virus help please

[dmueller375]

Hi, we use Comcast as our ISP, they provide Norton as av protection. Somehow on our family computer a virus made it through the Norton protection, and opened a backdoor trojan and other problems, including redirecting google searches and blocking access to windows update. I tried using Nortons customer service, and let's just say I was very unsatisfied. I came accros your website, and after reading some similar forums downloaded and ran combofix. I'm not sure where to go from here, please help. Thank you.

ComboFix 10-05-15.03 - Karen 05/16/2010 7:51.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2134 [GMT -5:00]

Running from: c:\documents and settings\Karen\Desktop\ComboFix.exe

AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Dave\g2mdlhlpx.exe

c:\documents and settings\Dave\GoToAssistDownloadHelper.exe

c:\documents and settings\HelpAssistant\g2mdlhlpx.exe

c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe

c:\documents and settings\HelpAssistant\oashdihasidhasuidhiasdhiashdiuasdhasd

c:\documents and settings\Kate\Application Data\FunWebProducts

c:\documents and settings\Kate\Application Data\FunWebProducts\Data\Kate\avatar.dat

c:\documents and settings\Kate\Application Data\FunWebProducts\Data\Kate\register.dat

c:\documents and settings\Kate\oashdihasidhasuidhiasdhiashdiuasdhasd

c:\program files\INSTALL.LOG

c:\program files\Internet Explorer\SET3B4.tmp

c:\program files\seekmo

c:\program files\seekmo\seekmo_gdf.dat

c:\program files\seekmo\seekmo_hpk.dat

c:\program files\seekmo\seekmo_kyf.dat

c:\program files\seekmo\seekmoau.dat

c:\windows\system32\comrepl.exe

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected

Restored copy from - Kitty had a snack

.

((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))

.

2010-05-16 12:51 . 2010-05-16 12:51 -------- d-----w- c:\documents and settings\Karen\Local Settings\Application Data\Symantec

2010-05-15 13:45 . 2010-05-15 13:45 -------- d-sh--w- c:\documents and settings\Administrator.FAMILY\PrivacIE

2010-05-15 04:55 . 2010-05-15 04:55 -------- d-----w- c:\documents and settings\Administrator.FAMILY\Local Settings\Application Data\Symantec

2010-05-13 17:55 . 2010-05-13 17:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-05-12 20:27 . 2010-05-13 17:55 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-12 20:27 . 2010-05-12 20:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-05-11 23:35 . 2010-05-11 23:35 -------- d-----w- c:\documents and settings\Kate\Local Settings\Application Data\ukoahkbnu

2010-05-11 23:35 . 2010-05-11 23:35 -------- d-----w- c:\documents and settings\Kate\Local Settings\Application Data\olyxhvdag

2010-05-11 23:26 . 2010-05-11 23:26 -------- d-sh--w- c:\documents and settings\Administrator.FAMILY\IETldCache

2010-05-06 02:30 . 2010-05-06 02:30 -------- d-----w- c:\documents and settings\HelpAssistant\Freeze Tag

2010-05-04 23:38 . 2010-05-04 23:38 -------- d---a-w- c:\program files\Norton Support

2010-05-04 23:37 . 2010-05-04 23:37 -------- d-----w- c:\documents and settings\Kate\Local Settings\Application Data\Symantec

2010-05-04 23:37 . 2010-05-04 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS

2010-05-04 23:37 . 2010-05-11 19:55 -------- d-----w- c:\documents and settings\HelpAssistant\UserData

2010-05-04 23:13 . 2010-05-16 13:04 -------- d-----w- c:\documents and settings\HelpAssistant

2010-04-29 21:21 . 2010-04-29 21:21 -------- d-----w- c:\program files\iPod

2010-04-29 21:12 . 2010-04-29 21:12 -------- d-----w- c:\program files\Bonjour

2010-04-29 21:10 . 2010-04-29 21:10 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-04-29 15:46 . 2010-04-29 15:47 -------- d-----w- c:\program files\Masquerade Mysteries - The Case of the Copycat Curator

2010-04-16 17:29 . 2010-04-16 17:29 503808 ----a-w- c:\documents and settings\Celia\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-68e4d6ea-n\msvcp71.dll

2010-04-16 17:29 . 2010-04-16 17:29 61440 ----a-w- c:\documents and settings\Celia\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a35dce6-n\decora-sse.dll

2010-04-16 17:29 . 2010-04-16 17:29 499712 ----a-w- c:\documents and settings\Celia\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-68e4d6ea-n\jmc.dll

2010-04-16 17:29 . 2010-04-16 17:29 348160 ----a-w- c:\documents and settings\Celia\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-68e4d6ea-n\msvcr71.dll

2010-04-16 17:29 . 2010-04-16 17:29 12800 ----a-w- c:\documents and settings\Celia\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a35dce6-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-16 12:20 . 2007-01-17 18:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-13 14:21 . 2004-05-05 13:50 -------- d-----w- c:\program files\Symantec

2010-04-30 04:23 . 2010-04-09 20:08 -------- d-----w- c:\program files\iTunes

2010-04-29 21:27 . 2010-04-07 02:22 -------- d-----w- c:\documents and settings\Kate\Application Data\Azureus

2010-04-29 21:21 . 2007-12-27 17:48 -------- d-----w- c:\program files\Common Files\Apple

2010-04-29 21:14 . 2007-04-15 21:03 -------- d-----w- c:\documents and settings\Kate\Application Data\Apple Computer

2010-04-12 03:09 . 2004-05-08 14:38 85584 -c--a-w- c:\documents and settings\Celia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-10 18:48 . 2010-04-10 18:48 -------- d-----w- c:\documents and settings\Karen\Application Data\Apple Computer

2010-04-09 20:09 . 2010-04-09 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-07 02:42 . 2010-04-07 02:41 -------- d-----w- c:\program files\QuickTime

2010-04-07 02:31 . 2010-04-07 02:31 4141117 ----a-w- c:\documents and settings\Kate\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe

2010-04-07 02:31 . 2010-04-07 02:30 7282688 ----a-w- c:\documents and settings\Kate\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe

2010-04-07 02:22 . 2010-04-07 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus

2010-04-07 02:21 . 2010-04-07 02:21 -------- d-----w- c:\program files\Vuze

2010-04-04 13:44 . 2010-04-04 13:44 61440 ----a-w- c:\documents and settings\Kate\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2bb0ba81-n\decora-sse.dll

2010-04-04 13:44 . 2010-04-04 13:44 503808 ----a-w- c:\documents and settings\Kate\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a6fb00a-n\msvcp71.dll

2010-04-04 13:44 . 2010-04-04 13:44 499712 ----a-w- c:\documents and settings\Kate\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a6fb00a-n\jmc.dll

2010-04-04 13:44 . 2010-04-04 13:44 348160 ----a-w- c:\documents and settings\Kate\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a6fb00a-n\msvcr71.dll

2010-04-04 13:44 . 2010-04-04 13:44 12800 ----a-w- c:\documents and settings\Kate\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2bb0ba81-n\decora-d3d.dll

2010-04-03 23:38 . 2004-07-14 18:55 -------- d-----w- c:\program files\Common Files\Java

2010-04-03 23:32 . 2010-04-03 23:32 503808 ----a-w- c:\documents and settings\Dave\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6debc0d6-n\msvcp71.dll

2010-04-03 23:32 . 2010-04-03 23:32 499712 ----a-w- c:\documents and settings\Dave\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6debc0d6-n\jmc.dll

2010-04-03 23:32 . 2010-04-03 23:32 348160 ----a-w- c:\documents and settings\Dave\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6debc0d6-n\msvcr71.dll

2010-04-03 23:32 . 2010-04-03 23:32 12800 ----a-w- c:\documents and settings\Dave\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14fe8ed0-n\decora-d3d.dll

2010-04-03 23:32 . 2010-04-03 23:32 61440 ----a-w- c:\documents and settings\Dave\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14fe8ed0-n\decora-sse.dll

2010-04-03 23:32 . 2004-05-05 13:28 -------- d-----w- c:\program files\Java

2010-03-30 17:13 . 2010-03-30 17:12 -------- d-----w- c:\program files\Zuma Deluxe

2010-03-30 16:09 . 2010-03-30 16:09 -------- d-----w- c:\documents and settings\Kate\Application Data\QB9

2010-03-30 16:09 . 2010-03-30 16:07 -------- d-----w- c:\program files\Doors of the Mind - Inner Mysteries

2010-03-30 15:55 . 2010-03-30 15:55 -------- d-----w- c:\documents and settings\Kate\Application Data\Merscom

2010-03-30 15:55 . 2009-11-11 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom

2010-03-30 15:54 . 2010-03-30 15:53 -------- d-----w- c:\program files\Alice in Wonderland

2010-03-30 15:51 . 2008-09-16 20:02 -------- d-----w- c:\program files\bfgclient

2010-03-30 15:51 . 2010-03-30 15:50 3085800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe

2010-03-26 19:46 . 2010-02-02 23:26 -------- d-----w- c:\program files\Safari

2010-03-26 19:03 . 2010-03-26 19:03 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe

2010-03-16 00:36 . 2004-05-08 04:17 85584 -c--a-w- c:\documents and settings\Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-14 19:44 . 2004-05-08 14:23 85584 -c--a-w- c:\documents and settings\Kate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-12 19:58 . 2010-03-12 19:58 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-03-12 19:58 . 2010-03-12 19:58 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-03-12 19:58 . 2010-03-13 21:53 217136 ----a-w- c:\windows\system32\drivers\symtdi.sys

2010-03-12 19:58 . 2010-03-13 21:53 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

2010-03-12 19:58 . 2010-03-13 21:53 310320 ----a-w- c:\windows\system32\drivers\SymEFA.sys

2010-03-12 19:58 . 2010-03-13 21:53 308272 ----a-w- c:\windows\system32\drivers\srtsp.sys

2010-03-12 19:58 . 2010-03-12 19:58 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-03-12 19:58 . 2010-03-13 21:53 482432 ----a-w- c:\windows\system32\drivers\cchpx86.sys

2010-03-12 19:58 . 2010-03-13 21:53 259632 ----a-w- c:\windows\system32\drivers\BHDrvx86.sys

2010-03-12 19:58 . 2008-01-29 17:01 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-03-12 19:58 . 2008-01-29 17:02 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-09 09:28 . 2008-12-04 18:46 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-01 01:51 . 2009-09-24 19:23 65028 ---ha-w- c:\windows\system32\mlfcache.dat

2010-02-25 06:24 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2002-08-29 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-17 14:10 . 1980-01-01 05:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 1980-01-01 05:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2008-09-29 19:18 . 2006-11-08 23:30 328 ----a-w- c:\program files\LRHA.QBW.ND

2008-09-29 19:18 . 2006-11-08 23:30 196608 ----a-r- c:\program files\LRHA.QBW.TLG

2008-09-29 19:18 . 2006-11-08 23:29 16916480 ----a-r- c:\program files\LRHA.QBW

2001-09-28 23:00 . 2007-06-14 22:08 164864 ----a-w- c:\program files\UNWISE.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2007-4-23 7168]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-5-5 24576]

Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2007-3-18 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2007-10-10 00:57 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

2007-03-16 12:51 715888 ----a-w- c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]

2006-05-24 00:53 208941 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=

"c:\\WINDOWS\\system32"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

"5878:TCP"= 5878:TCP:Services

"5879:TCP"= 5879:TCP:Services

"3389:TCP"= 3389:TCP:Remote Desktop

"5421:TCP"= 5421:TCP:Services

"9342:TCP"= 9342:TCP:Services

"9993:TCP"= 9993:TCP:Services

"9994:TCP"= 9994:TCP:Services

"9665:TCP"= 9665:TCP:Services

"9666:TCP"= 9666:TCP:Services

R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [3/13/2010 4:51 PM 117640]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 2:06 PM 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/13/2010 4:54 PM 102448]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS --> c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [?]

S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\N360\0308000.029\BHDrvx86.sys --> c:\windows\system32\Drivers\N360\0308000.029\BHDrvx86.sys [?]

S1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\N360\0308000.029\ccHPx86.sys --> c:\windows\system32\Drivers\N360\0308000.029\ccHPx86.sys [?]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSXpx86.sys [5/9/2010 11:55 AM 329592]

S3 cdiskdun;cdiskdun;\??\c:\docume~1\Celia\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\Celia\LOCALS~1\Temp\cdiskdun.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

.

Contents of the 'Scheduled Tasks' folder

2010-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-15 c:\windows\Tasks\User_Feed_Synchronization-{C44E6475-8385-4B3B-9338-BB2EDA7DD622}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar =

uInternet Settings,ProxyOverride = localhost;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

SafeBoot-mcmscsvc

SafeBoot-MCODS

MSConfigStartUp-MMTray - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-16 08:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A7EDA28]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28

\Driver\ACPI -> ACPI.sys @ 0xf75aecb8

\Driver\atapi -> 0x8a7eda28

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615

ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615

ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac

NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0x8a4bc5c0

PacketIndicateHandler -> NDIS.sys @ 0xf7426a0d

SendHandler -> NDIS.sys @ 0xf743ab40

Warning: possible MBR rootkit infection !

copy of MBR has been found in sector 0x0DF83CBD

malicious code @ sector 0x0DF83CC0 !

PE file found in sector at 0x0DF83CD6 !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]

"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

.

Completion time: 2010-05-16 08:09:07

ComboFix-quarantined-files.txt 2010-05-16 13:09

Pre-Run: 36,760,702,976 bytes free

Post-Run: 37,337,214,976 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 37B3F77705CFFF6EDF845E10286AF929

[Elise]

Hello ,

And My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

• The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  
• Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  
• The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  
• Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
  

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Please download OTL from one of the following mirrors:
  • This is THE Mirror
    

  [*]Save it to your desktop.

  [*]Double click on the icon on your desktop.

  [*]Click the "Scan All Users" checkbox.

  [*]Push the button.

  [*]Two reports will open, copy and paste them in a reply here:

  • OTListIt.txt <-- Will be opened
    
  • Extra.txt <-- Will be minimized
    

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and re-enable all active protection when done.
  

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

• A detailed description of your problems
  
• A new OTL log (don't forget extra.txt)
  
• GMER log
  

[dmueller375]

Hi Elise,

My daughter was on a song lyric site when a fake av notice popped up, she clicked no on the "scan" but it ran anyway, she exited out but apparently it ran long enough to infect our pc. I was out of town so the computer ran several days infected. She was unable to go online from her section, for others google searches were redirected and ms update was unaccessable. We use Norton Security Suite for AV protection, I ran several scans a the following viruses were detected and "fixed": Boot.mebroot, W32.Unruy.A, Trojan.FakeAv, and Backdoor.trojan. Our firewall was blocking backdoor.tide2 from accessing the pc. I ran ComboFix, which helped but I realized I do not have the expertise to complete this task.

I'm sending this from a clean pc, I've run OTL on the infected PC, GMER is running now and once it's done I'll send those logs.

Thanks for your help,

Dave

[Elise]

Hi Dave, thanks for letting me know. Take your time to get the logs

To prevent infecting your clean computer if you need to transfer logs, please use flash disinfector.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  
• The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  
• Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  
• Wait until it has finished scanning and then exit the program.
  
• Reboot your computer when done.
  

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

[dmueller375]

OTL logfile created on: 5/17/2010 9:04:17 AM - Run 2

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Karen\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free

3.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 111.72 Gb Total Space | 34.45 Gb Free Space | 30.84% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: FAMILY

Current User Name: Karen

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/17 08:39:58 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Karen\Desktop\OTL.exe

PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010/03/12 14:58:07 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

PRC - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/08/27 12:12:28 | 001,082,664 | ---- | M] (SingleClick Systems) -- C:\Program Files\Dell Network Assistant\ezi_hnm2.exe

PRC - [2007/08/27 10:36:34 | 000,111,912 | ---- | M] (SingleClick Systems) -- C:\Program Files\Dell Network Assistant\hnm_svc.exe

PRC - [2007/03/15 11:09:36 | 000,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe

PRC - [2007/01/04 16:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe

PRC - [2004/04/30 13:08:26 | 002,393,088 | ---- | M] (Cisco Linksys Corporation) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe

PRC - [2004/02/06 22:56:14 | 000,041,025 | ---- | M] (GEMTEKS) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

PRC - [2003/10/29 02:06:00 | 000,024,576 | R--- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe

PRC - [2003/06/18 09:54:10 | 000,294,972 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe

PRC - [2003/02/04 08:22:30 | 000,181,312 | ---- | M] () -- C:\WINDOWS\SYSTEM32\ScsiAccess.EXE

PRC - [2002/10/16 20:20:20 | 000,073,728 | ---- | M] () -- C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

========== Modules (SafeList) ==========

MOD - [2010/05/17 08:39:58 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Karen\Desktop\OTL.exe

MOD - [2010/03/12 14:57:54 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\3.8.0.41\asOEHook.dll

MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msscript.ocx

MOD - [2002/08/29 05:00:00 | 000,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\SERWVDRV.DLL

MOD - [2002/08/29 05:00:00 | 000,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\UMDMXFRM.DLL

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- -- (WUSB54Gv2SVC)

SRV - File not found [On_Demand | Stopped] -- -- (MSSQLServerADHelper)

SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2010/03/12 14:58:07 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe -- (N360)

SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)

SRV - [2008/03/18 16:52:32 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)

SRV - [2007/08/27 10:36:34 | 000,111,912 | ---- | M] (SingleClick Systems) [Auto | Running] -- C:\Program Files\Dell Network Assistant\hnm_svc.exe -- (hnmsvc)

SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)

SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)

SRV - [2006/11/09 18:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)

SRV - [2004/11/02 17:59:50 | 000,316,544 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe -- (SymWSC)

SRV - [2003/06/18 09:54:10 | 000,294,972 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe -- (KodakCCS)

SRV - [2003/03/03 13:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)

SRV - [2003/02/04 08:22:30 | 000,181,312 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\ScsiAccess.EXE -- (ScsiAccess)

========== Driver Services (SafeList) ==========

DRV - [2010/05/11 03:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100516.025\NAVEX15.SYS -- (NAVEX15)

DRV - [2010/05/11 03:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100516.025\NAVENG.SYS -- (NAVENG)

DRV - [2010/03/12 14:58:22 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS -- (SymEvent)

DRV - [2010/03/12 14:58:10 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SymEFA.sys -- (SymEFA)

DRV - [2010/03/12 14:58:10 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\srtsp.sys -- (SRTSP)

DRV - [2010/03/12 14:58:10 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys -- (SYMTDI)

DRV - [2010/03/12 14:58:10 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMFW.SYS -- (SYMFW)

DRV - [2010/03/12 14:58:10 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\srtspx.sys -- (SRTSPX) Symantec Real Time Storage Protection (PEL)

DRV - [2010/03/12 14:58:10 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys -- (SymIMMP)

DRV - [2010/03/12 14:58:10 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys -- (SymIM)

DRV - [2010/03/12 14:58:10 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMNDIS.SYS -- (SYMNDIS)

DRV - [2010/03/12 14:58:10 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMIDS.SYS -- (SYMIDS)

DRV - [2010/03/12 14:58:09 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BHDrvx86.sys -- (BHDrvx86)

DRV - [2010/03/12 12:44:26 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2010/03/12 12:44:26 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2009/10/28 17:37:22 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSXpx86.sys -- (IDSxpx86)

DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)

DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)

DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)

DRV - [2006/12/18 18:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\packet.sys -- (Packet)

DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Running] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)

DRV - [2006/08/11 21:42:42 | 003,958,496 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)

DRV - [2004/10/10 21:15:11 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)

DRV - [2004/08/04 00:29:49 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)

DRV - [2004/08/04 00:29:47 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)

DRV - [2004/08/04 00:29:45 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)

DRV - [2004/08/04 00:29:43 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)

DRV - [2004/08/04 00:29:42 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)

DRV - [2004/08/04 00:29:41 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)

DRV - [2004/08/04 00:29:37 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)

DRV - [2004/08/04 00:29:37 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)

DRV - [2004/08/04 00:29:37 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)

DRV - [2004/08/04 00:29:36 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)

DRV - [2004/04/23 22:43:00 | 000,374,752 | ---- | M] (Cisco-Linksys, LLC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WUSBGXP.sys -- (PRISM_A02)

DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)

DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)

DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)

DRV - [2003/09/25 22:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\GTNDIS5.sys -- (GTNDIS5)

DRV - [2003/08/06 01:04:00 | 000,100,373 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -- (tfsnudfa)

DRV - [2003/08/06 01:04:00 | 000,098,068 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -- (tfsnudf)

DRV - [2003/08/06 01:04:00 | 000,083,284 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -- (tfsnifs)

DRV - [2003/08/06 01:04:00 | 000,034,837 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -- (tfsncofs)

DRV - [2003/08/06 01:04:00 | 000,025,685 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -- (tfsnboio)

DRV - [2003/08/06 01:04:00 | 000,014,229 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -- (tfsnopio)

DRV - [2003/08/06 01:04:00 | 000,006,357 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -- (tfsnpool)

DRV - [2003/08/06 01:04:00 | 000,004,117 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -- (tfsndrct)

DRV - [2003/08/06 01:04:00 | 000,002,233 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -- (tfsndres)

DRV - [2003/07/31 03:21:00 | 000,084,576 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)

DRV - [2003/07/14 11:28:40 | 000,005,621 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -- (sscdbhk5)

DRV - [2003/07/14 11:28:22 | 000,023,219 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -- (ssrtln)

DRV - [2003/06/20 02:56:00 | 000,040,448 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -- (drvnddm)

DRV - [2003/06/18 09:53:08 | 000,138,485 | ---- | M] (Eastman Kodak Company) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ExportIt.sys -- (Exportit)

DRV - [2003/06/18 09:53:08 | 000,063,002 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\DcPtp.sys -- (DcPTP)

DRV - [2003/06/18 09:53:08 | 000,061,568 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\DcFpoint.sys -- (DcFpoint)

DRV - [2003/06/18 09:53:08 | 000,038,997 | ---- | M] (Eastman Kodak Company) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DCFS2k.sys -- (DCFS2K)

DRV - [2003/06/18 09:53:08 | 000,036,826 | ---- | M] (Eastman Kodak Company) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DcCam.sys -- (DcCam)

DRV - [2003/06/18 09:53:08 | 000,008,058 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\DcLps.sys -- (DcLps)

DRV - [2002/11/08 13:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)

DRV - [2002/10/15 22:41:06 | 000,102,220 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\sonypvs1.sys -- (sonypvs1)

DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)

DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)

DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)

DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)

DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)

DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)

DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)

DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)

DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)

DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)

DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)

DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)

DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)

DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)

DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)

DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)

DRV - [2001/08/17 12:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)

DRV - [2000/03/29 17:11:20 | 000,008,096 | ---- | M] (MicroStaff Co.,Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MASPINT.SYS -- (MASPINT)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.local

FF - HKLM\software\mozilla\Firefox\extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/04/27 11:51:35 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2002/08/29 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\IPSBHO.dll (Symantec Corporation)

O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)

O3 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.

O3 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)

O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk = C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab (MSN Games

[Elise]

Please rerun OTL, make sure under "Extra Registry" Use Safelist is ticked and rerun the scan. This will create extra.txt; post this as well.

[dmueller375]

OTL runs ok with the extra text. Once the GMER scan is complete I can't save GMER results due to low system resources. I am away from the infected pc until Friday.

[Elise]

Hello, thanks for letting me know, please take your time

Please post me extra.txt and try to run GMER with only the Sections option checked. If that doesn't work as well, just let me know, I've a pretty good idea what has infected your computer, but I'd like GMER to confirm that.

[dmueller375]

OTL Extras logfile created on: 5/18/2010 6:11:36 AM - Run 4

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Karen\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 89.00% Memory free

3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 111.72 Gb Total Space | 36.20 Gb Free Space | 32.40% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: FAMILY

Current User Name: Karen

Logged in as Administrator.

Current Boot Mode: SafeMode

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"65533:TCP" = 65533:TCP:*:Enabled:Services

"52344:TCP" = 52344:TCP:*:Enabled:Services

"5878:TCP" = 5878:TCP:*:Enabled:Services

"5879:TCP" = 5879:TCP:*:Enabled:Services

"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

"5421:TCP" = 5421:TCP:*:Enabled:Services

"9342:TCP" = 9342:TCP:*:Enabled:Services

"9993:TCP" = 9993:TCP:*:Enabled:Services

"9994:TCP" = 9994:TCP:*:Enabled:Services

"9665:TCP" = 9665:TCP:*:Enabled:Services

"9666:TCP" = 9666:TCP:*:Enabled:Services

"3881:TCP" = 3881:TCP:*:Enabled:Services

"6262:TCP" = 6262:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"10421:UDP" = 10421:UDP:*:Enabled:SingleClick Discovery Protocol

"10426:UDP" = 10426:UDP:*:Enabled:SingleClick ICC

"65533:TCP" = 65533:TCP:*:Enabled:Services

"52344:TCP" = 52344:TCP:*:Enabled:Services

"5878:TCP" = 5878:TCP:*:Enabled:Services

"5879:TCP" = 5879:TCP:*:Enabled:Services

"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

"5421:TCP" = 5421:TCP:*:Enabled:Services

"9342:TCP" = 9342:TCP:*:Enabled:Services

"9993:TCP" = 9993:TCP:*:Enabled:Services

"9994:TCP" = 9994:TCP:*:Enabled:Services

"9665:TCP" = 9665:TCP:*:Enabled:Services

"9666:TCP" = 9666:TCP:*:Enabled:Services

"3881:TCP" = 3881:TCP:*:Enabled:Services

"6262:TCP" = 6262:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\WINDOWS\SYSTEM32\mmc.exe" = C:\WINDOWS\SYSTEM32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)

"C:\WINDOWS\system32" = C:\WINDOWS\system32:*:Enabled:lockx -- [2010/05/18 03:06:17 | 000,000,000 | ---D | M]

"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)

"C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager -- (iAnywhere Solutions, Inc.)

"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)

"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)

"C:\Program Files\Dell Network Assistant\ezi_hnm2.exe" = C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:*:Enabled:Dell Network Assistant -- (SingleClick Systems)

"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)

"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)

"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus / Vuze -- (Vuze Inc.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier

"{015E4B8A-29B5-4AE3-BD08-38220FADFF4C}" = aspi

"{0240BDFB-2995-4A3F-8C96-18D41282B716}" = Dell Network Assistant

"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager

"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA

"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD

"{1526D87C-A955-4FAB-BF18-697BA457E352}" = Norton WMI Update

"{1B4AA674-F5CA-4BB5-831A-CD37B4021959}" = ImageMixer for Sony

"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 19

"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com

"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime

"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005

"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9

"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10

"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11

"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java SE Runtime Environment 6 Update 1

"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java 6 Update 2

"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java 6 Update 3

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page

"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting

"{40C03514-89C3-41BA-0090-3B440256DB87}" = The Sims 2

"{410438A3-B591-4028-B70A-3CC0B33FBCD1}" =

"{432C3720-37BF-4BD7-8E49-F38E090246D0}" = CR2

"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer

"{469730CC-78DF-4CD3-B286-562D459EA619}" = ESSCAM

"{4817189D-1785-4627-A33C-39FD90919300}" = The Sims 2 Pets

"{48C82F7A-F100-4DAB-A310-8E18BF2159E1}" = ESSvpot

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement

"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows

"{51F96AEC-D902-4434-A0DC-B9692A21AE7C}" = MobileMe Control Panel

"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support

"{55584E16-4D70-44EE-93DD-F144E8B7D4B7}" = QuickBooks Product Listing Service

"{564A8DD3-70BC-4018-A5C3-7CEB10BBB6E9}" = Image Transfer

"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3

"{58D92B58-1BE9-4DE4-AE88-ACB205D75B63}" = PDFlib 4.0.1

"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service

"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver

"{5E835305-63BB-4E55-BBB7-EEBBE67774DB}" = Sonic MyDVD

"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes

"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0

"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide

"{68E1BAC6-F79F-43C4-AF03-A89F53F748D3}" = Microsoft XML Parser

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{69BD6399-3D8F-45B7-81D9-819361F5101D}" = PCDLNCH

"{6BDD9CE6-D0A6-478A-BAD3-BA6945E89EB0}" = The Sims 2 Family Fun Stuff

"{7148F0A8-6813-11D6-A77B-00B0D0142040}" = Java 2 Runtime Environment, SE v1.4.2_04

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}" = The Sims 2 Open For Business

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{7BF68B83-5057-4D4B-0093-28285EEB9EE3}" = Harry Potter II

"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English

"{7E545666-F422-45FD-B3DF-C0B99A1A579F}" = QuickBooks Pro 2007

"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport

"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper

"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11318463}" = Secrets of Great Art

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113606753}" = Monopoly

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115056617}" = Eye for Design

"{84DDE556-43EF-43ed-B2DF-37AF9E5DDD75}" = The Sims

[Elise]

Hi, well done

Now lets start straighten things out here. Your Combofix log shows you had a rootkit that was fixed, however OTL shows signs of another rootkit. This can be fixed, but please be aware of the following.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.

Close out all other open programs and windows.

Double click the file to run it and follow any prompts.

If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.

Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !

When it completes, a log will open.

Please post the contents of that log.

*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.

Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.

Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !

When it completes, a log will open.

Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

[dmueller375]

C:\Documents and Settings\Karen\Desktop\HelpAsst_mebroot_fix.exe

Sat 05/22/2010 at 6:32:47.25

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes

Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove

termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key

closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

"65533:TCP"=-

"52344:TCP"=-

"5878:TCP"=-

"5879:TCP"=-

"3389:TCP"=-

"5421:TCP"=-

"9342:TCP"=-

"9993:TCP"=-

"9994:TCP"=-

"9665:TCP"=-

"9666:TCP"=-

"3881:TCP"=-

"6262:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key

closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

"65533:TCP"=-

"52344:TCP"=-

"5878:TCP"=-

"5879:TCP"=-

"3389:TCP"=-

"5421:TCP"=-

"9342:TCP"=-

"9993:TCP"=-

"9994:TCP"=-

"9665:TCP"=-

"9666:TCP"=-

"3881:TCP"=-

"6262:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-2056517334-3818234146-3613033903-1008

HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove

~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

mbr infection detected! ~ running mbr -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\atapi -> 0x8a8126a8

NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0x8a4975c0

Warning: possible MBR rootkit infection !

copy of MBR has been found in sector 0x0DF83CBD

malicious code @ sector 0x0DF83CC0 !

PE file found in sector at 0x0DF83CD6 !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

original MBR restored successfully !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\atapi -> 0x8a8126a8

NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0x8a4975c0

Warning: possible MBR rootkit infection !

user & kernel MBR OK

copy of MBR has been found in sector 0x0DF83CBD

malicious code @ sector 0x0DF83CC0 !

PE file found in sector at 0x0DF83CD6 !

Use "Recovery Console" command "fixmbr" to clear infection !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/22/2010 at 7:25:45.60

Account active No

Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS

kernel: MBR read successfully

user & kernel MBR OK

copy of MBR has been found in sector 0x0DF83CBD

malicious code @ sector 0x0DF83CC0 !

PE file found in sector at 0x0DF83CD6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters

ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~

[Elise]

That is looking good

Now lets rerun Combofix. Be sure to delete any old copy you might still have and download a new one.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on Combofix.exe and follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[dmueller375]

ComboFix 10-05-21.06 - Karen 05/22/2010 9:39.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2082 [GMT -5:00]

Running from: c:\documents and settings\Karen\Desktop\ComboFix.exe

AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))

.

2010-05-22 11:32 . 2010-05-22 11:32 -------- d-----w- C:\HelpAsst_backup

2010-05-16 12:51 . 2010-05-16 12:51 -------- d-----w- c:\documents and settings\Karen\Local Settings\Application Data\Symantec

2010-05-15 13:45 . 2010-05-15 13:45 -------- d-sh--w- c:\documents and settings\Administrator.FAMILY\PrivacIE

2010-05-15 04:55 . 2010-05-15 04:55 -------- d-----w- c:\documents and settings\Administrator.FAMILY\Local Settings\Application Data\Symantec

2010-05-13 17:55 . 2010-05-13 17:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-05-12 20:27 . 2010-05-13 17:55 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-12 20:27 . 2010-05-12 20:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-05-11 23:35 . 2010-05-11 23:35 -------- d-----w- c:\documents and settings\Kate\Local Settings\Application Data\ukoahkbnu

2010-05-11 23:35 . 2010-05-11 23:35 -------- d-----w- c:\documents and settings\Kate\Local Settings\Application Data\olyxhvdag

2010-05-11 23:26 . 2010-05-11 23:26 -------- d-sh--w- c:\documents and settings\Administrator.FAMILY\IETldCache

2010-05-04 23:38 . 2010-05-04 23:38 -------- d---a-w- c:\program files\Norton Support

2010-05-04 23:37 . 2010-05-04 23:37 -------- d-----w- c:\documents and settings\Kate\Local Settings\Application Data\Symantec

2010-04-29 21:21 . 2010-04-29 21:21 -------- d-----w- c:\program files\iPod

2010-04-29 21:12 . 2010-04-29 21:12 -------- d-----w- c:\program files\Bonjour

2010-04-29 21:10 . 2010-04-29 21:10 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-04-29 15:46 . 2010-04-29 15:47 -------- d-----w- c:\program files\Masquerade Mysteries - The Case of the Copycat Curator

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-22 14:21 . 2007-01-17 18:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-13 14:21 . 2004-05-05 13:50 -------- d-----w- c:\program files\Symantec

2010-04-30 04:23 . 2010-04-09 20:08 -------- d-----w- c:\program files\iTunes

2010-04-29 21:27 . 2010-04-07 02:22 -------- d-----w- c:\documents and settings\Kate\Application Data\Azureus

2010-04-29 21:21 . 2007-12-27 17:48 -------- d-----w- c:\program files\Common Files\Apple

2010-04-29 21:14 . 2007-04-15 21:03 -------- d-----w- c:\documents and settings\Kate\Application Data\Apple Computer

2010-04-10 18:48 . 2010-04-10 18:48 -------- d-----w- c:\documents and settings\Karen\Application Data\Apple Computer

2010-04-09 20:09 . 2010-04-09 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-07 02:42 . 2010-04-07 02:41 -------- d-----w- c:\program files\QuickTime

2010-04-07 02:31 . 2010-04-07 02:31 4141117 ----a-w- c:\documents and settings\Kate\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe

2010-04-07 02:31 . 2010-04-07 02:30 7282688 ----a-w- c:\documents and settings\Kate\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe

2010-04-07 02:22 . 2010-04-07 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus

2010-04-07 02:21 . 2010-04-07 02:21 -------- d-----w- c:\program files\Vuze

2010-04-04 13:44 . 2010-04-04 13:44 61440 ----a-w- c:\documents and settings\Kate\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2bb0ba81-n\decora-sse.dll

2010-04-04 13:44 . 2010-04-04 13:44 503808 ----a-w- c:\documents and settings\Kate\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a6fb00a-n\msvcp71.dll

2010-04-04 13:44 . 2010-04-04 13:44 499712 ----a-w- c:\documents and settings\Kate\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a6fb00a-n\jmc.dll

2010-04-04 13:44 . 2010-04-04 13:44 348160 ----a-w- c:\documents and settings\Kate\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a6fb00a-n\msvcr71.dll

2010-04-04 13:44 . 2010-04-04 13:44 12800 ----a-w- c:\documents and settings\Kate\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2bb0ba81-n\decora-d3d.dll

2010-04-03 23:38 . 2004-07-14 18:55 -------- d-----w- c:\program files\Common Files\Java

2010-04-03 23:32 . 2010-04-03 23:32 503808 ----a-w- c:\documents and settings\Dave\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6debc0d6-n\msvcp71.dll

2010-04-03 23:32 . 2010-04-03 23:32 499712 ----a-w- c:\documents and settings\Dave\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6debc0d6-n\jmc.dll

2010-04-03 23:32 . 2010-04-03 23:32 348160 ----a-w- c:\documents and settings\Dave\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6debc0d6-n\msvcr71.dll

2010-04-03 23:32 . 2010-04-03 23:32 12800 ----a-w- c:\documents and settings\Dave\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14fe8ed0-n\decora-d3d.dll

2010-04-03 23:32 . 2010-04-03 23:32 61440 ----a-w- c:\documents and settings\Dave\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14fe8ed0-n\decora-sse.dll

2010-04-03 23:32 . 2004-05-05 13:28 -------- d-----w- c:\program files\Java

2010-03-30 17:13 . 2010-03-30 17:12 -------- d-----w- c:\program files\Zuma Deluxe

2010-03-30 16:09 . 2010-03-30 16:09 -------- d-----w- c:\documents and settings\Kate\Application Data\QB9

2010-03-30 16:09 . 2010-03-30 16:07 -------- d-----w- c:\program files\Doors of the Mind - Inner Mysteries

2010-03-30 15:55 . 2010-03-30 15:55 -------- d-----w- c:\documents and settings\Kate\Application Data\Merscom

2010-03-30 15:55 . 2009-11-11 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom

2010-03-30 15:54 . 2010-03-30 15:53 -------- d-----w- c:\program files\Alice in Wonderland

2010-03-30 15:51 . 2008-09-16 20:02 -------- d-----w- c:\program files\bfgclient

2010-03-30 15:51 . 2010-03-30 15:50 3085800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe

2010-03-26 19:46 . 2010-02-02 23:26 -------- d-----w- c:\program files\Safari

2010-03-26 19:03 . 2010-03-26 19:03 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe

2010-03-16 00:36 . 2004-05-08 04:17 85584 -c--a-w- c:\documents and settings\Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-14 19:44 . 2004-05-08 14:23 85584 -c--a-w- c:\documents and settings\Kate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-12 19:58 . 2010-03-12 19:58 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-03-12 19:58 . 2010-03-12 19:58 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-03-12 19:58 . 2010-03-13 21:53 217136 ----a-w- c:\windows\system32\drivers\symtdi.sys

2010-03-12 19:58 . 2010-03-13 21:53 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

2010-03-12 19:58 . 2010-03-13 21:53 310320 ----a-w- c:\windows\system32\drivers\SymEFA.sys

2010-03-12 19:58 . 2010-03-13 21:53 308272 ----a-w- c:\windows\system32\drivers\srtsp.sys

2010-03-12 19:58 . 2010-03-12 19:58 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-03-12 19:58 . 2010-03-13 21:53 482432 ----a-w- c:\windows\system32\drivers\cchpx86.sys

2010-03-12 19:58 . 2010-03-13 21:53 259632 ----a-w- c:\windows\system32\drivers\BHDrvx86.sys

2010-03-12 19:58 . 2008-01-29 17:01 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-03-12 19:58 . 2008-01-29 17:02 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-09 09:28 . 2008-12-04 18:46 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-01 01:51 . 2009-09-24 19:23 65028 ---ha-w- c:\windows\system32\mlfcache.dat

2010-02-25 06:24 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2002-08-29 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2008-09-29 19:18 . 2006-11-08 23:30 328 ----a-w- c:\program files\LRHA.QBW.ND

2008-09-29 19:18 . 2006-11-08 23:30 196608 ----a-r- c:\program files\LRHA.QBW.TLG

2008-09-29 19:18 . 2006-11-08 23:29 16916480 ----a-r- c:\program files\LRHA.QBW

2001-09-28 23:00 . 2007-06-14 22:08 164864 ----a-w- c:\program files\UNWISE.EXE

.

((((((((((((((((((((((((((((( SnapShot@2010-05-16_13.05.38 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-05-22 14:11 . 2010-05-22 14:11 16384 c:\windows\Temp\Perflib_Perfdata_768.dat

+ 2010-05-22 14:10 . 2010-05-22 14:10 16384 c:\windows\Temp\Perflib_Perfdata_70c.dat

+ 2004-05-05 13:44 . 2010-05-18 08:44 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2004-05-05 13:44 . 2010-05-18 08:44 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2004-05-05 13:44 . 2010-05-18 08:44 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2004-05-05 13:44 . 2010-05-18 08:44 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2004-05-05 13:44 . 2010-05-18 08:44 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2004-05-05 13:44 . 2010-05-18 08:44 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2004-06-07 19:19 . 2008-04-11 19:04 691712 c:\windows\SYSTEM32\inetcomm.dll

+ 2004-06-07 19:19 . 2010-01-29 15:01 691712 c:\windows\SYSTEM32\inetcomm.dll

+ 2008-08-12 18:28 . 2010-01-29 15:01 691712 c:\windows\SYSTEM32\DLLCACHE\inetcomm.dll

- 2008-08-12 18:28 . 2008-04-11 19:04 691712 c:\windows\SYSTEM32\DLLCACHE\inetcomm.dll

+ 2004-05-05 13:44 . 2010-05-18 08:44 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2004-05-05 13:44 . 2010-05-18 08:44 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2004-05-05 13:44 . 2010-05-18 08:44 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2004-05-05 13:44 . 2010-05-18 08:44 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2004-05-05 13:44 . 2010-05-18 08:44 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2004-05-05 13:44 . 2010-05-18 08:44 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

- 2004-05-05 13:44 . 2010-04-14 15:42 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

- 2009-08-12 01:36 . 2009-07-10 13:27 1315328 c:\windows\SYSTEM32\DLLCACHE\msoe.dll

+ 2009-08-12 01:36 . 2010-01-29 15:01 1315328 c:\windows\SYSTEM32\DLLCACHE\msoe.dll

+ 2009-10-16 23:07 . 2009-10-16 23:07 6115328 c:\windows\Installer\1534bb0.msp

+ 2010-04-21 22:46 . 2010-04-21 22:46 5522432 c:\windows\Installer\13193ca.msp

+ 2005-05-11 12:43 . 2010-04-30 18:51 32058312 c:\windows\SYSTEM32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2007-4-23 7168]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-5-5 24576]

Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2007-3-18 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2007-10-10 00:57 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

2007-03-16 12:51 715888 ----a-w- c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]

2006-05-24 00:53 208941 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=

"c:\\WINDOWS\\system32"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [3/13/2010 4:51 PM 117640]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 2:06 PM 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/13/2010 4:54 PM 102448]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS --> c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [?]

S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\N360\0308000.029\BHDrvx86.sys --> c:\windows\system32\Drivers\N360\0308000.029\BHDrvx86.sys [?]

S1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\N360\0308000.029\ccHPx86.sys --> c:\windows\system32\Drivers\N360\0308000.029\ccHPx86.sys [?]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100513.002\IDSXpx86.sys [5/21/2010 6:05 PM 329592]

S3 cdiskdun;cdiskdun;\??\c:\docume~1\Celia\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\Celia\LOCALS~1\Temp\cdiskdun.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-22 c:\windows\Tasks\User_Feed_Synchronization-{C44E6475-8385-4B3B-9338-BB2EDA7DD622}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar =

uInternet Settings,ProxyOverride = localhost;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-22 09:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]

"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1228)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-05-22 10:01:10

ComboFix-quarantined-files.txt 2010-05-22 15:01

ComboFix2.txt 2010-05-16 13:09

Pre-Run: 35,614,257,152 bytes free

Post-Run: 35,570,520,064 bytes free

- - End Of File - - CE3C2185B435433952DC874F140B2C78

[Elise]

Hello, thats looking fine now How are things running?

P2P WARNING

-------------------

Going over your logs I noticed that you have Vuze installed.

[*] Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

[*]They are a security risk which can make your computer susceptible to a sm

[dmueller375]

Thank you sooooo much Elise!!! I've been afraid to do much, but it seems fine. I uninstalled Vuze, not sure what that was used for, I'll ask my kids. Wow, the old versions of Java took up a lot of space, thanks for that tip. My Norton AV program seems to be messed up, I'll play with that later, I wanted to run Malwarebytes before I fully reinstated Norton.

Here is the log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4131

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/22/2010 9:15:14 PM

mbam-log-2010-05-22 (21-15-14).txt

Scan type: Full scan (C:\|)

Objects scanned: 501908

Time elapsed: 2 hour(s), 22 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 12

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{6c092742-10fe-4db2-988d-fc71948de70c} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{7fa8976f-d00c-4e98-8729-a66569233fb5} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{a16650a9-b065-40ec-bbd1-f8d370d17fb1} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{bdddf1a5-51a9-4f51-b38d-4cd0ad831b31} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{dd469a88-316c-441d-b712-783d9b9a6707} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e43dfaa6-8c16-4519-b022-8792408505a4} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{d28cd14c-50be-4cfa-951e-b37f25da3472} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Dave\Application Data\Move Networks\MoveMediaPlayer_07103010.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Application Data\Move Networks\MoveMediaPlayer_07103010.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001920.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

[dmueller375]

One other problem persists. When signed in under user name Kate, which is where the initial infection occured, a box pops up. One the top is Just in Time Debugging, then An exception 'Runtime Error' has occured. Possible debugger, and highlighted is: New instance of Microsoft Script Editor. A box is checked in front of the line, Set the currently selected debugger as the default, and then at the bottom, Do you want to debug using the selected debugger? and finally, a yes and a no button.

When I click no and proceed, I am unable to access the internet through explorer. I'm nervous about debugging this issue that arrived at the same time as the infection.

What shoud I do?

Dave

[dmueller375]

When I sign out of user name Kate I get the msg WUSB54Gv2.exe - application error. Click ok to terminate the program, which is what I do, or click on cancel to debug the program.

[Elise]

Hi, this file is related to your Wireless Network Monitor. Reinstalling your Linksys Wireless Network software will most likely correct this issue.

Let me know if you are able to do this.

[dmueller375]

Hi Elise, hope all is well with you,

I uninstalled and reinstalled Norton to make it work right.

Using the disk that came with Linksys I tried to reinstall, but it made me stop because I was already contected to the internet. I went to add/remove programs and removed the only linksys program, for the wireless adapter, which we don't use as this pc is cable conected to our router. I can ping and recieve pings back under user name Kate, but still cannont connect with explorer. It's not urgent as all other users connect just fine, but I would like to figure it out.

All other aspects of the pc work as good or better / faster than before. Thank you again!!

I will again be leaving later today and will not return to this computer until Friday.

Dave

[Elise]

Hi, can you please rerun an OTL scan, but now when you are logged in into the Kate account.

Make sure you check the All Users box and click Run Scan.

Post me the resulting log please.

[dmueller375]

OTL logfile created on: 5/24/2010 1:29:31 PM - Run 5

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Karen\My Documents

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 83.00% Memory free

3.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 111.72 Gb Total Space | 33.06 Gb Free Space | 29.59% Space Free | Partition Type: NTFS

Drive D: | 124.03 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: FAMILY

Current User Name: Kate

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/17 08:39:58 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Karen\My Documents\OTL.exe

PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010/02/25 18:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccsvchst.exe

PRC - [2009/05/21 10:55:32 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe

PRC - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/08/27 10:36:34 | 000,111,912 | ---- | M] (SingleClick Systems) -- C:\Program Files\Dell Network Assistant\hnm_svc.exe

PRC - [2007/01/04 16:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe

PRC - [2003/10/29 02:06:00 | 000,024,576 | R--- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe

PRC - [2003/06/18 09:54:10 | 000,294,972 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe

PRC - [2003/02/04 08:22:30 | 000,181,312 | ---- | M] () -- C:\WINDOWS\SYSTEM32\ScsiAccess.EXE

PRC - [2002/10/16 20:20:20 | 000,073,728 | ---- | M] () -- C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

========== Modules (SafeList) ==========

MOD - [2010/05/17 08:39:58 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Karen\My Documents\OTL.exe

MOD - [2010/03/26 18:52:36 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.1.0.32\asoehook.dll

MOD - [2009/07/12 03:02:02 | 000,653,120 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.1.0.32\microsoft.vc90.crt\msvcr90.dll

MOD - [2009/07/12 03:02:00 | 000,569,664 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.1.0.32\microsoft.vc90.crt\msvcp90.dll

MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (MSSQLServerADHelper)

SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2010/02/25 18:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [unknown | Running] -- C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe -- (N360)

SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)

SRV - [2008/03/18 16:52:32 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)

SRV - [2007/08/27 10:36:34 | 000,111,912 | ---- | M] (SingleClick Systems) [Auto | Running] -- C:\Program Files\Dell Network Assistant\hnm_svc.exe -- (hnmsvc)

SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)

SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)

SRV - [2006/11/09 18:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)

SRV - [2004/11/02 17:59:50 | 000,316,544 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe -- (SymWSC)

SRV - [2003/06/18 09:54:10 | 000,294,972 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe -- (KodakCCS)

SRV - [2003/03/03 13:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)

SRV - [2003/02/04 08:22:30 | 000,181,312 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\ScsiAccess.EXE -- (ScsiAccess)

========== Driver Services (SafeList) ==========

DRV - [2010/05/22 21:57:48 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS -- (SymEvent)

DRV - [2010/05/22 01:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100524.002\NAVEX15.SYS -- (NAVEX15)

DRV - [2010/05/22 01:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2010/05/22 01:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2010/05/22 01:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100524.002\NAVENG.SYS -- (NAVENG)

DRV - [2010/04/29 12:44:04 | 000,537,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys -- (BHDrvx86)

DRV - [2010/02/26 21:23:54 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0401000.020\Ironx86.SYS -- (SymIRON)

DRV - [2010/02/26 21:23:21 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0401000.020\SRTSP.SYS -- (SRTSP)

DRV - [2010/02/26 21:23:21 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0401000.020\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)

DRV - [2010/02/25 18:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0401000.020\ccHPx86.sys -- (ccHP)

DRV - [2009/11/26 01:41:48 | 000,172,592 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0401000.020\SYMEFA.SYS -- (SymEFA)

DRV - [2009/11/21 19:43:48 | 000,362,032 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0401000.020\SYMTDI.SYS -- (SYMTDI)

DRV - [2009/11/16 19:51:14 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100513.002\IDSXpx86.sys -- (IDSxpx86)

DRV - [2009/10/14 22:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0401000.020\SYMDS.SYS -- (SymDS)

DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)

DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)

DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)

DRV - [2006/12/18 18:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\packet.sys -- (Packet)

DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)

DRV - [2006/08/11 21:42:42 | 003,958,496 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)

DRV - [2004/08/04 00:29:49 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)

DRV - [2004/08/04 00:29:47 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)

DRV - [2004/08/04 00:29:45 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)

DRV - [2004/08/04 00:29:43 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)

DRV - [2004/08/04 00:29:42 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)

DRV - [2004/08/04 00:29:41 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)

DRV - [2004/08/04 00:29:37 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)

DRV - [2004/08/04 00:29:37 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)

DRV - [2004/08/04 00:29:37 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)

DRV - [2004/08/04 00:29:36 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)

DRV - [2004/04/23 22:43:00 | 000,374,752 | ---- | M] (Cisco-Linksys, LLC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WUSBGXP.sys -- (PRISM_A02)

DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)

DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)

DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)

DRV - [2003/09/25 22:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\GTNDIS5.sys -- (GTNDIS5)

DRV - [2003/08/06 01:04:00 | 000,100,373 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -- (tfsnudfa)

DRV - [2003/08/06 01:04:00 | 000,098,068 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -- (tfsnudf)

DRV - [2003/08/06 01:04:00 | 000,083,284 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -- (tfsnifs)

DRV - [2003/08/06 01:04:00 | 000,034,837 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -- (tfsncofs)

DRV - [2003/08/06 01:04:00 | 000,025,685 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -- (tfsnboio)

DRV - [2003/08/06 01:04:00 | 000,014,229 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -- (tfsnopio)

DRV - [2003/08/06 01:04:00 | 000,006,357 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -- (tfsnpool)

DRV - [2003/08/06 01:04:00 | 000,004,117 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -- (tfsndrct)

DRV - [2003/08/06 01:04:00 | 000,002,233 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -- (tfsndres)

DRV - [2003/07/31 03:21:00 | 000,084,576 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)

DRV - [2003/07/14 11:28:40 | 000,005,621 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -- (sscdbhk5)

DRV - [2003/07/14 11:28:22 | 000,023,219 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -- (ssrtln)

DRV - [2003/06/20 02:56:00 | 000,040,448 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -- (drvnddm)

DRV - [2003/06/18 09:53:08 | 000,138,485 | ---- | M] (Eastman Kodak Company) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ExportIt.sys -- (Exportit)

DRV - [2003/06/18 09:53:08 | 000,063,002 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\DcPtp.sys -- (DcPTP)

DRV - [2003/06/18 09:53:08 | 000,061,568 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\DcFpoint.sys -- (DcFpoint)

DRV - [2003/06/18 09:53:08 | 000,038,997 | ---- | M] (Eastman Kodak Company) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DCFS2k.sys -- (DCFS2K)

DRV - [2003/06/18 09:53:08 | 000,036,826 | ---- | M] (Eastman Kodak Company) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DcCam.sys -- (DcCam)

DRV - [2003/06/18 09:53:08 | 000,008,058 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\DcLps.sys -- (DcLps)

DRV - [2002/11/08 13:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)

DRV - [2002/10/15 22:41:06 | 000,102,220 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\sonypvs1.sys -- (sonypvs1)

DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)

DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)

DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)

DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)

DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)

DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)

DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)

DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)

DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)

DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)

DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)

DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)

DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)

DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)

DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)

DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)

DRV - [2001/08/17 12:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)

DRV - [2000/03/29 17:11:20 | 000,008,096 | ---- | M] (MicroStaff Co.,Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MASPINT.SYS -- (MASPINT)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - Reg Error: Key error. File not found

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2010/05/23 23:09:58 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2010/05/22 21:58:36 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2002/08/29 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\coieplg.dll (Symantec Corporation)

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ipsbho.dll (Symantec Corporation)

O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\coieplg.dll (Symantec Corporation)

O3 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\coieplg.dll (Symantec Corporation)

O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk = C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab (MSN Games

[Elise]

Hi there,

I believe I might have found the culprit here

OTL FIX

------------

We need to run an OTL Fix

1. Please reopen on your desktop.
   
2. Copy and Paste the following code into the textbox. Do not include the word "Code"
   

   :otl
   IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
   IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
   IE - HKU\S-1-5-21-2056517334-3818234146-3613033903-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
   
   :commands
   [emptytemp]

   
   

3. Push
   
4. OTL may ask to reboot the machine. Please do so if asked.
   
5. Click .
   
6. A report will open. Copy and Paste that report in your next reply.
   

[Elise]

Hello, are you still there?

[dmueller375]

Hi Elise,

It depends on what you mean by "here", lol. I'm working away from the the infecteted / cleaned pc, I should be back to try your latest fix in the next 2 or 3 days. I appreciate your help and will certainly let you know the outcomes / post the results as requested.

Hope your day is great!

Dave

[Elise]

Thanks for letting me know Dave. Its no problem if you need more time, just let me know