TechSpot

Yet another Google redirect problem

By PalazzoTom
Jun 25, 2011
    Hi folks,

    I am working on my daughter's laptop after she told me about the redirect problem. I found she had no virus or malware protection. I loaded and ran Norton, MS Essentials, Spy Doctor, and MalwareBytes without any improvement.

    Following are the logs from MBAM, GMER, and DDS. I will stand by awaiting your sage instructions.

    Many thanks to those of you that freely give of your time and expertise.

    Tom



    ******************************

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6923

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    6/22/2011 5:21:00 PM
    mbam-log-2011-06-22 (17-21-00).txt

    Scan type: Quick scan
    Objects scanned: 180486
    Time elapsed: 11 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Value: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Value: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\program files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)

    **********************

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-24 23:16:00
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 rev.
    Running: 2u1i9kwk.exe; Driver: C:\DOCUME~1\Christy\LOCALS~1\Temp\fflyapod.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:124] 8A145E7A
    Thread System [4:128] 8A148008

    ---- EOF - GMER 1.0.15 ----


    ******************************

    .DDS.txt


    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
    Run by Christy at 23:34:55 on 2011-06-24
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1262.462 [GMT -7:00]
    .
    AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Security Suite *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SFT\GuardedID\gidd.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Constant Guard Protection Suite\IDVault.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
    C:\Program Files\PC Tools Security\pctsAuxs.exe
    C:\Program Files\PC Tools Security\pctsSvc.exe
    C:\Program Files\PC Tools Security\pctsGui.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://my.yahoo.com
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
    uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
    uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    mSearch Page =
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uURLSearchHooks: H - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
    BHO: Constant Guard Protection Suite (COM): {b84cdbe7-1b46-494b-a188-01d4c52deb61} - c:\program files\constant guard protection suite\NativeBHO.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Google Update] "c:\documents and settings\christy\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [<NO NAME>]
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [GIDDesktop] c:\program files\sft\guardedid\gidd.exe /s
    mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\consta~1.lnk - c:\program files\constant guard protection suite\IDVault.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Open Link Target in Firefox - file://c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewlink.html
    IE: View This Page in Firefox - file://c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewpage.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1308685415186
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: GIDLogonXP - GIDLogonXP.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - c:\program files\sft\guardedid\gidi.exe /v
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://sfgate.com/
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\ipsffplgn\components\IPSFFPl.dll
    FF - component: c:\documents and settings\all users\application data\white sky, inc\id vault\xpcom3\components\IdVault.XPCOM3.dll
    FF - component: c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
    FF - plugin: c:\documents and settings\christy\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\christy\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\christy\application data\mozilla\plugins\npPxPlay.dll
    FF - plugin: c:\documents and settings\christy\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Calculator: {AA052FD6-366A-4771-A591-0D8DC551585D} - %profile%\extensions\{AA052FD6-366A-4771-A591-0D8DC551585D}
    FF - Ext: ViewInFirefox: {5D558C43-550F-4b12-84AB-0D8ABDA9F975} - %profile%\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}
    FF - Ext: FormFox: formfox@daniel.steinbrook - %profile%\extensions\formfox@daniel.steinbrook
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
    FF - Ext: CuteMenus - Crystal SVG: {63df8e21-711c-4074-a257-b065cadc28d8} - %profile%\extensions\{63df8e21-711c-4074-a257-b065cadc28d8}
    FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
    FF - Ext: CacheIt!: {98449521-9320-4257-aa35-9e1a39c8cbe0} - %profile%\extensions\{98449521-9320-4257-aa35-9e1a39c8cbe0}
    FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
    FF - Ext: Red Cats (green flavor): {dd30bf68-268a-4815-ad48-8740b774c764} - %profile%\extensions\{dd30bf68-268a-4815-ad48-8740b774c764}
    FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\IPSFFPlgn
    FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coFFPlgn
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-6-24 239168]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-6-24 338880]
    R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-6-24 656320]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-6-24 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-6-24 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20110616.003\BHDrvx86.sys [2011-6-16 810616]
    R1 GIDv2;GIDv2;c:\windows\system32\drivers\gidv2.sys [2011-6-23 25232]
    R1 MpKslf514b9da;MpKslf514b9da;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1061d659-ded2-4ac1-aa5a-4afac5295556}\mpkslf514b9da.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1061d659-ded2-4ac1-aa5a-4afac5295556}\MpKslf514b9da.sys [?]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-6-24 136312]
    R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.1.0.29\ccsvchst.exe [2011-6-24 130008]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-6-24 366840]
    R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-6-24 1150936]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-6-24 105592]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20110624.050\IDSXpx86.sys [2011-6-24 355256]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110624.020\NAVENG.SYS [2011-6-24 86008]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110624.020\NAVEX15.SYS [2011-6-24 1542392]
    S1 MpKslb4c78394;MpKslb4c78394;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be32b7a2-c83d-4f12-a229-56ffec5525da}\mpkslb4c78394.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be32b7a2-c83d-4f12-a229-56ffec5525da}\MpKslb4c78394.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 136176]
    S2 IDVaultSvc;CGPS Service;c:\program files\constant guard protection suite\IDVaultSvc.exe [2011-6-14 60488]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-22 366640]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 136176]
    S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-06-25 06:11:54 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-06-25 01:43:23 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
    2011-06-25 01:43:22 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2011-06-25 01:43:11 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2011-06-25 01:42:48 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2011-06-25 01:42:48 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2011-06-25 01:41:28 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2011-06-25 01:39:48 -------- d-----w- c:\program files\common files\PC Tools
    2011-06-25 01:39:47 -------- d-----w- c:\program files\PC Tools Security
    2011-06-25 01:39:47 -------- d-----w- c:\documents and settings\christy\application data\PC Tools
    2011-06-25 01:39:47 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
    2011-06-24 16:51:46 369784 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdi.sys
    2011-06-24 16:51:46 331384 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys
    2011-06-24 16:51:46 296568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symnets.sys
    2011-06-24 16:51:45 744568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symefa.sys
    2011-06-24 16:51:45 340088 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symds.sys
    2011-06-24 16:51:44 516216 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys
    2011-06-24 16:51:44 50168 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys
    2011-06-24 16:51:44 136312 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys
    2011-06-24 16:50:39 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D
    2011-06-24 16:42:50 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-06-24 16:42:50 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-06-24 16:42:49 -------- d-----w- c:\program files\Symantec
    2011-06-24 16:42:49 -------- d-----w- c:\program files\common files\Symantec Shared
    2011-06-24 16:41:46 -------- d-----w- c:\windows\system32\drivers\N360
    2011-06-24 16:41:42 -------- d-----w- c:\program files\Norton Security Suite
    2011-06-24 06:32:54 -------- d-----w- c:\program files\NortonInstaller
    2011-06-24 06:32:54 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
    2011-06-24 06:23:02 -------- d-----w- c:\documents and settings\all users\application data\Norton
    2011-06-24 05:55:20 -------- d-----w- c:\documents and settings\all users\application data\IsolatedStorage
    2011-06-24 05:55:11 -------- d-----w- c:\documents and settings\christy\local settings\application data\ID Vault
    2011-06-24 05:54:03 87624 ----a-w- c:\program files\mozilla firefox\IdVaultCore.XmlSerializers.dll
    2011-06-24 05:54:03 8007680 ----a-w- c:\program files\mozilla firefox\Microsoft.mshtml.dll
    2011-06-24 05:54:03 1590856 ----a-w- c:\program files\mozilla firefox\IdVaultCore.dll
    2011-06-24 05:54:03 129608 ----a-w- c:\program files\mozilla firefox\CommonDotNET.dll
    2011-06-24 05:53:54 -------- d-----w- c:\documents and settings\christy\application data\ID Vault
    2011-06-24 05:53:37 25232 ------w- c:\windows\system32\drivers\gidv2.sys
    2011-06-24 05:53:18 -------- d-----w- c:\documents and settings\all users\GID
    2011-06-24 05:53:09 -------- d-----w- c:\program files\SFT
    2011-06-24 05:52:36 -------- d-----w- c:\program files\Constant Guard Protection Suite
    2011-06-24 05:46:08 -------- d-----w- c:\windows\system32\XPSViewer
    2011-06-24 05:44:44 27648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-06-24 05:44:17 14048 ------w- c:\windows\system32\spmsg2.dll
    2011-06-23 17:22:29 -------- d-----w- c:\documents and settings\all users\application data\White Sky, Inc
    2011-06-23 00:06:25 -------- d-----w- c:\documents and settings\christy\application data\Malwarebytes
    2011-06-23 00:05:03 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-23 00:05:01 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-06-23 00:04:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-22 18:56:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-06-22 11:57:20 274288 ----a-w- c:\windows\system32\mucltui.dll
    2011-06-22 11:57:20 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2011-06-21 16:54:36 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-06-21 16:35:18 105472 ------w- c:\windows\system32\dllcache\mup.sys
    2011-06-08 04:42:42 -------- d-----w- c:\program files\iPod
    2011-06-08 04:42:37 -------- d-----w- c:\program files\iTunes
    2011-06-08 04:36:12 -------- d-----w- c:\program files\Bonjour
    2011-06-07 21:25:36 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-06-07 21:25:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-07 21:11:27 -------- d-----w- c:\documents and settings\christy\application data\MSNInstaller
    2011-06-07 17:57:50 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-06-07 17:57:50 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    ==================== Find3M ====================
    .
    2011-06-21 20:50:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-10 15:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-05-10 15:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-05-04 09:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 15:51:58 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 15:51:57 78336 ---ha-w- c:\windows\system32\ieencode.dll
    2011-04-25 15:51:57 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 15:51:57 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-04-25 12:01:21 389120 ---ha-w- c:\windows\system32\html.iec
    2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    2011-04-06 23:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 23:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600
    .
    CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
    device: opened successfully
    user: error reading MBR
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A1411ED]<<
    _asm { PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x8]; CMP DWORD [EAX+0x2c], 0x7; PUSH EBX; MOV EBX, [EBP+0xc]; PUSH ESI; PUSH EDI; MOV EDI, [EBX+0x60]; JNZ 0xf7; MOV ESI, [EDI+0x4]; MOV EAX, [ESI+0xc]; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A1CF4F8]
    3 CLASSPNP[0xF76B7FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\000000ab[0x8A1FC9E8]
    5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8A1ED940]
    kernel: MBR read successfully
    _asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
    detected disk devices:
    detected hooks:
    \Driver\atapi -> 0x8a1411ed
    user != kernel MBR !!!
    Warning: possible MBR rootkit infection !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
    .
    ============= FINISH: 23:35:55.07 ===============

    *************************

    Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/7/2005 9:30:11 PM
    System Uptime: 6/24/2011 6:21:45 PM (5 hours ago)
    .
    Motherboard: DELL SYSTEM | | Inspiron 700m
    Processor: Intel(R) Pentium(R) M processor 1.60GHz | U1 | 598/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 34 GiB total, 6.397 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1007: 6/21/2011 12:58:50 PM - Software Distribution Service 3.0
    RP1008: 6/21/2011 6:37:10 PM - Removed Java(TM) 6 Update 7
    RP1009: 6/22/2011 10:49:03 AM - Software Distribution Service 3.0
    RP1010: 6/23/2011 11:26:33 AM - Software Distribution Service 3.0
    RP1011: 6/23/2011 10:44:17 PM - Installed %1 %2.
    RP1012: 6/23/2011 10:44:34 PM - Printer Driver Microsoft XPS Document Writer Installed
    RP1013: 6/24/2011 12:37:17 PM - Software Distribution Service 3.0
    RP1014: 6/24/2011 1:42:09 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Amazon MP3 Downloader 1.0.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Banctec Service Agreement
    Bonjour
    Broadcom Management Programs
    Conexant D480 MDC V.9x Modem
    Constant Guard Protection Suite
    Critical Update for Windows Media Player 11 (KB959772)
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Media Experience
    Dell Media Experience Update
    Dell Networking Guide
    Dell Picture Studio v3.0
    Dell System Restore
    Dell Wireless WLAN Utility
    DellSupport
    Digital Line Detect
    Foxit PDF Editor
    Foxit Reader
    FoxyTunes for Firefox
    Google Talk Plugin
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    GuardedID
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Extreme Graphics 2 Driver
    Internet Explorer Default Page
    iTunes
    Jasc Paint Shop Photo Album 5
    Jasc Paint Shop Pro Studio, Dell Editon
    Java Auto Updater
    Java(TM) 6 Update 26
    Learn2 Player (Uninstall Only)
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 3.0
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    MobileMe Control Panel
    Mozilla Firefox (3.6.18)
    MSN Music Assistant
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB925673)
    My Way Search Assistant
    NetWaiting
    Norton Security Suite
    PCIxx20
    Photo Click
    PowerDVD 5.1
    QuickTime
    RealPlayer Basic
    SCRABBLE
    Scrabble (remove only)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB2497640)
    Security Update for Windows Internet Explorer 7 (KB2530548)
    Security Update for Windows Internet Explorer 7 (KB2544521)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Skype Toolbars
    Skype™ 5.1
    Spybot - Search & Destroy
    Spyware Doctor with AntiVirus 8.0
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx20 drivers.
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Communication Foundation
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Workflow Foundation
    Windows XP Service Pack 3
    WordPerfect Office 12
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/24/2011 6:23:56 PM, error: Service Control Manager [7000] - The CGPS Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/24/2011 6:23:55 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the CGPS Service service to connect.
    6/24/2011 6:22:56 PM, error: Dhcp [1002] - The IP address lease 192.168.0.139 for the Network Card with network address 000B7D16E4AA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    6/24/2011 10:05:15 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer TOM-LAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C5618145-AC2E-462. The master browser is stopping or an election is being forced.
    6/23/2011 9:53:27 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
    6/23/2011 9:50:51 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    6/23/2011 12:37:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ALG with arguments "" in order to run the server: {D6015EC3-FA16-4813-9CA1-DA204574F5DA}
    6/23/2011 12:36:52 PM, error: Tcpip [4198] - The system detected an address conflict for IP address 192.168.0.1 with the system having network hardware address 00:1B:11:4B:83:21. The local interface has been disabled.
    6/22/2011 5:25:29 PM, error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
    6/22/2011 5:25:29 PM, error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
    6/21/2011 12:33:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    6/21/2011 12:04:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
    6/21/2011 12:03:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
    6/21/2011 12:01:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    6/21/2011 12:00:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good Morning and welcome to TechSpot! I'll help with the malware.

    Edit: Please go to Add/Remove Programs and uninstall My Way Search Assistant. Then right click on the Taskbar> Explore> My Computer> Double click on Local Drive(C)> Programs> Look for the Program folder for My Way Search Assistant and do a right click> Delete.

    There appears to be a rootkit infection so please do the following:
    Please download MBRCheck and save to your desktop
    • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      [o] Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      [o] Found non-standard or infected MBR.
      [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Paste this log to your next message.
    =========================================
    When you have finished with the scan above, please go on to the following:
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Please leave both logs in your next reply.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
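    As an added example (not code from this thread, from MBRCheck, or from the helper), a small Python triage script for the MBRCheck log layout described above: it reads the "Kernel Drivers" and "Processes" sections, checks each header's declared total against the lines actually listed, flags drivers loaded from a user profile or Temp directory, and flags processes whose image path MBRCheck could not resolve. The function names are mine, the sample log is constructed to mirror the format (user name and Temp driver names are placeholders), and the assumption that the status line appears in the saved log is mine.

```python
"""Triage an MBRCheck log: parse its sections and flag items worth a closer look."""
import re

# Status lines quoted in the MBRCheck instructions above.
CLEAN_MARKER = "[o] Done! Press ENTER to exit..."
INFECTED_MARKER = "[o] Found non-standard or infected MBR."

_DRIVER_HDR = re.compile(r"^Kernel Drivers \(total (\d+)\):")
_PROCESS_HDR = re.compile(r"^Processes \(total (\d+)\):")
_DRIVER_LINE = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(\S.*)$")   # "0xADDR  image path"
_PROCESS_LINE = re.compile(r"^(\d+)\s+(\S.*)$")              # "PID  image path"
# A driver image under a user's profile (not "All Users") or under any Temp directory.
_USER_PATH = re.compile(r"\\(DOCUME~1|Documents and Settings)\\(?!All Users\\)|\\Temp\\", re.I)


def parse_mbrcheck(text: str) -> dict:
    """Return the MBR status, declared section totals, driver paths and (pid, image) pairs."""
    report = {"mbr_status": "unknown", "declared": {}, "drivers": [], "processes": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == INFECTED_MARKER:
            report["mbr_status"] = "infected"
            continue
        if line == CLEAN_MARKER:
            if report["mbr_status"] == "unknown":
                report["mbr_status"] = "clean"
            continue
        m = _DRIVER_HDR.match(line)
        if m:
            section = "drivers"
            report["declared"]["drivers"] = int(m.group(1))
            continue
        m = _PROCESS_HDR.match(line)
        if m:
            section = "processes"
            report["declared"]["processes"] = int(m.group(1))
            continue
        if section == "drivers":
            m = _DRIVER_LINE.match(line)
            if m:
                report["drivers"].append(m.group(1))
        elif section == "processes":
            m = _PROCESS_LINE.match(line)
            if m:
                report["processes"].append((int(m.group(1)), m.group(2)))
    return report


def triage(report: dict) -> list:
    """List review items: infected MBR, short sections, odd driver locations, unresolved images."""
    findings = []
    if report["mbr_status"] == "infected":
        findings.append("MBR: non-standard or infected MBR reported")
    for kind in ("drivers", "processes"):
        declared = report["declared"].get(kind)
        listed = len(report[kind])
        if declared is not None and declared != listed:
            findings.append(f"{kind}: header declares {declared} entries, {listed} listed (truncated log?)")
    for path in report["drivers"]:
        # A driver under a user profile or Temp is a review item, not a verdict:
        # anti-rootkit scanners load their own temporary drivers from exactly such paths.
        if _USER_PATH.search(path):
            findings.append(f"driver loaded from a user profile/Temp path: {path}")
    for pid, image in report["processes"]:
        # PIDs 0 and 4 (System Idle Process, System) never carry a path; for anything
        # else a bare image name means MBRCheck could not open the process.
        if pid not in (0, 4) and "\\" not in image:
            findings.append(f"process {pid} ({image}): image path not resolved")
    return findings


# Constructed sample in the MBRCheck layout shown in this thread (placeholder names);
# the process total is deliberately one higher than the lines listed to exercise the check.
SAMPLE_LOG = r"""MBRCheck, version 1.2.3
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)

Kernel Drivers (total 4):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0xF75A8000 ACPI.sys
0xA50BD000 \??\C:\DOCUME~1\someuser\LOCALS~1\Temp\example01.sys
0xA96A7000 \??\C:\DOCUME~1\someuser\LOCALS~1\Temp\mbr.sys

Processes (total 5):
0 System Idle Process
4 System
920 csrss.exe
948 C:\WINDOWS\SYSTEM32\winlogon.exe

[o] Found non-standard or infected MBR.
"""

if __name__ == "__main__":
    for item in triage(parse_mbrcheck(SAMPLE_LOG)):
        print("-", item)
```

    Compare any flagged Temp driver against the scanners that were running when the log was taken before treating it as suspicious.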
     
  3. PalazzoTom

    PalazzoTom TS Rookie Topic Starter

    Thank you Bobbye.

    I see the "My Search Assistant" in the DDS log as did you, however it does not appear in the Add/Delete Programs or Program Files.

    As per the instructions I have not moved to the next step. Will await your direction.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay to go on to the MBR scan, followed by Combofix. I should be able to remove MySearchAssistant with a script I'll have you run through Combofix. She had the My WebSearch malware entries that were removed in Mbam.

    You might want to pass on to her that she should avoid the Fun Web Products and related sites. Users go to that site to get 'cute' cursors, wallpaper, screen savers, Smileys, etc. But all that free stuff comes with a price of malware to their systems. If you notice any of the following in All Programs or Add/Remove Programs, okay to remove:
    I'll have you run HijackThis at the end to make sure we've removed all bad entries.
     
  5. PalazzoTom

    PalazzoTom TS Rookie Topic Starter

    Below are the MBR and Combo fix logs.

    A couple of things to be aware of:

    I had taken the PC off-line during Combofix and was unable to successfully complete the install of the recovery console.

    When attempting to start Firefox following the reboot, an error message appeared regarding "unable to load C++ file" (I didn't write it down). Firefox opened normally. Attempting to type produced characters different from the keys being pressed. This resolved itself after another reboot.

    Logs:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 192):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EF000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF75A8000 ACPI.sys
    0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7597000 pci.sys
    0xF75F7000 isapnp.sys
    0xF789B000 compbatt.sys
    0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF798B000 cmdide.sys
    0xF798D000 aliide.sys
    0xF798F000 toside.sys
    0xF7991000 viaide.sys
    0xF7993000 intelide.sys
    0xF74D9000 pcmcia.sys
    0xF7607000 MountMgr.sys
    0xF74BA000 ftdisk.sys
    0xF7494000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF78A3000 ACPIEC.sys
    0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF7617000 VolSnap.sys
    0xF78A7000 cpqarray.sys
    0xF747C000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF7464000 atapi.sys
    0xF78AB000 aha154x.sys
    0xF7717000 sparrow.sys
    0xF78AF000 symc810.sys
    0xF7627000 aic78xx.sys
    0xF78B3000 dac960nt.sys
    0xF7637000 ql10wnt.sys
    0xF78B7000 amsint.sys
    0xF771F000 asc.sys
    0xF78BB000 asc3550.sys
    0xF7727000 mraid35x.sys
    0xF772F000 i2omp.sys
    0xF78BF000 ini910u.sys
    0xF7647000 ql1240.sys
    0xF7657000 aic78u2.sys
    0xF7737000 symc8xx.sys
    0xF773F000 sym_hi.sys
    0xF7747000 sym_u3.sys
    0xF774F000 ABP480N5.SYS
    0xF7757000 asc3350p.sys
    0xF7995000 cd20xrnt.sys
    0xF7667000 ultra.sys
    0xF786E000 adpu160m.sys
    0xF775F000 dpti2o.sys
    0xF7677000 ql1080.sys
    0xF7687000 ql1280.sys
    0xF7697000 ql12160.sys
    0xF7767000 perc2.sys
    0xF7997000 perc2hib.sys
    0xF776F000 hpn.sys
    0xF78C3000 cbidf2k.sys
    0xF7842000 dac2w2k.sys
    0xF76A7000 disk.sys
    0xF76B7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7967000 fltmgr.sys
    0xF7B88000 SYMDS.SYS
    0xF7830000 sr.sys
    0xF7ACD000 SYMEFA.SYS
    0xF7777000 PxHelp20.sys
    0xF7950000 KSecDD.sys
    0xBA773000 Ntfs.sys
    0xBA746000 NDIS.sys
    0xF76C7000 sisagp.sys
    0xF76D7000 viaagp.sys
    0xF76E7000 ohci1394.sys
    0xF76F7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xBA68C000 Mup.sys
    0xF7587000 agp440.sys
    0xF7577000 alim1541.sys
    0xF7567000 amdagp.sys
    0xF7557000 agpCPQ.sys
    0xF7527000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xBA716000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xBA5E7000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xB9342000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
    0xB932E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB9606000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB930A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xB95FE000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB92BD000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
    0xB92AC000 \SystemRoot\system32\drivers\tifm.sys
    0xBA706000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
    0xB9298000 \SystemRoot\system32\DRIVERS\parport.sys
    0xBA6F6000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xB95F6000 \SystemRoot\System32\Drivers\GIDv2.SYS
    0xB95EE000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB926B000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF79E9000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB95E6000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA6E6000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA1FE000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA1EE000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB9248000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB95DE000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xB9207000 \SystemRoot\system32\drivers\stac97.sys
    0xB91E3000 \SystemRoot\system32\drivers\portcls.sys
    0xBA1DE000 \SystemRoot\system32\drivers\drmk.sys
    0xB91B2000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
    0xB90B3000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
    0xB900D000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xB95D6000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF7A88000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA1CE000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA5E3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8FF6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA1BE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA1AE000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xB95CE000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8FE5000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA19E000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xB95C6000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xB95BE000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB8FB5000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA18E000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF79EF000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8F57000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA56A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF77D7000 \SystemRoot\system32\DRIVERS\omci.sys
    0xBA17E000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA6B6000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA607000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xAC516000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB0278000 \SystemRoot\System32\Drivers\Null.SYS
    0xAC57E000 \SystemRoot\System32\Drivers\Beep.SYS
    0xA83D6000 \SystemRoot\System32\drivers\vga.sys
    0xAC50C000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xAC580000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xA83CE000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xA83C6000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xAFDEA000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA70ED000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA7094000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA703B000 \SystemRoot\System32\Drivers\N360\0501000.01D\SYMTDI.SYS
    0xA7015000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xA86D8000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xA6FEF000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    0xA86C8000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xA6F6D000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xA6F4B000 \SystemRoot\System32\drivers\afd.sys
    0xA7EAC000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA6F27000 \SystemRoot\system32\drivers\N360\0501000.01D\Ironx86.SYS
    0xA7E5C000 \SystemRoot\system32\drivers\N360\0501000.01D\SRTSPX.SYS
    0xA6EFC000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA6E8C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA592000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1061D659-DED2-4AC1-AA5A-4AFAC5295556}\MpKslf514b9da.sys
    0xA7E1C000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA6E2E000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xA6E10000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0xA6D46000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110616.003\BHDrvx86.sys
    0xABB54000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA6D2E000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79F1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xBA5EF000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7807000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xB027D000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF020000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
    0xBF05E000 \SystemRoot\System32\ialmdd5.DLL
    0xBF119000 \SystemRoot\System32\ATMFD.DLL
    0xAC542000 \SystemRoot\system32\DRIVERS\mdc8021x.sys
    0xA8B40000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA6BB1000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA8F43000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA6A96000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF79D3000 \SystemRoot\System32\Drivers\ASCTRM.SYS
    0xA83F0000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
    0xA6A82000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA68D6000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA6255000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA6014000 \SystemRoot\System32\Drivers\N360\0501000.01D\SRTSP.SYS
    0xA58DF000 \SystemRoot\system32\drivers\pctDS.sys
    0xA583A000 \SystemRoot\system32\drivers\pctEFA.sys
    0xA57FD000 \SystemRoot\system32\drivers\PCTCore.sys
    0xA5E51000 \??\C:\Program Files\PC Tools Security\PCTSDInj32.sys
    0xA54FD000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110624.050\IDSxpx86.sys
    0xA50BD000 \??\C:\DOCUME~1\Christy\LOCALS~1\Temp\fflyapod.sys
    0xA96A7000 \??\C:\DOCUME~1\Christy\LOCALS~1\Temp\mbr.sys
    0xF79A1000 \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
    0xA4942000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110625.002\NAVEX15.SYS
    0xA492E000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110625.002\NAVENG.SYS
    0xA48B3000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

    Processes (total 44):
    0 System Idle Process
    4 System
    844 C:\WINDOWS\SYSTEM32\smss.exe
    920 csrss.exe
    948 C:\WINDOWS\SYSTEM32\winlogon.exe
    992 C:\WINDOWS\SYSTEM32\services.exe
    1004 C:\WINDOWS\SYSTEM32\lsass.exe
    1172 C:\WINDOWS\SYSTEM32\svchost.exe
    1252 svchost.exe
    1368 C:\WINDOWS\SYSTEM32\svchost.exe
    1532 svchost.exe
    1584 svchost.exe
    1956 C:\WINDOWS\SYSTEM32\spoolsv.exe
    1224 C:\WINDOWS\explorer.exe
    2020 svchost.exe
    252 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    420 C:\Program Files\Bonjour\mDNSResponder.exe
    784 PresentationFontCache.exe
    724 C:\WINDOWS\SYSTEM32\ctfmon.exe
    1464 C:\WINDOWS\SYSTEM32\hkcmd.exe
    1516 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    1728 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    1736 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    2308 C:\Program Files\Java\jre6\bin\jqs.exe
    2408 C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe
    2492 C:\WINDOWS\SYSTEM32\svchost.exe
    2592 C:\WINDOWS\SYSTEM32\WLTRYSVC.EXE
    2724 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    2772 C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE
    3252 C:\Program Files\iTunes\iTunesHelper.exe
    3660 C:\Program Files\SFT\GuardedID\GIDD.exe
    3836 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    732 C:\Program Files\Constant Guard Protection Suite\IDVault.exe
    744 C:\Program Files\Digital Line Detect\DLG.exe
    2944 C:\Program Files\iPod\bin\iPodService.exe
    1452 alg.exe
    2100 C:\WINDOWS\SYSTEM32\svchost.exe
    2472 C:\Program Files\Internet Explorer\iexplore.exe
    2248 C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe
    3976 C:\Program Files\PC Tools Security\pctsAuxs.exe
    1416 C:\Program Files\PC Tools Security\pctsSvc.exe
    2416 C:\Program Files\PC Tools Security\pctsGui.exe
    2108 C:\WINDOWS\SYSTEM32\wuauclt.exe
    5432 C:\Documents and Settings\Christy\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

    PhysicalDrive0 Model Number: TOSHIBAMK4026GAX, Rev: PA102D

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Dell MBR code detected
    SHA1: 84B95CE8A54B7C5C3AAF149934FC46FB70FF8365


    Done!



    *********************

    ComboFix 11-06-25.03 - Christy 06/25/2011 13:38:26.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1262.831 [GMT -7:00]
    Running from: c:\documents and settings\Christy\Desktop\ComboFix.exe
    AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-25 to 2011-06-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-25 06:11 . 2011-06-25 06:11 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-06-25 01:43 . 2010-07-16 21:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
    2011-06-25 01:43 . 2010-07-16 21:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2011-06-25 01:43 . 2010-11-17 17:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2011-06-25 01:42 . 2010-11-25 17:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2011-06-25 01:42 . 2010-11-25 17:43 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2011-06-25 01:41 . 2010-11-25 17:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2011-06-25 01:39 . 2011-06-25 01:44 -------- d-----w- c:\program files\Common Files\PC Tools
    2011-06-25 01:39 . 2011-06-25 05:46 -------- d-----w- c:\program files\PC Tools Security
    2011-06-25 01:39 . 2011-06-25 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-06-25 01:39 . 2011-06-25 01:39 -------- d-----w- c:\documents and settings\Christy\Application Data\PC Tools
    2011-06-24 16:42 . 2011-06-24 16:51 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-06-24 16:42 . 2011-06-24 16:51 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-06-24 16:42 . 2011-06-24 16:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2011-06-24 16:42 . 2011-06-24 16:51 -------- d-----w- c:\program files\Symantec
    2011-06-24 16:41 . 2011-06-24 20:32 -------- d-----w- c:\windows\system32\drivers\N360
    2011-06-24 16:41 . 2011-06-24 16:41 -------- d-----w- c:\program files\Norton Security Suite
    2011-06-24 16:41 . 2011-06-24 16:41 -------- d-----w- c:\program files\Windows Sidebar
    2011-06-24 06:32 . 2011-06-24 06:32 -------- d-----w- c:\program files\NortonInstaller
    2011-06-24 06:23 . 2011-06-24 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2011-06-24 06:18 . 2011-06-24 06:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\ID Vault
    2011-06-24 05:55 . 2011-06-24 05:55 -------- d-----w- c:\documents and settings\All Users\Application Data\IsolatedStorage
    2011-06-24 05:55 . 2011-06-24 06:01 -------- d-----w- c:\documents and settings\Christy\Local Settings\Application Data\ID Vault
    2011-06-24 05:54 . 2011-06-14 19:24 87624 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.XmlSerializers.dll
    2011-06-24 05:54 . 2011-06-14 19:24 1590856 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.dll
    2011-06-24 05:54 . 2011-06-14 19:24 129608 ----a-w- c:\program files\Mozilla Firefox\CommonDotNET.dll
    2011-06-24 05:54 . 2011-06-14 19:23 8007680 ----a-w- c:\program files\Mozilla Firefox\Microsoft.mshtml.dll
    2011-06-24 05:53 . 2011-06-24 06:21 -------- d-----w- c:\documents and settings\Christy\Application Data\ID Vault
    2011-06-24 05:53 . 2011-03-04 02:02 25232 ------w- c:\windows\system32\drivers\gidv2.sys
    2011-06-24 05:53 . 2011-06-24 05:53 -------- d-----w- c:\documents and settings\All Users\GID
    2011-06-24 05:53 . 2011-06-24 05:53 -------- d-----w- c:\program files\SFT
    2011-06-24 05:52 . 2011-06-24 05:54 -------- d-----w- c:\program files\Constant Guard Protection Suite
    2011-06-24 05:51 . 2011-06-24 05:51 -------- d-----w- c:\program files\MSBuild
    2011-06-24 05:46 . 2011-06-24 05:46 -------- d-----w- c:\windows\system32\XPSViewer
    2011-06-24 05:45 . 2011-06-24 05:45 -------- d-----w- c:\program files\Reference Assemblies
    2011-06-24 05:44 . 2006-10-14 23:43 27648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-06-24 05:44 . 2006-06-29 20:07 14048 ------w- c:\windows\system32\spmsg2.dll
    2011-06-23 17:45 . 2011-06-23 17:45 -------- d-----w- c:\program files\Microsoft.NET
    2011-06-23 17:22 . 2011-06-23 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\White Sky, Inc
    2011-06-23 00:06 . 2011-06-23 00:06 -------- d-----w- c:\documents and settings\Christy\Application Data\Malwarebytes
    2011-06-23 00:05 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-23 00:05 . 2011-06-23 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-06-23 00:04 . 2011-06-23 00:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-22 18:56 . 2011-06-23 05:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-06-22 11:57 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2011-06-21 16:54 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-06-21 16:35 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
    2011-06-08 04:42 . 2011-06-08 04:42 -------- d-----w- c:\program files\iPod
    2011-06-08 04:42 . 2011-06-08 04:43 -------- d-----w- c:\program files\iTunes
    2011-06-08 04:36 . 2011-06-08 04:36 -------- d-----w- c:\program files\Bonjour
    2011-06-07 21:25 . 2011-05-04 11:52 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-06-07 21:25 . 2011-05-04 11:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-07 21:11 . 2011-06-07 21:11 -------- d-----w- c:\documents and settings\Christy\Application Data\MSNInstaller
    2011-06-07 17:57 . 2011-06-07 17:57 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-06-07 17:47 . 2011-06-07 17:47 -------- d-----w- c:\documents and settings\Patrick\PrivacIE
    2011-06-07 17:46 . 2011-06-07 17:46 -------- d-----w- c:\documents and settings\Patrick\Local Settings\Application Data\Apple Computer
    2011-06-07 17:46 . 2011-06-07 17:46 -------- d-----w- c:\documents and settings\Patrick\IETldCache
    2011-06-07 03:31 . 2011-06-07 03:31 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-21 20:50 . 2011-05-26 01:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-10 15:06 . 2010-02-01 00:16 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-05-10 15:06 . 2008-06-16 23:58 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-05-04 09:25 . 2008-07-23 02:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-05-02 15:31 . 2004-08-04 11:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 16:19 . 2004-08-04 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 15:51 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 15:51 . 2009-06-30 18:51 78336 ---ha-w- c:\windows\system32\ieencode.dll
    2011-04-25 15:51 . 2004-08-04 11:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 15:51 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-04-25 12:01 . 2004-08-04 11:00 389120 ---ha-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-04 11:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B84CDBE7-1B46-494B-A188-01D4C52DEB61}]
    2011-06-14 19:24 99912 ----a-w- c:\program files\Constant Guard Protection Suite\NativeBHO.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-30 68856]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-25 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-25 118784]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-22 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-22 507904]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-06 421160]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    "GIDDesktop"="c:\program files\SFT\GuardedID\gidd.exe" [2011-03-04 393992]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Constant Guard.lnk - c:\program files\Constant Guard Protection Suite\IDVault.exe [2011-6-14 3231816]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-1-30 24576]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GIDLogonXP]
    2011-03-04 02:03 53528 ----a-w- c:\windows\SYSTEM32\GIDLogonXP.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2005-01-31 03:01 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Documents and Settings\\Christy\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Christy\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [6/24/2011 6:42 PM 239168]
    R0 pctDS;PC Tools Data Store;c:\windows\SYSTEM32\DRIVERS\pctDS.sys [6/24/2011 6:43 PM 338880]
    R0 pctEFA;PC Tools Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\pctEFA.sys [6/24/2011 6:43 PM 656320]
    R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0501000.01D\symds.sys [6/24/2011 9:51 AM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0501000.01D\symefa.sys [6/24/2011 9:51 AM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110616.003\BHDrvx86.sys [6/16/2011 1:56 AM 810616]
    R1 GIDv2;GIDv2;c:\windows\SYSTEM32\DRIVERS\gidv2.sys [6/23/2011 10:53 PM 25232]
    R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0501000.01D\ironx86.sys [6/24/2011 9:51 AM 136312]
    R2 IDVaultSvc;CGPS Service;c:\program files\Constant Guard Protection Suite\IDVaultSvc.exe [6/14/2011 12:24 PM 60488]
    R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [6/24/2011 9:51 AM 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2011 9:52 AM 105592]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110624.050\IDSXpx86.sys [6/24/2011 7:05 PM 355256]
    S1 MpKslb4c78394;MpKslb4c78394;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE32B7A2-C83D-4F12-A229-56FFEC5525DA}\MpKslb4c78394.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE32B7A2-C83D-4F12-A229-56FFEC5525DA}\MpKslb4c78394.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 5:11 PM 136176]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/22/2011 5:05 PM 366640]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 5:11 PM 136176]
    S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [6/24/2011 6:40 PM 366840]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
    2011-03-04 02:04 433416 ----a-w- c:\program files\SFT\GuardedID\GIDI.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    2011-06-25 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-30 21:18]
    .
    2011-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 00:11]
    .
    2011-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 00:11]
    .
    2011-06-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3433564889-2656460755-3931638002-1005Core.job
    - c:\documents and settings\Christy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-09 02:17]
    .
    2011-06-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3433564889-2656460755-3931638002-1005UA.job
    - c:\documents and settings\Christy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-09 02:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Open Link Target in Firefox - file://c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\fq8zfcwt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
    IE: View This Page in Firefox - file://c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\fq8zfcwt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
    FF - ProfilePath - c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\fq8zfcwt.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://sfgate.com/
    FF - Ext: Calculator: {AA052FD6-366A-4771-A591-0D8DC551585D} - %profile%\extensions\{AA052FD6-366A-4771-A591-0D8DC551585D}
    FF - Ext: ViewInFirefox: {5D558C43-550F-4b12-84AB-0D8ABDA9F975} - %profile%\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}
    FF - Ext: FormFox: formfox@daniel.steinbrook - %profile%\extensions\formfox@daniel.steinbrook
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
    FF - Ext: CuteMenus - Crystal SVG: {63df8e21-711c-4074-a257-b065cadc28d8} - %profile%\extensions\{63df8e21-711c-4074-a257-b065cadc28d8}
    FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
    FF - Ext: CacheIt!: {98449521-9320-4257-aa35-9e1a39c8cbe0} - %profile%\extensions\{98449521-9320-4257-aa35-9e1a39c8cbe0}
    FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
    FF - Ext: Red Cats (green flavor): {dd30bf68-268a-4815-ad48-8740b774c764} - %profile%\extensions\{dd30bf68-268a-4815-ad48-8740b774c764}
    FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn
    FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-25 13:46
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600
    .
    CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
    device: opened successfully
    user: error reading MBR
    kernel: MBR read successfully
    user != kernel MBR !!!
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(940)
    c:\windows\system32\GIDLogonXP.dll
    c:\windows\system32\GIDHookLogon.dll
    c:\windows\system32\GIDBIN1.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-06-25 13:50:51
    ComboFix-quarantined-files.txt 2011-06-25 20:50
    .
    Pre-Run: 6,826,139,648 bytes free
    Post-Run: 6,970,892,288 bytes free
    .
    - - End Of File - - ABA1408D474B897B001D525ADA55BE7E
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You didn't have to disconnect from the internet before running Combofix. The program itself would have disconnected before the scan.

    I note that you have installed PC Tools Security on 6/25. You have Norton Security running- now you have 2 antivirus programs and 2 firewalls.


    And it appears that you also installed the Constant Guard™ Protection Suite (CGPS) from Comcast on 6/24.
    You should not be downloading new programs while I'm helping you unless I instruct you to. Your first scan was 6/22. So the malware was already on the system. You cannot pile security suites on top of one another trying to find and fix the malware. Ideally, security keeps the malware out.
    ===========================================
    Can you tell me what this is please: 2011-06-24 05:53 -------- d--w- c:\program files\SFT
    ============================================
    Before I give you any script to run, please get the security down to only one antivirus and one firewall. It's okay to have multiple antimalware programs but having multiple AV and/or FW actually makes the system more vulnerable, not less.
    ==========================================
    Please stop installing new programs unless I direct you to do so, while I am helping you. Every time you install something new, it changes the logs.
     
  7. PalazzoTom

    PalazzoTom TS Rookie Topic Starter

    OK, rookie mistake on the virus protection/FW. I should now be down to Norton only.

    I am not sure why it looks like new programs are being loaded; I have not loaded any. I did realize that I posted the very first MBAM log from 6/22, before I came here; below is the correct one from 6/24.


    >>>>Can you tell me what this is please> 2011-06-24 05:53 -------- d-----w- c:\program files\SFT<<<<<<

    I have no idea. I am retired, so 5:53 in the morning is too early for me to be working the computer.

    ****************************************************

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6927

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    6/24/2011 2:12:57 PM
    mbam-log-2011-06-24 (14-12-57).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 39774
    Time elapsed: 4 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I hope you're up, have had your coffee and are ready to tackle this. If your daughter is continuing to use the computer while I am helping clean it, she needs to stop installing new programs. The entries and dates came right from the logs.

    The programs are all legitimate. But when a new program is added, there will be new entries in the logs which I have to account for.
    =========================================
    Sometimes we have to work to ID a process. The following helped ID this: c:\program files\SFT
    mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - c:\program files\sft\guardedid\gidi.exe /v
    (This may be a trial. Purchase is $30.00)
    ====================================
    Tell me please if you have uninstalled PC Tools. If so, there are some entries I want to add still on the system.
    ====================================
    Please run the following- hopefully that will finish us up:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =========================================
    Download HijackThis and save it to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will be saved and then the log will open in Notepad. Be sure to click on Format > Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Edit: I'll get back to you on changing the underscore to make the link readable.
     
  9. PalazzoTom

    PalazzoTom TS Rookie Topic Starter

    Yes, PC Tools was already uninstalled.

    Here are the next two logs:

    **********************************************
    C:\Documents and Settings\Christy\Application Data\Sun\Java\Deployment\cache\6.0\23\101a3e97-552bf6bf Java/Agent.CN trojan
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1015\A0066787.sys Win32/Olmasco.E trojan


    ***********************************************
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:39:33 AM, on 6/27/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17098)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Christy\Desktop\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\fq8zfcwt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
    O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\fq8zfcwt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1308685415186
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 8930 bytes
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on the Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on the Temporary Files Settings window.
    Images courtesy java.com
    ======================================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)


    Close all Windows except HijackThis and click on "Fix Checked."
    =========================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    =======================================
    Your computer is clean! Keep it that way>>>>>>>>
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o] Antivirus (only one): Both of the following programs are free and known to be good:
      [o] Avira-AntiVir-Personal-Free-Antivirus
      [o] Avast-Free Antivirus
      [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      [o] Temporary File Cleaner
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
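
    The HijackThis entries Bobbye asks to fix above (R3 URLSearchHooks, O2 BHOs and O3 toolbars reported as "(no file)") are CLSIDs whose registered DLL no longer exists on disk. The script below is an added example for this thread, not part of the original post and not HijackThis code: it reproduces that check in PowerShell by reading the same three registry locations, resolving each CLSID through HKCR\CLSID\{...}\InProcServer32, and flagging entries whose DLL is missing. It assumes an Administrator PowerShell session (PowerShell 2.0 has to be installed separately on the XP SP3 machine in this thread) and the -Remove switch is this example's own, used only after the list has been reviewed.

```powershell
# Added example, not from the thread: the HijackThis R3 / O2 / O3 "(no file)"
# check done by hand. Lists IE URLSearchHooks, Browser Helper Objects and
# toolbars, resolves each CLSID to its DLL via HKCR\CLSID, and flags entries
# whose DLL is gone. Assumptions: run as Administrator; the HKCR: drive is
# created here because PowerShell does not map it by default; -Remove is a
# switch of this script, not a HijackThis option.
param([switch]$Remove)

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Registry locations behind the three HijackThis line types, and whether each
# stores its CLSIDs as value names or as subkey names.
$locations = @(
    @{ Tag = 'R3'; Path = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'; Kind = 'Values' },
    @{ Tag = 'O2'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Kind = 'Subkeys' },
    @{ Tag = 'O3'; Path = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'; Kind = 'Values' }
)

function Resolve-Clsid {
    param([string]$Clsid)
    # A CLSID is live only if HKCR\CLSID\{...}\InProcServer32 names a DLL on disk.
    $key  = "HKCR:\CLSID\$Clsid"
    $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -Path "$key\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
    New-Object PSObject -Property @{
        Clsid  = $Clsid
        Name   = $(if ($name) { $name } else { '(no name)' })
        Dll    = $(if ($dll)  { $dll  } else { '(no file)' })
        Exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
    }
}

$report = foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
    $clsids = if ($loc.Kind -eq 'Subkeys') { (Get-ChildItem -LiteralPath $loc.Path).PSChildName } else { (Get-Item -LiteralPath $loc.Path).Property }
    # Only CLSID-shaped names; the Toolbar key also holds unrelated values and subkeys.
    foreach ($c in @($clsids) | Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }) {
        Resolve-Clsid $c |
            Add-Member -MemberType NoteProperty -Name Tag  -Value $loc.Tag  -PassThru |
            Add-Member -MemberType NoteProperty -Name Path -Value $loc.Path -PassThru
    }
}

$report | Sort-Object Tag, Name | Format-Table Tag, Name, Clsid, Dll, Exists -AutoSize

# Orphaned entries are inert by themselves, but they are exactly what a hijacker
# or a sloppy uninstaller leaves behind; review the table before using -Remove.
$orphans = @($report | Where-Object { -not $_.Exists })
if ($Remove) {
    foreach ($o in $orphans) {
        if ($o.Tag -eq 'O2') { Remove-Item -LiteralPath "$($o.Path)\$($o.Clsid)" -Recurse }
        else                 { Remove-ItemProperty -LiteralPath $o.Path -Name $o.Clsid }
    }
}
"{0} orphaned entr{1} found" -f $orphans.Count, $(if ($orphans.Count -eq 1) { 'y' } else { 'ies' })
```

    Run it once without -Remove and compare the Exists column against the HijackThis log: the three lines Bobbye lists should show as "(no file)" with Exists False, while live entries such as the Norton, Java and Skype BHOs resolve to a DLL that exists. Entries that point at a DLL which does exist are not cleaned by this script; those need the same name-and-path review HijackThis users give O2 and O3 lines before checking them.
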
     
  11. PalazzoTom

    PalazzoTom TS Rookie Topic Starter

    Thank you very much. Problem solved!!
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome! Stay safe.
     