21 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

can i do this in 'safe mode'? the slow behavior i mentioned just prevents me from working in normal mode. (and is there a way to transfer files safely without connecting the problem computer to the internet?)

one home laptop has started acting oddly for some days... boot starts normally but computer gets very very slow after user logs in; many hours to respond to single mouse click. so, as a precaution network connections have been disabled. this post from different computer. norton antivirus seems to be not working. restart in safe mode seems ok. while in safe mode, copied user files and more stuff to usb storage drive. firewalls off and can not enable. in safe mode, malwarebytes (virus def file is several months old, but that's what was on the machine) finds disabled.securitycenter. and fixed. but norton internet security still not working (says it will not run in safe mode). restart in normal mode and can enable windows firewall from 'control panel-security center'. security center says virus protection is enabled but norton internet security will not launch. hijackthis v 2.0.2, previously installed on machine. but i haven't run it yet. so, what to do? i would prefer not to connect that computer to internet. is there a way to safely transfer files to/from with a usb drive? and what do i do about the usb drive i connected to the computer to save user files and stuff? infected or not?

Here is the last MBAM log from yesterday after my post: Malwarebytes' Anti-Malware 1.41 Database version: 2815 Windows 5.1.2600 Service Pack 2 9/17/2009 11:37:32 PM mbam-log-2009-09-17 (23-37-32).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 203618 Time elapsed: 1 hour(s), 32 minute(s), 49 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Everything seems to be operating OK so far. There was an external hard drive that had been connected but is now shut off. Can I just reconnect that and scan it with MBAM, or is there a better way to do that?

Okay. Several cycles of MBAM, my AV and computer restarts finally produced a series of 'clean' scans. The automatic combifix removal did not work (a dialog box said something like program not found), so I manually discarded it and the folder you mentioned. I ran cccleaner and ran the online scan you suggested. Here is that log: ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=6 # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6050 # api_version=3.0.2 # EOSSerial=057595faf885a844af71727d95eb60c4 # end=finished # remove_checked=false # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2009-09-18 01:25:39 # local_time=2009-09-17 09:25:39 (-0500, Eastern Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 2 # compatibility_mode=3586 38 80 23 375292719691184 # scanned=128365 # found=0 # cleaned=0 # scan_time=4749 What's next?

new problems? I mentioned in my last post that i was running an antivirus scan. Though slow, it ran and found 'virusblast'. after a restart, I ran MBAM again (same version and definition set as before) and it now finds something new called rogue.multiple and roguepcvirusless in a registry key and registry values. (I am posting from a different computer and can not post the logs, but I will if you need). The computer has not been online except to post the previous logs and post to this topic. I'm a bit hesitant to go online and perform your scans especially since they require me to disable virus protection. Should I still do this? Or is there something else?

I will do these. But, there seems to be an additional problem. After I posted the logs, i ran MBAM 1.41 again. It found no threats. BUT, while it was running, my antivirus program automatically detected an active 'threat' and requested a restart to complete repair. I did this. I found it strange that MBAM did not detect a problem, so I am running a full scan again. It is now running very slowly. There is a process (ccSvcHst.exe) that is using a lot of memory and cpu as seen in the windows task manager. (I have seen this behavior from time to time). I will wait for this scan to complete and then do the tasks you list, unless there is something else to try.

OK. Here are the logs. there is the combofix log from some time ago, the latest mbam 1.41 (showing nothing) and a new hijackthis log run after the last mbam 1.41 i went online and downloaded mbam 1.41, updated it and ran it. it found trojan.agent and rootkit.tdss. (this seems strange because these things removed with a prior scan with mbam 1.40. don't know why they seem to have returned. let me know what to do next. Malwarebytes' Anti-Malware 1.41 Database version: 2803 Windows 5.1.2600 Service Pack 2 9/15/2009 12:36:11 PM mbam-log-2009-09-15 (12-36-11).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 189454 Time elapsed: 1 hour(s), 29 minute(s), 46 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:33:37 PM, on 9/15/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe C:\Program Files\Dell\QuickSet\Quickset.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\WDBtnMgr.exe C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe C:\Program Files\Dell\Bluetooth Software\BTTray.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Common Files\Real\Update_OB\realevent.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe O4 - HKLM\..\Run: [PSDiagnosticM] "C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user') O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM') O4 - S-1-5-18 Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe (User 'SYSTEM') O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user') O4 - .DEFAULT Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe (User 'Default user') O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1156016043611 O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- End of file - 12675 bytes ComboFix 09-09-09.07 - phil 09/10/2009 18:02.1.1 - NTFSx86 Running from: c:\documents and settings\phil\Desktop\Combo-Fix.exe AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\-1260744873 c:\recycler\NPROTECT c:\recycler\NPROTECT\00000000.DAT c:\recycler\NPROTECT\00000001.DAT c:\recycler\NPROTECT\00000002 c:\recycler\NPROTECT\00000003 c:\recycler\NPROTECT\00000004 c:\recycler\NPROTECT\00000005 c:\recycler\NPROTECT\00000006 c:\recycler\NPROTECT\00000007 c:\recycler\NPROTECT\00000009 c:\recycler\NPROTECT\00000011 c:\recycler\NPROTECT\00000012 c:\recycler\NPROTECT\00000013 c:\recycler\NPROTECT\00000014 c:\recycler\NPROTECT\00000016 c:\recycler\NPROTECT\00000017 c:\recycler\NPROTECT\00000020.DAT c:\recycler\NPROTECT\00000021 c:\recycler\NPROTECT\00000022 c:\recycler\NPROTECT\00000023 c:\recycler\NPROTECT\00000024 c:\recycler\NPROTECT\00000025 c:\recycler\NPROTECT\00000026 c:\recycler\NPROTECT\00000027 c:\recycler\NPROTECT\00000029 c:\recycler\NPROTECT\00000030.DAT c:\recycler\NPROTECT\00000031 c:\recycler\NPROTECT\00000032 c:\recycler\NPROTECT\00000033 c:\recycler\NPROTECT\00000034 c:\recycler\NPROTECT\00000035 c:\recycler\NPROTECT\00000036 c:\recycler\NPROTECT\00000037 c:\recycler\NPROTECT\00000038 c:\recycler\NPROTECT\00000039 c:\recycler\NPROTECT\00000040 c:\recycler\NPROTECT\00000041 c:\recycler\NPROTECT\00000042 c:\recycler\NPROTECT\00000043 c:\recycler\NPROTECT\00000044 c:\recycler\NPROTECT\00000045 c:\recycler\NPROTECT\00000046 c:\recycler\NPROTECT\00000047 c:\recycler\NPROTECT\00000048 c:\recycler\NPROTECT\00000051 c:\recycler\NPROTECT\00000052 c:\recycler\NPROTECT\00000053 c:\recycler\NPROTECT\00000055 c:\recycler\NPROTECT\00000056 c:\recycler\NPROTECT\00000057 c:\recycler\NPROTECT\00000058 c:\recycler\NPROTECT\00000059 c:\recycler\NPROTECT\00000060 c:\recycler\NPROTECT\00000061 c:\recycler\NPROTECT\00000062 c:\recycler\NPROTECT\00000063 c:\recycler\NPROTECT\00000064 c:\recycler\NPROTECT\00000066 c:\recycler\NPROTECT\00000067 c:\recycler\NPROTECT\00000068 c:\recycler\NPROTECT\00000069 c:\recycler\NPROTECT\00000072 c:\recycler\NPROTECT\00000073 c:\recycler\NPROTECT\00000074 c:\recycler\NPROTECT\00000075 c:\recycler\NPROTECT\00000077 c:\recycler\NPROTECT\00000079 c:\recycler\NPROTECT\00000080 c:\recycler\NPROTECT\00000081 c:\recycler\NPROTECT\00000082 c:\recycler\NPROTECT\00000083 c:\recycler\NPROTECT\00000084 c:\recycler\NPROTECT\00000086 c:\recycler\NPROTECT\00000087 c:\recycler\NPROTECT\00000088 c:\recycler\NPROTECT\00000090 c:\recycler\NPROTECT\00000091 c:\recycler\NPROTECT\00000092 c:\recycler\NPROTECT\00000093 c:\recycler\NPROTECT\00000095 c:\recycler\NPROTECT\00000096 c:\recycler\NPROTECT\00000097 c:\recycler\NPROTECT\00000098 c:\recycler\NPROTECT\00000099 c:\recycler\NPROTECT\00000100 c:\recycler\NPROTECT\00000102 c:\recycler\NPROTECT\00000103 c:\recycler\NPROTECT\00000104 c:\recycler\NPROTECT\00000105 c:\recycler\NPROTECT\00000106 c:\recycler\NPROTECT\00000108 c:\recycler\NPROTECT\00000109 c:\recycler\NPROTECT\00000110 c:\recycler\NPROTECT\00000111 c:\recycler\NPROTECT\00000112 c:\recycler\NPROTECT\00000113 c:\recycler\NPROTECT\00000114 c:\recycler\NPROTECT\00000115 c:\recycler\NPROTECT\00000116 c:\recycler\NPROTECT\00000117 c:\recycler\NPROTECT\00000121 c:\recycler\NPROTECT\00000122.dat c:\recycler\NPROTECT\00000123.dat c:\recycler\NPROTECT\00000124 c:\recycler\NPROTECT\00000125 c:\recycler\NPROTECT\00000126 c:\recycler\NPROTECT\00000127 c:\recycler\NPROTECT\00000128 c:\recycler\NPROTECT\00000129 c:\recycler\NPROTECT\00000130 c:\recycler\NPROTECT\00000131 c:\recycler\NPROTECT\00000133 c:\recycler\NPROTECT\00000135.dat c:\recycler\NPROTECT\00000137 c:\recycler\NPROTECT\00000138.bat c:\recycler\NPROTECT\00000139 c:\recycler\NPROTECT\00000140 c:\recycler\NPROTECT\00000141 c:\recycler\NPROTECT\00000142 c:\recycler\NPROTECT\00000143 c:\recycler\NPROTECT\00000144 c:\recycler\NPROTECT\00000146 c:\recycler\NPROTECT\00000147 c:\recycler\NPROTECT\00000149 c:\recycler\NPROTECT\00000150 c:\recycler\NPROTECT\00000151 c:\recycler\NPROTECT\00000154 c:\recycler\NPROTECT\00000155 c:\recycler\NPROTECT\00000156 c:\recycler\NPROTECT\00000157 c:\recycler\NPROTECT\00000158 c:\recycler\NPROTECT\00000159 c:\recycler\NPROTECT\00000160 c:\recycler\NPROTECT\00000162 c:\recycler\NPROTECT\00000163 c:\recycler\NPROTECT\00000164 c:\recycler\NPROTECT\00000165 c:\recycler\NPROTECT\00000166 c:\recycler\NPROTECT\00000167 c:\recycler\NPROTECT\00000168 c:\recycler\NPROTECT\00000169 c:\recycler\NPROTECT\00000170 c:\recycler\NPROTECT\00000171 c:\recycler\NPROTECT\00000172 c:\recycler\NPROTECT\00000173 c:\recycler\NPROTECT\00000174 c:\recycler\NPROTECT\00000175 c:\recycler\NPROTECT\00000176 c:\recycler\NPROTECT\00000177 c:\recycler\NPROTECT\00000178 c:\recycler\NPROTECT\00000179 c:\recycler\NPROTECT\00000180 c:\recycler\NPROTECT\00000181 c:\recycler\NPROTECT\00000183 c:\recycler\NPROTECT\00000184 c:\recycler\NPROTECT\00000185 c:\recycler\NPROTECT\00000186 c:\recycler\NPROTECT\00000189 c:\recycler\NPROTECT\00000192.SYS c:\recycler\NPROTECT\00000193 c:\recycler\NPROTECT\00000194 c:\recycler\NPROTECT\00000195 c:\recycler\NPROTECT\00000196 c:\recycler\NPROTECT\00000197 c:\recycler\NPROTECT\00000198 c:\recycler\NPROTECT\00000199 c:\recycler\NPROTECT\00000200 c:\recycler\NPROTECT\00000201 c:\recycler\NPROTECT\00000202 c:\recycler\NPROTECT\00000203.dat c:\recycler\NPROTECT\00000204 c:\recycler\NPROTECT\00000205.bad c:\recycler\NPROTECT\00000206 c:\recycler\NPROTECT\00000207 c:\recycler\NPROTECT\00000208 c:\recycler\NPROTECT\00000209 c:\recycler\NPROTECT\00000210 c:\recycler\NPROTECT\00000216 c:\recycler\NPROTECT\00000218.md5 c:\recycler\NPROTECT\NPROTECT.LOG c:\windows\system32\drivers\fad.sys c:\windows\system32\drivers\UACwmhqklmnfo.sys c:\windows\system32\system c:\windows\system32\system\msxml4.dll c:\windows\system32\system\msxml4r.dll c:\windows\system32\uacinit.dll c:\windows\system32\UACnoukvmkpkk.dll c:\windows\system32\UACpwwgqhvuiu.dll c:\windows\system32\UACrnjpvqqynx.dll c:\windows\system32\UACubkjdtqklt.dat c:\windows\system32\UACwjotalaicp.dll c:\windows\system32\wscsvc32.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_UACd.sys -------\Legacy_UACd.sys ((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 ))))))))))))))))))))))))))))))) . 2009-09-08 18:02 . 2009-09-08 18:02 -------- d-----w- c:\program files\Trend Micro 2009-09-07 01:03 . 2009-09-07 01:03 -------- d-----w- c:\documents and settings\phil\Application Data\Malwarebytes 2009-09-07 01:00 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-07 01:00 . 2009-09-07 01:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-07 01:00 . 2009-09-07 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-09-07 01:00 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-08-25 20:56 . 2009-08-25 20:56 -------- d-----w- c:\windows\system32\XPSViewer 2009-08-25 20:56 . 2009-08-25 20:56 -------- d-----w- c:\program files\MSBuild 2009-08-25 20:56 . 2009-08-25 20:56 -------- d-----w- c:\program files\Reference Assemblies 2009-08-25 20:54 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2009-08-25 20:54 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll 2009-08-25 20:54 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2009-08-25 20:54 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll 2009-08-25 20:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll 2009-08-25 20:54 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll 2009-08-25 20:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll 2009-08-25 20:54 . 2009-08-25 20:55 -------- d-----w- C:\66b41c15ca8c7d686e66f55fe2fe3c 2009-08-25 20:53 . 2009-08-25 21:19 -------- d-----w- c:\windows\SxsCaPendDel 2009-08-25 20:45 . 2009-08-25 20:45 -------- d-----w- c:\program files\MSXML 6.0 2009-08-19 21:52 . 2009-08-19 21:52 -------- d-----w- c:\program files\MSXML 4.0 2009-08-18 13:48 . 2009-01-09 18:33 1848608 ----a-w- c:\windows\system32\acXMLParser.dll 2009-08-18 13:48 . 2009-01-09 18:33 3523872 ----a-w- c:\windows\system32\cdintf300.dll 2009-08-18 13:46 . 2009-08-18 13:56 -------- d-----w- c:\program files\Quicken 2009-08-18 13:03 . 2009-08-18 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller 2009-08-18 12:58 . 2009-08-18 12:58 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-10 22:20 . 2006-08-19 19:09 -------- d-----w- c:\program files\Common Files\Symantec Shared 2009-09-06 07:34 . 2006-08-19 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec 2009-09-02 13:01 . 2008-08-03 20:14 512 ----a-w- C:\drmHeader.bin 2009-08-25 22:04 . 2006-08-19 22:22 65664 ----a-w- c:\documents and settings\phil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-24 00:30 . 2006-08-20 00:53 -------- d-----w- c:\program files\Norton SystemWorks 2009-08-18 13:49 . 2009-04-12 01:54 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0 2009-08-18 13:49 . 2006-08-19 17:30 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-08-05 09:11 . 2006-08-19 18:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-17 18:55 . 2003-07-16 16:18 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-15 12:25 . 2006-09-05 10:49 -------- d-----w- c:\documents and settings\phil\Application Data\Canon 2009-07-14 03:43 . 2004-08-04 07:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-03 17:09 . 2006-06-23 15:33 915456 ----a-w- c:\windows\system32\wininet.dll 2009-06-25 18:36 . 2003-07-16 16:29 471552 ----a-w- c:\windows\system32\mqutil.dll 2009-06-25 18:36 . 2003-07-16 16:29 48640 ----a-w- c:\windows\system32\mqupgrd.dll 2009-06-25 18:36 . 2003-07-16 16:29 186880 ----a-w- c:\windows\system32\mqtrig.dll 2009-06-25 18:36 . 2003-07-16 16:29 517120 ----a-w- c:\windows\system32\mqsnap.dll 2009-06-25 18:36 . 2003-07-16 16:29 95744 ----a-w- c:\windows\system32\mqsec.dll 2009-06-25 18:36 . 2003-07-16 16:29 177152 ----a-w- c:\windows\system32\mqrt.dll 2009-06-25 18:36 . 2003-07-16 16:29 123392 ----a-w- c:\windows\system32\mqrtdep.dll 2009-06-25 18:36 . 2003-07-16 16:29 661504 ----a-w- c:\windows\system32\mqqm.dll 2009-06-25 18:36 . 2003-07-16 16:29 225280 ----a-w- c:\windows\system32\mqoa.dll 2009-06-25 18:36 . 2003-07-16 16:28 47104 ----a-w- c:\windows\system32\mqdscli.dll 2009-06-25 18:36 . 2003-07-16 16:28 16896 ----a-w- c:\windows\system32\mqise.dll 2009-06-25 18:36 . 2003-07-16 16:28 138240 ----a-w- c:\windows\system32\mqad.dll 2009-06-25 08:44 . 2005-06-15 17:50 298496 ----a-w- c:\windows\system32\kerberos.dll 2009-06-25 08:44 . 2003-07-16 16:44 59392 ----a-w- c:\windows\system32\wdigest.dll 2009-06-25 08:44 . 2003-07-16 16:38 56320 ----a-w- c:\windows\system32\secur32.dll 2009-06-25 08:44 . 2003-07-16 16:37 168448 ----a-w- c:\windows\system32\schannel.dll 2009-06-25 08:44 . 2003-07-16 16:31 133632 ----a-w- c:\windows\system32\msv1_0.dll 2009-06-25 08:44 . 2003-07-16 16:26 724480 ----a-w- c:\windows\system32\lsasrv.dll 2009-06-22 11:49 . 2003-07-16 16:29 117248 ----a-w- c:\windows\system32\mqtgsvc.exe 2009-06-22 11:49 . 2003-07-16 16:28 19968 ----a-w- c:\windows\system32\mqbkup.exe 2009-06-22 11:49 . 2003-07-16 16:29 4608 ----a-w- c:\windows\system32\mqsvc.exe 2009-06-22 11:48 . 2003-07-16 16:28 91776 ----a-w- c:\windows\system32\drivers\mqac.sys 2009-06-22 11:34 . 2003-07-16 16:26 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2009-06-16 14:55 . 2003-07-16 16:41 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:55 . 2003-07-16 16:22 82432 ----a-w- c:\windows\system32\fontsub.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" [2006-08-19 1003520] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2003-06-20 368640] "Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-21 151552] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872] "mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248] "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 118784] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-19 151597] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741] "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648] "DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-10-07 294912] "AcctMgr"="c:\program files\Norton SystemWorks\Password Manager\AcctMgr.exe" [2004-08-18 586896] "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816] "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-06 26248] "PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-02-27 315392] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048] "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-30 136600] "BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880] "WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2007-07-01 339968] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232] "ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2006-09-02 100032] c:\documents and settings\phil\Start Menu\Programs\Startup\ Camio Viewer.lnk - c:\program files\Sierra Imaging\Image Expert\IXApplet.exe [2007-2-4 103424] V CAST Music Monitor.lnk - c:\program files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe [2005-11-30 327680] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2007-12-26 1697112] BTTray.lnk - c:\program files\Dell\Bluetooth Software\BTTray.exe [2003-7-2 393277] WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-8-26 118784] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= R2 HPFECP12;HPFECP12;c:\windows\system32\drivers\HPFecp12.sys [4/9/1999 8:26 AM 52800] R2 NProtectService;Norton Unerase Protection;c:\progra~1\NORTON~2\NORTON~2\NPROTECT.EXE [11/24/2003 12:49 PM 81920] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2009 3:08 PM 102448] R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [3/9/2008 2:16 PM 11136] R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [3/9/2008 2:16 PM 37248] R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [8/19/2006 2:28 PM 92550] S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088] S3 LKNUCMP;Linksys Network USB Composite Device;c:\windows\system32\drivers\lknucmp.sys [3/9/2008 2:16 PM 11648] --- Other Services/Drivers In Memory --- *NewlyCreated* - COMHOST [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34] 2009-09-06 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - phil.job - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 05:38] 2009-09-04 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job - c:\program files\Norton SystemWorks\OBC.exe [2003-12-16 19:04] 2009-09-10 c:\windows\Tasks\Symantec Drmc.job - c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 08:48] 2009-09-10 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ mStart Page = hxxp://www.google.com uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html Trusted Zone: turbotax.com . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-10 18:24 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}] @Denied: (A 2) (Everyone) @="IFlashBroker3" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(696) c:\windows\system32\Ati2evxx.dll c:\windows\system32\msv1_0.dll - - - - - - - > 'explorer.exe'(532) c:\windows\system32\WININET.dll c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\System32\btncopy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . SystemRoot\System32\smss.exe [608] ??\c:\windows\system32\csrss.exe [664] ??\c:\windows\system32\winlogon.exe [696] c:\windows\system32\services.exe [740] c:\windows\system32\lsass.exe [752] c:\windows\system32\Ati2evxx.exe [948] c:\windows\system32\svchost.exe [976] c:\windows\system32\svchost.exe [1068] c:\windows\System32\svchost.exe [1108] c:\windows\system32\svchost.exe [1152] c:\windows\System32\svchost.exe [1260] c:\windows\system32\svchost.exe [1288] c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [1356] c:\windows\system32\Ati2evxx.exe [1528] c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe [1840] c:\windows\system32\spoolsv.exe [380] c:\windows\system32\CF3736.exe [460] c:\windows\System32\SCardSvr.exe [600] c:\windows\System32\svchost.exe [1244] c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1536] c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [1720] c:\program files\Dell\QuickSet\Quickset.exe [1800] c:\windows\BCMSMMSG.exe [1820] c:\program files\Apoint\Apoint.exe [1836] c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe [1864] c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe [1888] c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe [1900] c:\program files\Common Files\Real\Update_OB\realsched.exe [1904] c:\windows\system32\dla\tfswctrl.exe [1064] c:\program files\Common Files\Dell\EUSW\Support.exe [1940] c:\program files\Norton SystemWorks\Password Manager\AcctMgr.exe [2012] c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe [2020] c:\program files\Common Files\Symantec Shared\ccApp.exe [2032] c:\windows\system32\WDBtnMgr.exe [2052] c:\program files\Bonjour\mDNSResponder.exe [2144] c:\program files\Apoint\Apntex.exe [2204] c:\program files\iTunes\iTunesHelper.exe [2212] c:\program files\Java\jre6\bin\jusched.exe [2260] c:\program files\Messenger\msmsgs.exe [2276] c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2292] c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe [2300] c:\program files\Dell\Bluetooth Software\bin\btwdins.exe [2316] c:\program files\Java\jre6\bin\jqs.exe [2420] c:\progra~1\NORTON~2\NORTON~2\NPROTECT.EXE [2484] c:\progra~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE [2524] c:\windows\System32\svchost.exe [2572] c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2592] c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2692] c:\windows\System32\wltrysvc.exe [2704] c:\program files\Dell\Bluetooth Software\BTTray.exe [2708] c:\program files\WinZip\WZQKPICK.EXE [2792] c:\windows\System32\bcmwltry.exe [2804] c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2824] c:\program files\Sierra Imaging\Image Expert\IXApplet.exe [2860] c:\program files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe [2896] c:\windows\system32\wbem\wmiprvse.exe [3688] c:\windows\system32\wbem\wmiprvse.exe [3764] c:\program files\iPod\bin\iPodService.exe [3752] c:\windows\System32\wbem\wmiapsrv.exe [3940] c:\windows\system32\wuauclt.exe [1660] c:\windows\System32\alg.exe [880] c:\windows\explorer.exe [532] c:\combo-fix\catchme.cfxxe [428] . ************************************************************************** . Completion time: 2009-09-10 18:30 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-10 22:30 Pre-Run: 12,736,557,056 bytes free Post-Run: 16,255,135,744 bytes free 484 --- E O F --- 2009-09-04 19:41

Sorry. Yes, I am still here. And an apology for my earlier anxious post. I didn't mean to offend. The infected computer is off the network by my choice. I am concerned at keeping it online with a connection to the internet. I guess I'll just have to take a chance and and try to go online based on your response to my previous query about a flash drive. (relatedly, as an aside, is there a way to scan a wireless router, modem, etc for infections?) What has been done so far: Based on your original reply: I ran MBAM (v 1.40) several times which removed some stuff but left the trojan.agent uacinit.dll problem. i will post the last log (and previous ones if you like). I ran hijackthis and have a log to post. I ran Combofix but since I did not have a recovery console installed, it said it might not attempt to fix some serious problems. I have the log for that. Combofix seemed to reenable my antivirus program so I ran that and it found and removed Packed.Generic.200 and Trojan.metajuan problems. I ran hijackthis again and have a log. Next Steps: I would like to install a recovery console and rerun combofix but I have an old windows installation disk that is not compatable with service pack 2. I need to find a newer windows install disk. I will download and run MBAM 1.41 as you request. Many thanks for your help and patience.

Sorry to start a new topic. My original post is topic 23974 in this forum. I want to post HJT and ComboFix logs in response to advancedsetup, but i have a question before i can do so. The question is in my earlier post(s), but I haven't gotten an answer back in the past day or so. Can I transfer the logs from the infected computer, which is off network, to a flash drive and then move that flash drive to a clean computer to upload to this forum? Does this risk infecting the clean computer? Is there a way around this dilemma? If someone can answer this for me, I can post the requested logs. THANKS

Is this thread still active, or do i need to start a new one? not sure what to do next. thanks.