Hi There,

Something's got me, I just don't know what it is. Attached is the gmerlog, and the dds log.

Half of the time, the computer will not boot up with a blue screen and an error message of: STOP c000021a {fatal system error}

Also, when it does boot up, there are numerous boxes that appear on my machine that tell me there is an error with a file, and asks me if I want to send to Microsoft Support (looks like normal error message, 'send error report' or 'do not send report' at the bottom)(numerous files, always changing, but have been sptcmd.exe, winampa.exe, adobearm.exe, nkcmd.exe, dsca.exe, ipoint.exe, syntpench.exe, sttray.exe, wltray.exe, aestfltr.exe, apoint.exe).

Once I clear all the boxes, it then allows me to somewhat use the computer normally, however, I cannot go to any site with Microsoft Update, and I get fake Google results and banking pages popping up. The Microsoft Phishing Filter also pops up on the screen - I've never seen this ever previous (computer about a year old), and it happens every single time I boot up now (and did so again as I was typing this message).

Thanks for your assistance!

DDS LOG:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Craig at 15:28:54.17 on Thu 05/06/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2073 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
Executable.exe 4
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r211990\stacsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Craig\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.tsn.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PMA_ENT] c:\program files\antimalware pro\AntiMalwarePro.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249057888609
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100429.001\IDSXpx86.sys [2010-5-3 329592]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-7-25 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100506.005\NAVENG.SYS [2010-5-6 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100506.005\NAVEX15.SYS [2010-5-6 1324720]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-7-25 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-7-25 41760]

=============== Created Last 30 ================

2010-05-06 02:32:45 0 d-----w- C:\Malwarebytes' Anti-Malware
2010-05-06 02:21:11 0 d-----w- c:\docume~1\craig\applic~1\AVP 2009
2010-05-06 02:21:04 0 d-----w- c:\program files\AntiMalware Pro
2010-05-06 02:16:28 0 d-----w- c:\program files\Panda Security
2010-05-05 23:43:03 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-05 23:43:03 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-05 23:42:57 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-05 23:42:57 8192 ----a-w- c:\windows\system32\drivers\changer.sys

==================== Find3M ====================

2010-05-06 12:03:13 94208 ----a-w- c:\windows\DUMP7a7f.tmp
2010-05-06 01:12:08 94208 ----a-w- c:\windows\DUMP4de1.tmp
2010-05-05 23:43:26 56766 ----a-w- c:\windows\system32\wltray.exe
2010-05-05 23:43:25 56766 ----a-w- c:\windows\system32\igfxpers.exe
2010-05-05 23:43:24 56766 ----a-w- c:\windows\system32\hkcmd.exe
2010-05-05 23:43:22 56766 ----a-w- c:\windows\system32\aestfltr.exe
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 15:29:59.23 ===============

Hello nexus_99,

• Welcome to Bleeping Computer.
  
• My name is fireman4it and I will be helping you with your Malware problem.
  
  Please take note of some guidelines for this fix:
  
• Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  
• Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  
• Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Limewire). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

2.
Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4


• Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  
• Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  
• A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  
• If nothing happens or if the tool does not run, please let me know in your next reply

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2

• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
• Close any open windows, including this one.
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• If you did not have it installed, you will see the prompt below. Choose YES.
• 
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
• Click on Yes, to continue scanning for malware.
• When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

Hi Fireman4it:

Thanks so much for your speedy reply, and all of your help.

I did as you requested, log pasted below. Interesting things to note:

1) Phishing filter popped up as soon as I transferred Combofix from pen drive (clean computer to infected one)
2) A new internet explorer icon has appeared on my desktop. It definately was note there before (underneath combofix)
3) I now have a note that says 'Internet Explorer is not currently your default browser. Would you like to make it your default browser? with a checkbox that says 'Always perform this check when starting Internet Explorer'. There is no, and has never been, a different internet browser on this machine.
4) Just as I finished typing that, the checkbox has appeared on it's own, and the message is now flashing on my screen.
5) My Norton Internet Security has just popped up as well, it says 'SONAR Advanced protection failed to load' 'Click here to go to Norton Technical Support Knowledge Base... (3 dots are actually present). In the bottom corner, it has the numbers 3039,1, and then the OK box.

Won't use the machine until you tell me it's okay to, so I can't tell you if it's running better. Please let me know if you require a reboot, and if I'm to surf the web, do I use my usual IE icon or the new one?

Thanks again!

************************************************
COMBOFIX LOG:

ComboFix 10-05-06.01 - Craig 05/06/2010 23:01:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2643 [GMT -4:00]
Running from: c:\documents and settings\Craig\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
c:\program files\Dell Support Center\bin\sprtcmd.exe
c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
c:\program files\DellTPad\Apoint.exe
c:\program files\IDT\WDM\sttray.exe
c:\program files\Microsoft IntelliPoint\ipoint.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Winamp\winampa.exe
c:\windows\system32\aestfltr .exe
c:\windows\system32\aestfltr.exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxpers.exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\wltray .exe
c:\windows\system32\wltray.exe

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-04-07 to 2010-05-07 )))))))))))))))))))))))))))))))
.

2010-05-07 02:58 . 2010-02-03 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\NAVENG.SYS
2010-05-07 02:58 . 2010-02-03 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\NAVEX15.SYS
2010-05-07 02:58 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\NAVENG32.DLL
2010-05-07 02:58 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\NAVEX32A.DLL
2010-05-07 02:58 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\CCERASER.DLL
2010-05-07 02:58 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\ECMSVR32.DLL
2010-05-07 02:58 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\EECTRL.SYS
2010-05-07 02:58 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\ERASER.SYS
2010-05-06 02:32 . 2010-05-06 02:32 -------- d-----w- C:\Malwarebytes' Anti-Malware
2010-05-06 02:21 . 2010-05-06 02:22 -------- d-----w- c:\documents and settings\Craig\Application Data\AVP 2009
2010-05-06 02:21 . 2010-05-06 02:27 -------- d-----w- c:\program files\AntiMalware Pro
2010-05-06 02:16 . 2010-05-06 12:06 -------- d-----w- c:\program files\Panda Security
2010-05-06 01:47 . 2010-05-06 01:47 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Windows Search
2010-05-06 01:45 . 2010-05-06 01:47 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2010-05-05 23:43 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-05 23:43 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-05 23:43 . 2010-05-06 03:15 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\potqafkja
2010-05-05 23:42 . 2010-05-06 03:15 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\fbbrylwpi
2010-05-05 23:42 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-05 23:42 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-04 19:55 . 2010-05-04 19:57 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\knmfnjivs
2010-05-04 01:03 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSvix86.sys
2010-05-04 01:03 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSXpx86.sys
2010-05-04 01:03 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\Scxpx86.dll
2010-05-04 01:03 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSxpx86.dll
2010-05-04 01:03 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSviA64.sys
2010-04-30 15:22 . 2010-04-30 15:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
2010-04-27 02:52 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100422.002\IDSvix86.sys
2010-04-27 02:52 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100422.002\IDSXpx86.sys
2010-04-27 02:52 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100422.002\Scxpx86.dll
2010-04-27 02:52 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100422.002\IDSxpx86.dll
2010-04-27 02:52 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100422.002\IDSviA64.sys
2010-04-27 02:42 . 2010-02-12 22:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 03:04 . 2009-08-01 18:49 -------- d-----w- c:\program files\Winamp
2010-05-07 03:04 . 2009-08-01 16:23 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-05-07 03:04 . 2009-07-25 08:26 -------- d-----w- c:\program files\DellTPad
2010-05-07 02:50 . 2009-07-31 19:44 5892 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-05-06 22:14 . 2009-07-25 04:20 94208 ----a-w- c:\windows\DUMP3122.tmp
2010-05-06 13:08 . 2009-07-31 16:25 -------- d-----w- c:\program files\Google
2010-05-06 12:06 . 2009-12-30 17:35 -------- d-----w- c:\program files\Quick Hit
2010-05-06 12:03 . 2009-07-25 04:20 94208 ----a-w- c:\windows\DUMP7a7f.tmp
2010-05-06 01:12 . 2009-07-25 04:20 94208 ----a-w- c:\windows\DUMP4de1.tmp
2010-04-29 19:39 . 2009-12-30 14:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-30 14:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 14:50 . 2009-08-01 18:46 -------- d-----w- c:\documents and settings\Craig\Application Data\LimeWire
2010-03-03 00:59 . 2010-03-03 00:59 544768 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Tools.Scripting.Client.dll
2010-03-03 00:59 . 2010-03-03 00:59 22016 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Tools.Scripting.Client_rc.dll
2010-03-03 00:58 . 2010-03-03 00:58 70920 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer_rc.dll
2010-03-03 00:58 . 2010-03-03 00:58 626440 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer.exe
2010-03-03 00:58 . 2010-03-03 00:57 599304 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Controller.exe
2010-03-03 00:57 . 2010-03-03 00:57 353544 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SoftwareUpdater.exe
2010-03-03 00:57 . 2010-03-03 00:57 632072 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\msvcr80.dll
.


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [N/A]
"PMA_ENT"="c:\program files\AntiMalware Pro\AntiMalwarePro.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [N/A]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [N/A]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [N/A]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [N/A]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [N/A]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [N/A]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [N/A]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [N/A]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 967960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 8:06 PM 117640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [7/25/2009 12:23 AM 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 4:00 AM 102448]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [7/25/2009 12:23 AM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [7/25/2009 12:23 AM 41760]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS --> c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NIS\1008000.029\BHDrvx86.sys --> c:\windows\system32\Drivers\NIS\1008000.029\BHDrvx86.sys [?]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NIS\1008000.029\ccHPx86.sys --> c:\windows\system32\Drivers\NIS\1008000.029\ccHPx86.sys [?]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSXpx86.sys [5/3/2010 9:03 PM 329592]
.
Contents of the 'Scheduled Tasks' folder

2010-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 23:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1328)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-05-06 23:06:30
ComboFix-quarantined-files.txt 2010-05-07 03:06

Pre-Run: 215,076,007,936 bytes free
Post-Run: 215,757,262,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B04812C9B96765BD5B01E4D969072E84

Hello,


Some Antivirus and Antimalware products will pick Combofix up as a Virus or Trojan


This is strange maybe the Malware has something to do with this.


The malware could have tricked or altered the Internet Explorer settings. Lets finish making sure your machine is all clean then see what happens.


Did you Disable Norton prior to running Combofix,as describe in my previous post? This could be why it gave you that warning or Once again it could be the Malware. This type of Infection will infect System file along with other products files.
If this continues you may have to uninstall and reinstall Norton.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Things to include in your next reply::
Combofix.txt
How is your machine running now?

Hi Fireman4it,

Once again, thanks for your help. I did disable Norton as per the last set of instructions (I followed the link and disabled it for 5 hours).

I also disabled it for this round, although several Norton messages popped up during the running of Combofix - not sure if it's real or not (one of them recommended I turn off the Windows firewall).

Again, not using the computer to do anything other than your instructions, so not sure how it is running. Combofix has rebooted it twice or three times now - no more blue screen and refusal to boot, which I assume is good.

New Norton Internet Security box is up now "Auto-Protect experienced an unexpected error. Error Code: 0x000003E8. Click here to go to the Norton Technical Support Knowledge Base...", numbers in the bottom left now read 3035,6.

************************************************

Combofix2 Log:

ComboFix 10-05-06.01 - Craig 05/07/2010 20:04:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2573 [GMT -4:00]
Running from: c:\documents and settings\Craig\Desktop\ComboFix.exe
Command switches used :: e:\11111\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\documents and settings\Craig\Application Data\AVP 2009"
"c:\documents and settings\Craig\Local Settings\Application Data\fbbrylwpi"
"c:\documents and settings\Craig\Local Settings\Application Data\potqafkja"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AntiMalware Pro
c:\program files\AntiMalware Pro\definitions\200901.cab
c:\program files\AntiMalware Pro\definitions\200902.cab
c:\program files\AntiMalware Pro\definitions\200903.cab
c:\program files\AntiMalware Pro\definitions\200904.cab
c:\program files\AntiMalware Pro\definitions\200905.cab
c:\program files\AntiMalware Pro\definitions\20090601.cab
c:\program files\AntiMalware Pro\definitions\20090602.cab
c:\program files\AntiMalware Pro\definitions\20090603.cab
c:\program files\AntiMalware Pro\definitions\20090706.cab
c:\program files\AntiMalware Pro\definitions\20090714.cab
c:\program files\AntiMalware Pro\definitions\20090721.cab
c:\program files\AntiMalware Pro\definitions\20090729.cab
c:\program files\AntiMalware Pro\definitions\20090805.cab
c:\program files\AntiMalware Pro\definitions\20090819.cab
c:\program files\AntiMalware Pro\definitions\20090901.cab
c:\program files\AntiMalware Pro\definitions\20090921.cab
c:\program files\AntiMalware Pro\definitions\20091006.cab
c:\program files\AntiMalware Pro\definitions\20091023.cab
c:\program files\AntiMalware Pro\definitions\20091104.cab
c:\program files\AntiMalware Pro\definitions\20091114.cab
c:\program files\AntiMalware Pro\definitions\20091130.cab
c:\program files\AntiMalware Pro\definitions\20091218.cab
c:\program files\AntiMalware Pro\definitions\20091231.cab
c:\program files\AntiMalware Pro\definitions\20100118.cab
c:\program files\AntiMalware Pro\definitions\20100130.cab
c:\program files\AntiMalware Pro\definitions\20100212.cab
c:\program files\AntiMalware Pro\definitions\20100302.cab
c:\program files\AntiMalware Pro\definitions\20100323.cab
c:\program files\AntiMalware Pro\definitions\20100416.cab

.
((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-07 03:11 . 2010-05-07 03:11 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\Symantec
2010-05-07 02:58 . 2010-02-03 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\NAVENG.SYS
2010-05-07 02:58 . 2010-02-03 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\NAVEX15.SYS
2010-05-07 02:58 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\NAVENG32.DLL
2010-05-07 02:58 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\NAVEX32A.DLL
2010-05-07 02:58 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\CCERASER.DLL
2010-05-07 02:58 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\ECMSVR32.DLL
2010-05-07 02:58 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\EECTRL.SYS
2010-05-07 02:58 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100506.025\ERASER.SYS
2010-05-06 02:32 . 2010-05-06 02:32 -------- d-----w- C:\Malwarebytes' Anti-Malware
2010-05-06 02:21 . 2010-05-06 02:22 -------- d-----w- c:\documents and settings\Craig\Application Data\AVP 2009
2010-05-06 02:16 . 2010-05-06 12:06 -------- d-----w- c:\program files\Panda Security
2010-05-06 01:47 . 2010-05-06 01:47 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Windows Search
2010-05-06 01:45 . 2010-05-06 01:47 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2010-05-05 23:43 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-05 23:43 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-05 23:43 . 2010-05-06 03:15 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\potqafkja
2010-05-05 23:42 . 2010-05-06 03:15 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\fbbrylwpi
2010-05-05 23:42 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-05 23:42 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-04 19:55 . 2010-05-04 19:57 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\knmfnjivs
2010-05-04 01:03 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSvix86.sys
2010-05-04 01:03 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSXpx86.sys
2010-05-04 01:03 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\Scxpx86.dll
2010-05-04 01:03 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSxpx86.dll
2010-05-04 01:03 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSviA64.sys
2010-04-30 15:22 . 2010-04-30 15:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
2010-04-27 02:52 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100422.002\IDSvix86.sys
2010-04-27 02:52 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100422.002\IDSXpx86.sys
2010-04-27 02:52 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100422.002\Scxpx86.dll
2010-04-27 02:52 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100422.002\IDSxpx86.dll
2010-04-27 02:52 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100422.002\IDSviA64.sys
2010-04-27 02:42 . 2010-02-12 22:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 00:04 . 2009-08-01 18:49 -------- d-----w- c:\program files\Winamp
2010-05-08 00:04 . 2009-08-01 16:23 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-05-08 00:04 . 2009-07-25 08:26 -------- d-----w- c:\program files\DellTPad
2010-05-07 23:59 . 2009-07-31 19:44 5892 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-05-06 22:14 . 2009-07-25 04:20 94208 ----a-w- c:\windows\DUMP3122.tmp
2010-05-06 13:08 . 2009-07-31 16:25 -------- d-----w- c:\program files\Google
2010-05-06 12:06 . 2009-12-30 17:35 -------- d-----w- c:\program files\Quick Hit
2010-05-06 12:03 . 2009-07-25 04:20 94208 ----a-w- c:\windows\DUMP7a7f.tmp
2010-05-06 01:12 . 2009-07-25 04:20 94208 ----a-w- c:\windows\DUMP4de1.tmp
2010-04-29 19:39 . 2009-12-30 14:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-30 14:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 14:50 . 2009-08-01 18:46 -------- d-----w- c:\documents and settings\Craig\Application Data\LimeWire
2010-03-03 00:59 . 2010-03-03 00:59 544768 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Tools.Scripting.Client.dll
2010-03-03 00:59 . 2010-03-03 00:59 22016 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Tools.Scripting.Client_rc.dll
2010-03-03 00:58 . 2010-03-03 00:58 70920 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer_rc.dll
2010-03-03 00:58 . 2010-03-03 00:58 626440 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer.exe
2010-03-03 00:58 . 2010-03-03 00:57 599304 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Controller.exe
2010-03-03 00:57 . 2010-03-03 00:57 353544 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SoftwareUpdater.exe
2010-03-03 00:57 . 2010-03-03 00:57 632072 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\msvcr80.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-07_03.05.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-08 00:08 . 2010-05-08 00:08 16384 c:\windows\Temp\Perflib_Perfdata_3d8.dat
+ 2010-05-08 00:08 . 2010-05-08 00:08 16384 c:\windows\Temp\Perflib_Perfdata_3a8.dat
- 2008-04-25 16:16 . 2010-05-07 03:05 80032 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2010-05-07 03:07 80032 c:\windows\system32\perfc009.dat
- 2009-07-31 15:57 . 2010-05-07 03:04 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-31 15:57 . 2010-05-08 00:04 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-31 15:57 . 2010-05-08 00:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-07-31 15:57 . 2010-05-07 03:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-04-25 16:16 . 2010-05-07 03:05 466982 c:\windows\system32\perfh009.dat
+ 2008-04-25 16:16 . 2010-05-07 03:07 466982 c:\windows\system32\perfh009.dat
+ 2009-07-31 15:57 . 2010-05-08 00:04 4128768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-31 15:57 . 2010-05-07 03:04 4128768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 967960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 8:06 PM 117640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [7/25/2009 12:23 AM 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 4:00 AM 102448]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [7/25/2009 12:23 AM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [7/25/2009 12:23 AM 41760]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS --> c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NIS\1008000.029\BHDrvx86.sys --> c:\windows\system32\Drivers\NIS\1008000.029\BHDrvx86.sys [?]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NIS\1008000.029\ccHPx86.sys --> c:\windows\system32\Drivers\NIS\1008000.029\ccHPx86.sys [?]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSXpx86.sys [5/3/2010 9:03 PM 329592]
.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AESTFltr - c:\windows\system32\AESTFltr.exe
HKLM-Run-HotKeysCmds - c:\windows\system32\hkcmd.exe
HKLM-Run-Broadcom Wireless Manager UI - c:\windows\system32\WLTRAY.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-07 20:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1332)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3136)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\system volume information\Whistler\svchost.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\system volume information\Whistler\smss.exe
c:\drivers\audio\r211990\stacsv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wscript.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Windows Live\Toolbar\wltuser.exe
.
**************************************************************************
.
Completion time: 2010-05-07 20:10:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-08 00:10
ComboFix2.txt 2010-05-07 03:06

Pre-Run: 215,772,340,224 bytes free
Post-Run: 215,728,451,584 bytes free

- - End Of File - - E26892E79B5BE97F38823EB95798FBFB

Hello,

Everything on your logs looks good. lets do some more checking to make sure you are clean.


Please read here about your error and what to do.

1.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.

Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
  For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
2. Click the button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. Click on to download the ESET Smart Installer. Save it to your desktop.
   2. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the button.
13. Push

Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply::
MBAM log
ESET log
A new DDS log
How is your machine running now?

Many thanks, Fireman4it.

Unfortunately, we are not clean.

As you started your message with 'Everything on your logs looks good', I decided to simply use the infected computer to go to bleepingcomputer.com to download the links directly to the desktop (everything previous has been done on clean machines to infected machine via pendrive).

As soon as I opened IE, the message for it not being my default browser popped up; www.bleepingcomputer.com did not open correctly, and as soon as I got there, the pop-ups started, telling me that my computer has signs of viruses and click here to clean it up now, etc. There were about four pop-ups that occured, asking if I wanted to navigate away from this page to remain infected, etc.

So, I'm back to a clean computer, the infected computer is back in quarantine - no virus spreading for him!

MBAM found nothing (scanned from both the infected machine, and also from the pendrive); ESET found lots. Please see logs:

***********************************************
MBAM - infected computer:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4077

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/8/2010 8:21:37 AM
mbam-log-2010-05-08 (08-21-37).txt

Scan type: Quick scan
Objects scanned: 123849
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


*********************************************************
MBAM Log - pendrive:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4077

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/8/2010 8:35:29 AM
mbam-log-2010-05-08 (08-35-29).txt

Scan type: Quick scan
Objects scanned: 123700
Time elapsed: 2 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


***********************************************

ESET Log:

C:\Documents and Settings\Craig\Application Data\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-6059648c a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Program Files\Common Files\Adobe\ARM\1.0\adobearm.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Dell Support Center\bin\sprtcmd.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Dell Support Center\gs_agent\custom\dsca.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\DellTPad\apoint.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\IDT\WDM\sttray.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Microsoft IntelliPoint\ipoint.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Synaptics\SynTP\syntpenh.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Winamp\winampa.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\aestfltr.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\hkcmd.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\igfxpers.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wltray.exe.vir Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\acpiec.sys.vir Win32/Patched.EQ trojan deleted - quarantined
C:\System Volume Information\Whistler\smss.exe a variant of Win32/TrojanDownloader.Unruy.AV trojan cleaned by deleting (after the next restart) - quarantined
C:\System Volume Information\Whistler\svchost.exe a variant of Win32/TrojanDownloader.Unruy.BM trojan cleaned by deleting (after the next restart) - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP164\A0029754.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0030189.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0030192.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034298.sys Win32/Patched.EQ trojan deleted - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034339.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034340.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034341.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034342.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034343.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034344.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034345.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034346.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034348.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034351.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034353.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP165\A0034356.exe Win32/TrojanDownloader.Unruy.BO trojan cleaned by deleting - quarantined

Uh-oh, now there is trouble:

Upon reboot, Windows XP is now asking me to type in my password. There is no password on my computer, never has been. I'm locked out.

PLEASE HELP!!

A further reboot, and I'm back in, didn't ask me for a password this time. But I'm never turning off the machine again ;)

Thanks again, Fireman4it!

Hello,

MBAm and Eset found nothing that I'm worried about.
If your still having the redirects lets post a new DDS log and new Gmer log
Lets flush your DNS first and see if that helps with the redirects.

• Go to Start -> Control Panel -> Network and Internet Connection ->Network Connections.
  
• Right-click your default connection, usually Local Area Connection or Dial-up Connection (if you are using dial-up), and left-click on the Properties option.
  
• Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically".
  
• Click OK twice.
  spacer.gif
  
• Go to Start -> Run...
  
• In the Open: field type cmd and click OK or hit Enter.
  This will open a Command Prompt.
  
• At the DOS prompt screen, type in ipconfig /flushdns and then press Enter (notice the space between "ipconfig" and "/flushdns").
  
• Exit the Command Prompt.
  
• Reboot your PC and try to open any website.

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop post the contents of the DDS.txt log. Save the other report incase I need to look at it later.




How are you connected to the internet?
Router, modem, wireless?

Hello Fireman4it,

As always, thank you so much for your quick responses. I cannot wait to have this computer back up online (actually, using the infected machine now as I don't have access to the clean ones)

For the vast majority of the time, I connect to the internet via LAN (wired) into dumb router. However, the other 10% of the time, it's wireless (through same router).

DDS and GMER logs posted, ATTACH log attached.

***********************************************

DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Craig at 14:28:03.17 on Sat 05/08/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2525 [GMT -4:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

Executable.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r211990\stacsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Craig\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.tsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249057888609
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-7-25 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-7-25 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-7-25 41760]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\symefa.sys --> c:\windows\system32\drivers\nis\1008000.029\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\bhdrvx86.sys --> c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [?]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys --> c:\windows\system32\drivers\nis\1008000.029\ccHPx86.sys [?]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100505.001\IDSXpx86.sys [2010-5-8 329592]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100507.038\NAVENG.SYS [2010-5-8 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100507.038\NAVEX15.SYS [2010-5-8 1324720]

=============== Created Last 30 ================

2010-05-08 12:48:23 0 d-----w- c:\program files\ESET
2010-05-08 12:45:47 0 d-----r- c:\program files\Norton Support
2010-05-07 02:57:51 0 d-sha-r- C:\cmdcons
2010-05-07 02:55:44 98816 ----a-w- c:\windows\sed.exe
2010-05-07 02:55:44 77312 ----a-w- c:\windows\MBR.exe
2010-05-07 02:55:44 256512 ----a-w- c:\windows\PEV.exe
2010-05-07 02:55:44 161792 ----a-w- c:\windows\SWREG.exe
2010-05-06 02:32:45 0 d-----w- C:\Malwarebytes' Anti-Malware
2010-05-06 02:21:11 0 d-----w- c:\docume~1\craig\applic~1\AVP 2009
2010-05-06 02:16:28 0 d-----w- c:\program files\Panda Security
2010-05-05 23:43:03 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-05 23:43:03 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-05 23:42:57 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-05 23:42:57 8192 ----a-w- c:\windows\system32\drivers\changer.sys

==================== Find3M ====================

2010-05-06 22:14:09 94208 ----a-w- c:\windows\DUMP3122.tmp
2010-05-06 12:03:13 94208 ----a-w- c:\windows\DUMP7a7f.tmp
2010-05-06 01:12:08 94208 ----a-w- c:\windows\DUMP4de1.tmp
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 14:28:16.60 ===============


*******************************************************************************

GMER Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-08 14:19:03
Windows 5.1.2600 Service Pack 3
Running: keimgxyc.exe; Driver: C:\DOCUME~1\Craig\LOCALS~1\Temp\fwliqkoc.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1600] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2332] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2332] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2332] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2332] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2332] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2332] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2332] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2332] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2332] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3824] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3824] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3824] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3824] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3824] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3824] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3824] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3824] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3824] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 95A73D20

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 01B00000-0351F000 (27389952 bytes)

---- EOF - GMER 1.0.15 ----

So sorry, I flushed DNS and ensured that it is obtaining DNS automatically for both wired (LAN) and wireless connections.

Hello,

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please run GMER again make sure every box is checked on the right hand side. Including Sections

Things to include in your next reply:
Combofix.txt
Still having redirects?

Hi Fireman4it,

Sorry for the delay in my reply. There has been a lot of frustration on this side.

I ran ComboFix with the script you asked me to use. My computer rebooted after the logs came up, I cannot find them anywhere, and understand it is dangerous to run Combofix more than once, so I don't have that log. I'm very sorry about that.

Trying to run GMER crashed my machine repeatedly. It would start the process, then I would come back to a blue screen of death. Several times when watching it, my computer would just shut off.

GMER finally ran, log posted below. I'm on the infected machine now, I continually get the following as soon as I connect to the internet:

1) Microsoft Phishing Filter pops up immediately. As mentioned previously, I've never seen it in the year I've had the machine, don't know if this is real or fake.
2) Norton kicks on, 'One Touch Support'. It runs some things, and then give me an error code (varies on what it returns). I'm beginning to think this is part of whatever infection is remaining as well
3) As soon as I close the Norton One Touch Support box, I get a pop-up that tells me it appears my machine has malware on it, and I should press OK to run a check now.

So, I think I still have something, and even though I'm by no means an expert, I think it's hiding somewhere in the Norton files and trying to pass itself off as legit.

Other than that, the computer appears to be running well. Interestingly enough, whenever the computer crashes, it always boots up to the 'enter your password' XP page, and once I reboot from there, it runs normally.

Please let me know if you need me to re-run a ComboFix, or any other diagnostic test. If you would like me to uninstall Norton to see what that lands us, I'm happy to do that as well (as per instructions, I will do nothing without you telling me to).

Thank you once again!

Right before I hit Submit for this reply, the Norton One Touch Support box popped up again. I once again closed it, and it gave me a pop-up which said 'Warning, your system is unstable and is about to crash. Are you sure you want to navigate away from this page?' (not verbatim, but approximate of what the message says.

********************************************************
GMER Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 11:55:31
Windows 5.1.2600 Service Pack 3
Running: keimgxyc.exe; Driver: C:\DOCUME~1\Craig\LOCALS~1\Temp\fwliqkoc.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2248] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 97D46D20

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Here you are trying to help, and I'm giving you vague answers. I apologize, here are the exact messages of the 3 error messages that pop up on my screen when connected to the internet:

All pop up in a normal looking box with the title of 'Windows Internet Explorer'. All 3 have the yellow triangle with the exclamation point in the middle of it.

Errors read:

Warning! Your computer is at risk of malware attacks.
We recomment you to check your system immediately. Press OK to start the process now
OK box

Are you sure you want to navigate away from this page?
Your system is at risk of crash. Press CANCEL to prevent it.
Press OK to continue, or Cancel to say on the current page.
OK box, Cancel box

Are you sure you want to navigate away from this page?
Antivirus system will be deactivated if your proceed, are you sure? (Not a spelling mistake, that's what it says)
Press OK to continue, or Cancel to stay on the current page.
OK box, Cancel box

Thanks again!

Hello,

Lets try and reset your router. On the back of your router there is a little hole please find something a push and hold the button inside there for 30 seconds. If you cant do this please unplug your router for 1 minute then plug it back in. Please restart your machine once you have done this. See if the messages appear. If they appear please do the following

1.

• Download the file TDSSKiller.zip and extract it into a folder on the infected computer.
  
• Double-click the file TDSSKiller.exe.
  
• Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.
  
• If nothing has been detected, the utility will conduct a search for hidden services. If such a service is detected, the utility will report its name with a prompt to remove it. Type delete to remove a service.
  
• If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.

There should be a Cmbofix log at C:\Combofix.txt. We will be looking for the one with the biggest number. I belive it should be Combofix.txt3. If you dont have a log. please go ahead and run that combofix script again from my previous post.

Things to include in your next reply::
TDSSKiller log
Combofix.txt
How is your machine running now?

Thank you Fireman4it!

I have a cable box that is plugged into a wireless router which is also plugged into a dumb router (8 port). All 3 were turned off for 2 minutes, and rebooted.

Combofix log has been located, posted below.

TDDS Log also posted below.

I was able to surf, and didn't get any redirects or pop-ups. However, I have just had one up now that says:

Windows Internet Explorer

Warning!
Your computer contains various signs of viruses and malware programs presence.
Your system requires immediate antiviruses check! Microsoft Security Assessment Tool will perform a quick and free online checking of your PC
OK Box Cancel Box

Interesting...No Norton anything this time around...

****************************************************

COMBOFIX LOG:

ComboFix 10-05-06.01 - Craig 05/08/2010 20:30:09.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2538 [GMT -4:00]
Running from: c:\documents and settings\Craig\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Craig\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\windows\DUMP3122.tmp"
"c:\windows\DUMP4de1.tmp"
"c:\windows\DUMP7a7f.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\craig\applic~1\AVP 2009
c:\docume~1\craig\applic~1\AVP 2009\1.dat
c:\windows\DUMP3122.tmp
c:\windows\DUMP4de1.tmp
c:\windows\DUMP7a7f.tmp

.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-09 00:31 . 2010-05-09 00:31 4 ----a-w- c:\program files\1101406.dat
2010-05-09 00:30 . 2010-05-09 00:30 4 ----a-w- c:\program files\1064296.dat
2010-05-08 19:43 . 2010-02-03 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\NAVENG.SYS
2010-05-08 19:43 . 2010-02-03 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\NAVEX15.SYS
2010-05-08 19:43 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\CCERASER.DLL
2010-05-08 19:43 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\ECMSVR32.DLL
2010-05-08 19:43 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\EECTRL.SYS
2010-05-08 19:43 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\ERASER.SYS
2010-05-08 19:43 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\NAVENG32.DLL
2010-05-08 19:43 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\NAVEX32A.DLL
2010-05-08 12:48 . 2010-05-08 12:48 -------- d-----w- c:\program files\ESET
2010-05-08 12:46 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSvix86.sys
2010-05-08 12:46 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSXpx86.sys
2010-05-08 12:46 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\Scxpx86.dll
2010-05-08 12:46 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSxpx86.dll
2010-05-08 12:46 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSviA64.sys
2010-05-08 12:45 . 2010-05-08 12:45 -------- d-----r- c:\program files\Norton Support
2010-05-07 03:11 . 2010-05-07 03:11 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\Symantec
2010-05-06 02:32 . 2010-05-08 12:17 -------- d-----w- C:\Malwarebytes' Anti-Malware
2010-05-06 02:16 . 2010-05-06 12:06 -------- d-----w- c:\program files\Panda Security
2010-05-06 01:47 . 2010-05-06 01:47 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Windows Search
2010-05-06 01:45 . 2010-05-06 01:47 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2010-05-05 23:43 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-05 23:43 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-05 23:43 . 2010-05-06 03:15 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\potqafkja
2010-05-05 23:42 . 2010-05-06 03:15 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\fbbrylwpi
2010-05-05 23:42 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-05 23:42 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-04 19:55 . 2010-05-04 19:57 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\knmfnjivs
2010-05-04 01:03 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSvix86.sys
2010-05-04 01:03 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSXpx86.sys
2010-05-04 01:03 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\Scxpx86.dll
2010-05-04 01:03 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSxpx86.dll
2010-05-04 01:03 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSviA64.sys
2010-04-30 15:22 . 2010-04-30 15:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
2010-04-27 02:42 . 2010-02-12 22:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 00:04 . 2009-08-01 18:49 -------- d-----w- c:\program files\Winamp
2010-05-08 00:04 . 2009-08-01 16:23 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-05-08 00:04 . 2009-07-25 08:26 -------- d-----w- c:\program files\DellTPad
2010-05-07 23:59 . 2009-07-31 19:44 5892 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-05-06 13:08 . 2009-07-31 16:25 -------- d-----w- c:\program files\Google
2010-05-06 12:06 . 2009-12-30 17:35 -------- d-----w- c:\program files\Quick Hit
2010-04-29 19:39 . 2009-12-30 14:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-30 14:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 14:50 . 2009-08-01 18:46 -------- d-----w- c:\documents and settings\Craig\Application Data\LimeWire
2010-03-03 00:59 . 2010-03-03 00:59 544768 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Tools.Scripting.Client.dll
2010-03-03 00:59 . 2010-03-03 00:59 22016 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Tools.Scripting.Client_rc.dll
2010-03-03 00:58 . 2010-03-03 00:58 70920 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer_rc.dll
2010-03-03 00:58 . 2010-03-03 00:58 626440 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer.exe
2010-03-03 00:58 . 2010-03-03 00:57 599304 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Controller.exe
2010-03-03 00:57 . 2010-03-03 00:57 353544 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SoftwareUpdater.exe
2010-03-03 00:57 . 2010-03-03 00:57 632072 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\msvcr80.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-07_03.05.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-08 15:47 . 2010-05-08 15:47 16384 c:\windows\Temp\Perflib_Perfdata_7f4.dat
+ 2010-05-08 15:47 . 2010-05-08 15:47 16384 c:\windows\Temp\Perflib_Perfdata_7c8.dat
- 2008-04-25 16:16 . 2010-05-07 03:05 80032 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2010-05-09 00:17 80032 c:\windows\system32\perfc009.dat
+ 2009-07-31 15:57 . 2010-05-09 00:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-07-31 15:57 . 2010-05-07 03:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-04-25 16:16 . 2010-05-07 03:05 466982 c:\windows\system32\perfh009.dat
+ 2008-04-25 16:16 . 2010-05-09 00:17 466982 c:\windows\system32\perfh009.dat
+ 2009-07-31 15:57 . 2010-05-09 00:27 131072 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 967960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 8:06 PM 117640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [7/25/2009 12:23 AM 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 4:00 AM 102448]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [7/25/2009 12:23 AM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [7/25/2009 12:23 AM 41760]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS --> c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NIS\1008000.029\BHDrvx86.sys --> c:\windows\system32\Drivers\NIS\1008000.029\BHDrvx86.sys [?]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NIS\1008000.029\ccHPx86.sys --> c:\windows\system32\Drivers\NIS\1008000.029\ccHPx86.sys [?]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSXpx86.sys [5/8/2010 8:46 AM 329592]
.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 20:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1336)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-05-08 20:32:22
ComboFix-quarantined-files.txt 2010-05-09 00:32
ComboFix2.txt 2010-05-09 00:25
ComboFix3.txt 2010-05-08 00:10
ComboFix4.txt 2010-05-07 03:06

Pre-Run: 215,574,908,928 bytes free
Post-Run: 215,561,793,536 bytes free

- - End Of File - - 8D4E46025737F007B8D9CFD6AE832310

********************************************************************************
*****************

TDSSKILL Log:

19:18:46:671 5540 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
19:18:46:671 5540 ================================================================================

19:18:46:671 5540 SystemInfo:

19:18:46:671 5540 OS Version: 5.1.2600 ServicePack: 3.0
19:18:46:671 5540 Product type: Workstation
19:18:46:671 5540 ComputerName: CRAIGS-LAPTOP
19:18:46:687 5540 UserName: Craig
19:18:46:687 5540 Windows directory: C:\WINDOWS
19:18:46:687 5540 Processor architecture: Intel x86
19:18:46:687 5540 Number of processors: 2
19:18:46:687 5540 Page size: 0x1000
19:18:46:687 5540 Boot type: Normal boot
19:18:46:687 5540 ================================================================================

19:18:46:687 5540 UnloadDriverW: NtUnloadDriver error 2
19:18:46:687 5540 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:18:46:718 5540 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
19:18:46:718 5540 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:18:46:718 5540 wfopen_ex: Trying to KLMD file open
19:18:46:718 5540 wfopen_ex: File opened ok (Flags 2)
19:18:46:718 5540 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
19:18:46:718 5540 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:18:46:718 5540 wfopen_ex: Trying to KLMD file open
19:18:46:718 5540 wfopen_ex: File opened ok (Flags 2)
19:18:46:718 5540 Initialize success
19:18:46:718 5540
19:18:46:718 5540 Scanning Services ...
19:18:46:937 5540 Raw services enum returned 358 services
19:18:46:953 5540
19:18:46:953 5540 Scanning Kernel memory ...
19:18:46:953 5540 Devices to scan: 3
19:18:46:953 5540
19:18:46:953 5540 Driver Name: Disk
19:18:46:953 5540 IRP_MJ_CREATE : BA0EEBB0
19:18:46:953 5540 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:18:46:953 5540 IRP_MJ_CLOSE : BA0EEBB0
19:18:46:953 5540 IRP_MJ_READ : BA0E8D1F
19:18:46:953 5540 IRP_MJ_WRITE : BA0E8D1F
19:18:46:953 5540 IRP_MJ_QUERY_INFORMATION : 804F4562
19:18:46:953 5540 IRP_MJ_SET_INFORMATION : 804F4562
19:18:46:953 5540 IRP_MJ_QUERY_EA : 804F4562
19:18:46:953 5540 IRP_MJ_SET_EA : 804F4562
19:18:46:953 5540 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
19:18:46:953 5540 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
19:18:46:953 5540 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
19:18:46:953 5540 IRP_MJ_DIRECTORY_CONTROL : 804F4562
19:18:46:953 5540 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
19:18:46:953 5540 IRP_MJ_DEVICE_CONTROL : BA0E93BB
19:18:46:953 5540 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
19:18:46:953 5540 IRP_MJ_SHUTDOWN : BA0E92E2
19:18:46:953 5540 IRP_MJ_LOCK_CONTROL : 804F4562
19:18:46:953 5540 IRP_MJ_CLEANUP : 804F4562
19:18:46:953 5540 IRP_MJ_CREATE_MAILSLOT : 804F4562
19:18:46:953 5540 IRP_MJ_QUERY_SECURITY : 804F4562
19:18:46:953 5540 IRP_MJ_SET_SECURITY : 804F4562
19:18:46:953 5540 IRP_MJ_POWER : BA0EAC82
19:18:46:953 5540 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
19:18:46:953 5540 IRP_MJ_DEVICE_CHANGE : 804F4562
19:18:46:953 5540 IRP_MJ_QUERY_QUOTA : 804F4562
19:18:46:953 5540 IRP_MJ_SET_QUOTA : 804F4562
19:18:46:968 5540 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
19:18:46:968 5540
19:18:46:968 5540 Driver Name: Disk
19:18:46:968 5540 IRP_MJ_CREATE : BA0EEBB0
19:18:46:968 5540 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:18:46:968 5540 IRP_MJ_CLOSE : BA0EEBB0
19:18:46:968 5540 IRP_MJ_READ : BA0E8D1F
19:18:46:968 5540 IRP_MJ_WRITE : BA0E8D1F
19:18:46:968 5540 IRP_MJ_QUERY_INFORMATION : 804F4562
19:18:46:968 5540 IRP_MJ_SET_INFORMATION : 804F4562
19:18:46:968 5540 IRP_MJ_QUERY_EA : 804F4562
19:18:46:968 5540 IRP_MJ_SET_EA : 804F4562
19:18:46:968 5540 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
19:18:46:968 5540 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
19:18:46:968 5540 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
19:18:46:968 5540 IRP_MJ_DIRECTORY_CONTROL : 804F4562
19:18:46:968 5540 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
19:18:46:968 5540 IRP_MJ_DEVICE_CONTROL : BA0E93BB
19:18:46:968 5540 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
19:18:46:968 5540 IRP_MJ_SHUTDOWN : BA0E92E2
19:18:46:968 5540 IRP_MJ_LOCK_CONTROL : 804F4562
19:18:46:968 5540 IRP_MJ_CLEANUP : 804F4562
19:18:46:968 5540 IRP_MJ_CREATE_MAILSLOT : 804F4562
19:18:46:968 5540 IRP_MJ_QUERY_SECURITY : 804F4562
19:18:46:968 5540 IRP_MJ_SET_SECURITY : 804F4562
19:18:46:968 5540 IRP_MJ_POWER : BA0EAC82
19:18:46:968 5540 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
19:18:46:968 5540 IRP_MJ_DEVICE_CHANGE : 804F4562
19:18:46:968 5540 IRP_MJ_QUERY_QUOTA : 804F4562
19:18:46:968 5540 IRP_MJ_SET_QUOTA : 804F4562
19:18:46:968 5540 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
19:18:46:968 5540
19:18:46:968 5540 Driver Name: iaStor
19:18:46:968 5540 IRP_MJ_CREATE : B9E8D468
19:18:46:968 5540 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:18:46:968 5540 IRP_MJ_CLOSE : B9E8D468
19:18:46:968 5540 IRP_MJ_READ : 804F4562
19:18:46:968 5540 IRP_MJ_WRITE : 804F4562
19:18:46:968 5540 IRP_MJ_QUERY_INFORMATION : 804F4562
19:18:46:968 5540 IRP_MJ_SET_INFORMATION : 804F4562
19:18:46:968 5540 IRP_MJ_QUERY_EA : 804F4562
19:18:46:968 5540 IRP_MJ_SET_EA : 804F4562
19:18:46:968 5540 IRP_MJ_FLUSH_BUFFERS : 804F4562
19:18:46:968 5540 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
19:18:46:968 5540 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
19:18:46:968 5540 IRP_MJ_DIRECTORY_CONTROL : 804F4562
19:18:46:968 5540 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
19:18:46:968 5540 IRP_MJ_DEVICE_CONTROL : B9E8A4D0
19:18:46:968 5540 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9E87464
19:18:46:968 5540 IRP_MJ_SHUTDOWN : 804F4562
19:18:46:968 5540 IRP_MJ_LOCK_CONTROL : 804F4562
19:18:46:968 5540 IRP_MJ_CLEANUP : 804F4562
19:18:46:968 5540 IRP_MJ_CREATE_MAILSLOT : 804F4562
19:18:46:968 5540 IRP_MJ_QUERY_SECURITY : 804F4562
19:18:46:968 5540 IRP_MJ_SET_SECURITY : 804F4562
19:18:46:968 5540 IRP_MJ_POWER : B9E826AE
19:18:46:968 5540 IRP_MJ_SYSTEM_CONTROL : B9E81964
19:18:46:968 5540 IRP_MJ_DEVICE_CHANGE : 804F4562
19:18:46:968 5540 IRP_MJ_QUERY_QUOTA : 804F4562
19:18:46:968 5540 IRP_MJ_SET_QUOTA : 804F4562
19:18:46:984 5540 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
19:18:46:984 5540
19:18:46:984 5540 Completed
19:18:46:984 5540
19:18:46:984 5540 Results:
19:18:46:984 5540 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:18:46:984 5540 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:18:46:984 5540 File objects infected / cured / cured on reboot: 0 / 0 / 0
19:18:46:984 5540
19:18:46:984 5540 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
19:18:46:984 5540 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
19:18:46:984 5540 KLMD(ARK) unloaded successfully

Sorry for the continued double posts, seems even though I let my response sit for 20-30 minutes, everything happens right after I hit submit:

New box up, reads:

Windows Internet Explorer

Your computer remains infected by viruses! They can cause data loss and file damages and need to be fixed as soon as possible. Return to Security Tool and download it to guard your PC
OK box Cancel box

Hello nexus_99,

I'M going to consult some of my colleagues here at B.C Want to see if they see something I'm not. Will be back with you as soon as possible.

Hi Fireman4it,

I appreciate everything, really, I do. Thank you so much.

Just thought I would clarify things for you:

The computer *seems* to be running fine. I can access the internet, packets aren't shooting out on a consistant basis where I know I'm infecting the world; programs appear to be responding normally; all my data seems to be intact.

Previously, I would get those pop-ups only when connected to the internet, but, regardless if I had a browser window open or not.

Since my last post, I've stayed connected to the internet, intermittently using the infected machine, and it has not popped up any more of those messages.

I apologize, I really am I computer neophyte, and wish I could be of more assistance. Overnight, I'll leave the machine on, browser open, connected to the internet, and see what I wake up to.

For what it's worth, Norton is still turned off (antivirus and antispyware). I don't know if there is anything else I can tell you that might help.

Again, thank you for your time!

Hi Fireman4it,

Sorry to be such a pest, but I just noticed something.

Since I've been doing this cleaning, I've been doing it with the sound muted on my machine. I had the sound on, and even when the computer is not connected to the internet, it makes the Internet Explorer 'click' sound, the same sound that is made when you refresh a page.

My computer also just made a doorbell-type sound at me - never heard it before - and yet nothing (during both the refresh clicking and the doorbell type noise) is showing on the screen.

I've also come to notice, now that I'm paying a bit closer attention, that the mouse cursor is getting the hourglass symbol beside it at random intervals, even though the computer is just sitting there not doing anything.

K, forget random. It's happening exactly every 50 seconds, the hourglass stays up for either 5 or 6 seconds, and then the indicator light to show data transferring on the network kicks on.

And now I've learned that the computer only makes that clicking/refresh noise if the internet connection is turned off (when the hourglass appears)

Call me paranoid, but does this mean something is taking my data and transferring it over the internet? Does this have anything to do with that Internet Explorer browser shortcut button which appeared on my desktop out of nowhere (and is still there?)

I've decided NOT to keep the internet connection live overnight; please let me know if any of this helps (of if it's simply the ramblings of a paranoid n00b)

Hello nexus_99,



To tell the truth I don't know either. I have consulted some other colleagues and we are gonna try some things to see if we can get this figured out. I would keep the machine disconnected from the internet till then. I also would delete that other IE icon on your desktop.

Has this message showed up anymore?


1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat




You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once fully booted

• Click on start
• select Run...
• enter "%userprofile%\Desktop\maxlook.exe" -sig and hit enter
• a blue window will open. Please make sure that you are connected to the internet while the blue window is open.
• Once it is finished a log file will open. Please save that log and post the content in your next reply.

If you do not have the run-command in your Start menu:
Please right click on your taskbar, select Properties, select the Start Menu tab, click on Customize and tick the Display Run checkbox and click OK.

Things to include in your next reply:
Combofix.txt
Maxlook log
Any redirects or popups?

Hello Fireman4it,

As always, many, many thanks!

I have not had any further pop-ups; then again, I haven't allowed that machine access to the internet. Re-directs stopped some time ago. I have also deleted the IE icon that popped up on the desktop (when I deleted it, it told me it was only a shortcut)

Combofix with your script has run; log posted below.

Installed MAXLOOK, ran it, when I tried to reboot in recovery console mode, BSOD. It read:

Technical Information: STOP 0x0000007B (0xF78D2524, 0xC0000034, 0x00000000, 0x00000000)

Rebooted, tried again, same error message

Tried to reboot normally, XP password screen (again, no password, never has been).

Reboot, back to normal.

So, do I re-run MAXLOOK - it says in the instructions to only do it once? But my machine has been rebooted about 5 times since running it?

And finally, I used the infected machine for pretty much a full day yesterday (offline only). It ran normally, no problems at all. So whatever is here, it has to do with connecting, and connection only. As long as I'm offline, no funny business has been happening.

And finally, finally Out of curiosity, I allowed the machine internet access (wireless). Without the IE icon, or perhaps without whatever you did in the combofix, I am not getting the click every 50 seconds; I'm not getting a connection and data transfer every 50 seconds - my computer is actually behaving normally.

******************************************************************

COMBOFIX Log:

ComboFix 10-05-06.01 - Craig 05/12/2010 14:07:57.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2600 [GMT -4:00]
Running from: c:\documents and settings\Craig\Desktop\ComboFix.exe
Command switches used :: e:\11111\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Craig\Local Settings\Application Data\fbbrylwpi
c:\documents and settings\Craig\Local Settings\Application Data\knmfnjivs
c:\documents and settings\Craig\Local Settings\Application Data\potqafkja

.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-10 23:45 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100510.022\CCERASER.DLL
2010-05-10 23:45 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100510.022\EECTRL.SYS
2010-05-10 23:45 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100510.022\ERASER.SYS
2010-05-10 17:12 . 2010-05-10 17:12 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-05-10 08:00 . 2010-05-10 08:00 85552 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100510.022\NAVENG.SYS
2010-05-10 08:00 . 2010-05-10 08:00 275824 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100510.022\ECMSVR32.DLL
2010-05-10 08:00 . 2010-05-10 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100510.022\NAVENG32.DLL
2010-05-10 08:00 . 2010-05-10 08:00 1697136 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100510.022\NAVEX32A.DLL
2010-05-10 08:00 . 2010-05-10 08:00 1347504 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100510.022\NAVEX15.SYS
2010-05-09 00:31 . 2010-05-09 00:31 4 ----a-w- c:\program files\1101406.dat
2010-05-09 00:30 . 2010-05-09 00:30 4 ----a-w- c:\program files\1064296.dat
2010-05-08 12:48 . 2010-05-08 12:48 -------- d-----w- c:\program files\ESET
2010-05-08 12:46 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSvix86.sys
2010-05-08 12:46 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSXpx86.sys
2010-05-08 12:46 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\Scxpx86.dll
2010-05-08 12:46 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSxpx86.dll
2010-05-08 12:46 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSviA64.sys
2010-05-08 12:45 . 2010-05-08 12:45 -------- d-----r- c:\program files\Norton Support
2010-05-07 03:11 . 2010-05-07 03:11 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\Symantec
2010-05-06 02:32 . 2010-05-08 12:17 -------- d-----w- C:\Malwarebytes' Anti-Malware
2010-05-06 02:16 . 2010-05-06 12:06 -------- d-----w- c:\program files\Panda Security
2010-05-06 01:47 . 2010-05-06 01:47 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Windows Search
2010-05-06 01:45 . 2010-05-06 01:47 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2010-05-05 23:43 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-05 23:43 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-05 23:42 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-05 23:42 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-04 01:03 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSvix86.sys
2010-05-04 01:03 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSXpx86.sys
2010-05-04 01:03 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\Scxpx86.dll
2010-05-04 01:03 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSxpx86.dll
2010-05-04 01:03 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSviA64.sys
2010-04-30 15:22 . 2010-04-30 15:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
2010-04-27 02:42 . 2010-02-12 22:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 00:48 . 2009-07-31 19:44 5892 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-05-08 00:04 . 2009-08-01 18:49 -------- d-----w- c:\program files\Winamp
2010-05-08 00:04 . 2009-08-01 16:23 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-05-08 00:04 . 2009-07-25 08:26 -------- d-----w- c:\program files\DellTPad
2010-05-06 13:08 . 2009-07-31 16:25 -------- d-----w- c:\program files\Google
2010-05-06 12:06 . 2009-12-30 17:35 -------- d-----w- c:\program files\Quick Hit
2010-04-29 19:39 . 2009-12-30 14:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-30 14:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 14:50 . 2009-08-01 18:46 -------- d-----w- c:\documents and settings\Craig\Application Data\LimeWire
2010-03-03 00:59 . 2010-03-03 00:59 544768 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Tools.Scripting.Client.dll
2010-03-03 00:59 . 2010-03-03 00:59 22016 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Tools.Scripting.Client_rc.dll
2010-03-03 00:58 . 2010-03-03 00:58 70920 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer_rc.dll
2010-03-03 00:58 . 2010-03-03 00:58 626440 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer.exe
2010-03-03 00:58 . 2010-03-03 00:57 599304 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Controller.exe
2010-03-03 00:57 . 2010-03-03 00:57 353544 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SoftwareUpdater.exe
2010-03-03 00:57 . 2010-03-03 00:57 632072 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\msvcr80.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-07_03.05.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-12 18:13 . 2010-05-12 18:13 16384 c:\windows\Temp\Perflib_Perfdata_3b4.dat
+ 2010-05-12 18:13 . 2010-05-12 18:13 16384 c:\windows\Temp\Perflib_Perfdata_390.dat
- 2008-04-25 16:16 . 2010-05-07 03:05 80032 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2010-05-09 19:44 80032 c:\windows\system32\perfc009.dat
- 2009-07-31 15:57 . 2010-05-07 03:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-05-09 00:32 . 2010-05-12 18:06 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-05-10 17:12 . 2010-05-10 17:12 21274 c:\windows\system32\config\systemprofile\Application Data\Adobe\Acrobat\9.0\UserCache.bin
- 2008-04-25 16:16 . 2010-05-07 03:05 466982 c:\windows\system32\perfh009.dat
+ 2008-04-25 16:16 . 2010-05-09 19:44 466982 c:\windows\system32\perfh009.dat
+ 2009-07-31 15:57 . 2010-05-12 18:06 163840 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 967960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 8:06 PM 117640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [7/25/2009 12:23 AM 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 4:00 AM 102448]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [7/25/2009 12:23 AM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [7/25/2009 12:23 AM 41760]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS --> c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NIS\1008000.029\BHDrvx86.sys --> c:\windows\system32\Drivers\NIS\1008000.029\BHDrvx86.sys [?]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NIS\1008000.029\ccHPx86.sys --> c:\windows\system32\Drivers\NIS\1008000.029\ccHPx86.sys [?]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSXpx86.sys [5/8/2010 8:46 AM 329592]
.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 14:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1340)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(960)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\system volume information\Whistler\svchost.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\system volume information\Whistler\smss.exe
c:\drivers\audio\r211990\stacsv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Windows Live\Toolbar\wltuser.exe
.
**************************************************************************
.
Completion time: 2010-05-12 14:15:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-12 18:15
ComboFix2.txt 2010-05-09 00:32
ComboFix3.txt 2010-05-09 00:25
ComboFix4.txt 2010-05-08 00:10
ComboFix5.txt 2010-05-12 18:07

Pre-Run: 215,470,063,616 bytes free
Post-Run: 215,599,173,632 bytes free

- - End Of File - - 10A352CC43E38EFF216AF1D05D5269F6

Hello nexus_99

It seems the Recovery console might have been corrupted let try to install it again.

1.
Lets remove maxlook then try to run it again
Got Start>Run the copy and paste the following command in the window and press ok
maxlook -cleanup

2.
Now let reinstall the Recovery console.
With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named.

---------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

• Drag the setup package onto ComboFix.exe and drop it.
  
• Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  
  
  
• At the next prompt, click 'Yes' to run the full ComboFix scan.
  
• When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt


3.
Now lets try Maxlook again:
Please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat




You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once fully booted

• Click on start
• select Run...
• enter "%userprofile%\Desktop\maxlook.exe" -sig and hit enter
• a blue window will open. Please make sure that you are connected to the internet while the blue window is open.
• Once it is finished a log file will open. Please save that log and post the content in your next reply.

If you do not have the run-command in your Start menu:
Please right click on your taskbar, select Properties, select the Start Menu tab, click on Customize and tick the Display Run checkbox and click OK.


Things to include in your next reply:
Combofix.txt
Maxlook log
How is your machine running now?

Fireman4it,

Before we go any further, why can I not turn of Norton?

I've set everything to be off permanently, yet it keeps coming back on. It's always updating, or giving me error messages - just now it gave me a message that it caught a virus in the system (gee, thanks) and had me remove it. I don't want it to keep coming up all the time, especially since I think it's a part of the problem.

One Touch Support, which I have NEVER seen in a full year on this machine, pops up about once every 15 minutes, and doesn't wait for me to select anything - it just starts doing it's own thing. And I have no idea how to turn this stuff off!!

Can I uninstall it, or will that mess things up further?

Thanks!

Hello,

Yes we can uninstall it. you can reinstall it when we are finished.



The following removal utility can be used to uninstall the program if the uninstall via Add/remove does not work:

• Download the Norton Removal Tool to your desktop.
• On the Windows desktop, double-click the Norton Removal Tool icon.
• Follow the on-screen instructions.
  Note:Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts

Norton should now be removed from your PC.


For illustrated instructions please refer to here:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding

With Regards,
fireman4it

Definately still here, will be following instructions and posting tonight.

Sorry for the delays of my replies lately!

ok

Hello Fireman4it,

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!

Downloaded the recovery link. Dragged and dropped to ComboFix. It was out of date, had to update it. Updated ComboFix. Drag and dropped. Ran to Stage 50. Blue screen of death - IRQ_NOT_LESS_OR_EQUAL_THAN. On reboot, got the the 'Your system has recovered from a serious error' message, saved the message and posted below.

Re-ran ComboFix. Logs posted below. No message popped up to tell me that the recovery console was successfully installed, didn't ask me to scan further.

And...that internet explorer icon re-appeared on the desktop underneath the ComboFix icon.

Ran Maxlook, rebooted to Windows Recovery Console...wait for it...

Blue. Screen. Of. Death.

Tried again for the hell of it (what can I say? I don't think it matters anymore) - you'll never guess what happened, but it ryhmes with 'True spleen of Beth'

I apologize, as you can tell, I'm quite frustrated with my machine - not at you at all. I thought a few days off might help, but it's just as agonizing as it was when I took a break a couple days ago.

As always, a thousand thank yous for all of your hard work and efforts. Sorry I'm such a pain!

**********************************************************
ERROR LOG:

The system has recovered from a serious error.


Error signature

BCCode : 100000d1 BCP1 : E492F000 BCP2 : 0000001C BCP3 : 00000001
BCP4 : B1F6B41D OSVer : 5_1_2600 SP : 3_0 Product : 256_1



To view technical information about the error report, click here shows me:

Error Report Contents

The following files will be included in this error report:

C:\DOCUME~1\Craig\LOCALS~1\Temp\WER80ff.dir00\Mini051710-01.dmp
C:\DOCUME~1\Craig\LOCALS~1\Temp\WER80ff.dir00\sysdata.xml

*************************************************************************
ComboFix 10-05-16.02 - Craig 05/17/2010 9:42.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2631 [GMT -4:00]
Running from: c:\documents and settings\Craig\Desktop\ComboFix.exe
Command switches used :: e:\11111\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\st326147.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.

2010-05-10 17:12 . 2010-05-10 17:12 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-05-09 00:31 . 2010-05-09 00:31 4 ----a-w- c:\program files\1101406.dat
2010-05-09 00:30 . 2010-05-09 00:30 4 ----a-w- c:\program files\1064296.dat
2010-05-08 12:48 . 2010-05-08 12:48 -------- d-----w- c:\program files\ESET
2010-05-08 12:45 . 2010-05-08 12:45 -------- d-----r- c:\program files\Norton Support
2010-05-07 03:11 . 2010-05-07 03:11 -------- d-----w- c:\documents and settings\Craig\Local Settings\Application Data\Symantec
2010-05-06 02:32 . 2010-05-08 12:17 -------- d-----w- C:\Malwarebytes' Anti-Malware
2010-05-06 02:16 . 2010-05-06 12:06 -------- d-----w- c:\program files\Panda Security
2010-05-06 01:45 . 2010-05-06 01:47 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2010-05-05 23:43 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-05 23:43 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-05 23:42 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-05 23:42 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-30 15:22 . 2010-04-30 15:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 02:20 . 2009-07-31 19:44 5892 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-05-08 00:04 . 2009-08-01 18:49 -------- d-----w- c:\program files\Winamp
2010-05-08 00:04 . 2009-08-01 16:23 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-05-08 00:04 . 2009-07-25 08:26 -------- d-----w- c:\program files\DellTPad
2010-05-06 13:08 . 2009-07-31 16:25 -------- d-----w- c:\program files\Google
2010-05-06 12:06 . 2009-12-30 17:35 -------- d-----w- c:\program files\Quick Hit
2010-04-29 19:39 . 2009-12-30 14:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-30 14:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 14:50 . 2009-08-01 18:46 -------- d-----w- c:\documents and settings\Craig\Application Data\LimeWire
2010-03-03 00:59 . 2010-03-03 00:59 544768 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Tools.Scripting.Client.dll
2010-03-03 00:59 . 2010-03-03 00:59 22016 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Tools.Scripting.Client_rc.dll
2010-03-03 00:58 . 2010-03-03 00:58 70920 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer_rc.dll
2010-03-03 00:58 . 2010-03-03 00:58 626440 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer.exe
2010-03-03 00:58 . 2010-03-03 00:57 599304 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Controller.exe
2010-03-03 00:57 . 2010-03-03 00:57 353544 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SoftwareUpdater.exe
2010-03-03 00:57 . 2010-03-03 00:57 632072 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\msvcr80.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-07_03.05.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-17 13:38 . 2010-05-17 13:38 16384 c:\windows\Temp\Perflib_Perfdata_3a0.dat
+ 2010-05-17 13:38 . 2010-05-17 13:38 16384 c:\windows\Temp\Perflib_Perfdata_378.dat
- 2008-04-25 16:16 . 2010-05-07 03:05 80032 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2010-05-09 19:44 80032 c:\windows\system32\perfc009.dat
- 2009-07-31 15:57 . 2010-05-07 03:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-05-09 00:32 . 2010-05-17 13:41 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-05-10 17:12 . 2010-05-10 17:12 21274 c:\windows\system32\config\systemprofile\Application Data\Adobe\Acrobat\9.0\UserCache.bin
- 2008-04-25 16:16 . 2010-05-07 03:05 466982 c:\windows\system32\perfh009.dat
+ 2008-04-25 16:16 . 2010-05-09 19:44 466982 c:\windows\system32\perfh009.dat
+ 2009-07-31 15:57 . 2010-05-17 13:41 163840 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 967960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 8:06 PM 117640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [7/25/2009 12:23 AM 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 4:00 AM 102448]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [7/25/2009 12:23 AM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [7/25/2009 12:23 AM 41760]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS --> c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NIS\1008000.029\BHDrvx86.sys --> c:\windows\system32\Drivers\NIS\1008000.029\BHDrvx86.sys [?]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NIS\1008000.029\ccHPx86.sys --> c:\windows\system32\Drivers\NIS\1008000.029\ccHPx86.sys [?]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSXpx86.sys [5/8/2010 8:46 AM 329592]
.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 09:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1332)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-05-17 09:45:55
ComboFix-quarantined-files.txt 2010-05-17 13:45
ComboFix2.txt 2010-05-12 18:15
ComboFix3.txt 2010-05-09 00:32
ComboFix4.txt 2010-05-09 00:25
ComboFix5.txt 2010-05-17 13:33

Pre-Run: 215,613,562,880 bytes free
Post-Run: 215,572,348,928 bytes free

- - End Of File - - 845AB497F81D8CD2CF649A6338608C4E

My apologies! Posted to the wrong topic.

Hello

How to make a Recovery Console cd

Please download the Recovery Console Bootable CD iso
Unzip the file and user your favourite burning application to burn the iso to a CD. Note, this is not the same as just burning the iso file on a CD.

• Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  
  
• If your PC is not booting from the CD, you need to change the boot order:
  • Restart your PC
  • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
  • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
  • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
  • The tab should now show your current boot order.
    If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
  • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
• Your PC should now boot from your CD.
  Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  
  
• When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  
  
• When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
  
  
• A command prompt will open

Once in Recovery Console, please type batch look.bat and hit enter.



You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once fully booted

• Click on start
• select Run...
• enter "%userprofile%\Desktop\maxlook.exe" -sig and hit enter
• a blue window will open. Please make sure that you are connected to the internet while the blue window is open.
• Once it is finished a log file will open. Please save that log and post the content in your next reply.

If you do not have the run-command in your Start menu:
Please right click on your taskbar, select Properties, select the Start Menu tab, click on Customize and tick the Display Run checkbox and click OK.