Solved Wife's laptop got PUM.Hijack.Start menu

[bhanna261]

Ugh...she told me she wasn't able to connect to the internet. When I looked at her computer, I noticed Norton 360 wasn't running and I couldn't get it to start. Fortunately she had Malwarebytes previously installed and although I couldn't update the database (no connection), running it did show that she had PUM.Hijack.Startmenu. I had it cleaned but still no luck get Norton to start or connecting to the internet. (Logs below) Doing some reading, I found and ran Marwarebytes Anti-RootKit. It found 2 things including Spyware.PWS and PUM.Hijack.Startmenu again. (Logs below) From this site, I downloaded DDS and ran it. (Log below). Any help is appreciated.
-----------------------------------------
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.11.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Bob H :: REGINA [administrator]

11/17/2012 9:10:17 AM
mbam-log-2012-11-17 (09-10-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 229104
Time elapsed: 21 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
-----------------------------
Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org
Database version: v2012.11.03.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Bob H :: REGINA [administrator]
11/19/2012 8:49:29 AM
mbar-log-2012-11-19 (08-49-29).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 28234
Time elapsed: 38 minute(s), 29 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Delete on reboot. [f1103163a1bc41f5753e30e7d1331de3]
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DFBD3C.tmp (Spyware.PWS) -> Delete on reboot. [0cf593013429c6708c6b5f7ea063eb15]
(end)
-------------------------------
DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Bob H at 9:55:03 on 2012-11-19
#Option Extended Search is enabled.
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.564 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Dual-Band Wireless A+G Notebook Adapter\WLService.exe
C:\Program Files\Dual-Band Wireless A+G Notebook Adapter\WPC55AGV3.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Kodak\KODAK Share Button App\Listener.exe
C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - <orphaned>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: CNavExtBho Class: {BDF3E430-B101-42AD-A544-FADC6B084872} -
BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - <orphaned>
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton AntiVirus: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [KodakShareButtonApp] c:\program files\kodak\kodak share button app\Listener.exe
mRun: [ArcSoft MediaImpression Monitor] c:\program files\kodak\mediaimpression\ArcMonitor.exe
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRunOnce: [Z1] c:\documents and settings\bob h\desktop\mbar\mbar.exe /cleanup /s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://virtualkitchenshowroom.homedepot.com/VS/Core/Player/2020PlayerAX_Win32.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://slnj.mylinksyscam.com:1025/img/LinksysMLViewer.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://192.168.1.104/NetCamPlayerWeb11gv2.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{BBFACFB2-FA12-4D1F-A203-002E71665BEF} : DHCPNameServer = 192.168.2.1 192.168.2.1
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1 - {9EF34FF2-3396-4527-9D27-04C8C1C67806} - c:\program files\microsoft antispyware\shellextension.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502000.00d\symds.sys [2012-1-30 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502000.00d\symefa.sys [2012-1-30 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20120207.003\BHDrvx86.sys [2012-2-9 820344]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys [2012-1-30 136312]
R2 WPC55AGV3;WPC55AGV3;c:\program files\dual-band wireless a+g notebook adapter\WLService.exe [2011-7-1 41025]
R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2011-1-28 36224]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-4 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120210.002\IDSXpx86.sys [2012-2-10 356280]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-11-19 35144]
S2 N360;Norton 360;c:\program files\norton 360\engine\5.2.0.13\ccsvchst.exe [2012-1-30 130008]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\jeannie\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\jeannie\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120210.035\NAVENG.SYS [2012-2-11 86136]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120210.035\NAVEX15.SYS [2012-2-11 1576312]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2011-1-28 134912]
.
=============== File Associations ===============
.
ShellExec: hpqpssp.exe: Open=c:\program files\hp\digital imaging\bin\hpqpssp.exe
ShellExec: hpqpstp.exe: Open=c:\program files\hp\digital imaging\bin\hpqpstp.exe
.
=============== Created Last 60 ================
.
2012-11-19 14:45:2635144----a-w-c:\windows\system32\drivers\mbamchameleon.sys
2012-11-17 18:59:37--------d-----w-c:\windows\system32\wbem\repository\FS
2012-11-17 18:59:37--------d-----w-c:\windows\system32\wbem\Repository
2012-11-17 18:41:23--------d-----w-c:\documents and settings\bob h\local settings\application data\NPE
2012-11-17 14:09:47--------d-----w-c:\documents and settings\bob h\application data\Malwarebytes
2012-11-17 14:04:08--------d-----w-c:\documents and settings\all users\application data\PC Tools
2012-11-12 15:57:11--------d-----w-c:\program files\D-Link
2012-10-02 18:04:2158368------w-c:\windows\system32\dllcache\synceng.dll
2012-09-24 21:05:4291648----a-w-c:\windows\system32\spool\prtprocs\w32x86\hpzpp4sa.dll
2012-09-24 21:05:4138400----a-w-c:\windows\system32\hpz3l4sa.dll
2012-09-24 21:04:11286720----a-r-c:\windows\system32\HPZc3212.dll
2012-09-24 21:04:10258122----a-r-c:\windows\system32\hpovst09.dll
2012-09-24 21:04:09835072----a-r-c:\windows\system32\hpwtiop1.dll
2012-09-24 21:04:08876544----a-r-c:\windows\system32\hpwwiax1.dll
.
==================== Find6M ====================
.
2012-10-22 08:37:311866368----a-w-c:\windows\system32\win32k.sys
2012-10-02 18:04:2158368----a-w-c:\windows\system32\synceng.dll
2012-08-28 15:14:53916992----a-w-c:\windows\system32\wininet.dll
2012-08-28 15:14:5343520----a-w-c:\windows\system32\licmgr10.dll
2012-08-28 15:14:521469440------w-c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15385024----a-w-c:\windows\system32\html.iec
2012-08-24 13:53:22177664----a-w-c:\windows\system32\wintrust.dll
2012-08-21 13:29:192192896----a-w-c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:062069632----a-w-c:\windows\system32\ntkrnlpa.exe
2012-07-06 13:58:5178336----a-w-c:\windows\system32\browser.dll
2012-07-04 14:05:18139784----a-w-c:\windows\system32\drivers\rdpwd.sys
2012-06-05 15:50:251372672----a-w-c:\windows\system32\msxml6.dll
2012-06-05 15:50:251172480----a-w-c:\windows\system32\msxml3.dll
2012-06-04 04:32:08152576----a-w-c:\windows\system32\schannel.dll
2012-06-02 19:19:4422040----a-w-c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38219160----a-w-c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:3815384----a-w-c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:3415384----a-w-c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:3017944----a-w-c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58275696----a-w-c:\windows\system32\mucltui.dll
2012-06-02 19:18:58214256----a-w-c:\windows\system32\muweb.dll
2012-06-02 19:18:5817136----a-w-c:\windows\system32\mucltui.dll.mui
2012-06-01 16:50:06601088----a-w-c:\windows\system32\crypt32.dll
2012-01-31 01:14:4438808920----a-w-c:\program files\FileFormatConverters.exe
.
============= FINISH: 9:56:11.89 ===============

 

[Jay Pfoutz]

Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information

• From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
• Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
• If you have already asked for help somewhere, please post the link to the topic you were helped.
• We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Download AdwCleaner by Xplode onto your Desktop.

• Double click on AdwCleaner.exe to run the tool.
• Click on Delete.
• A logfile will automatically open after the scan has finished.
• Please post the content of that logfile in your reply.
• You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

ComboFix scan

Please download ComboFix

by sUBs
From BleepingComputer.com

Please save the file to your Desktop.

Important information about ComboFix


After the download:

• Close any open browsers.
• Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
• If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:

• Double click on ComboFix.exe & follow the prompts.
• When ComboFix finishes, it will produce a report for you.
• Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

 

[bhanna261]

Hi DragonMaster,

Thanks for your assistance. I am very grateful. After running the two scans, I am able to connect to the internet but I still can't get Norton 360 to open. I'm not sure what the process names are in task manager so I can't confirm whether it's running or not.

Here are the logs from the two scans.
-------------------------------------------------------------------------------
# AdwCleaner v2.008 - Logfile created 11/21/2012 at 15:31:03
# Updated 17/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Bob H - REGINA
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Bob H\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\WINDOWS\system32\conduitEngine.tmp
Folder Deleted : C:\Documents and Settings\All Users\Application Data\WeCareReminder
Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\Ilivid
Folder Deleted : C:\Documents and Settings\Bob H\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\Bob H\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Bob H\Local Settings\Application Data\ConduitEngine
Folder Deleted : C:\Program Files\Free Offers from Freeze.com
Folder Deleted : C:\Program Files\Ilivid

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\conduitEngine
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2354614
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\ilivid
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ilivid
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilivid
Key Deleted : HKU\S-1-5-21-59264045-445760920-750809666-1006\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKU\S-1-5-21-59264045-445760920-750809666-1008\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{30F9B915-B755-4826-820B-08FBA6BD249D}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [2815 octets] - [21/11/2012 15:29:28]



AdwCleaner[S1].txt - [2649 octets] - [21/11/2012 15:31:03]

########## EOF - C:\AdwCleaner[S1].txt - [2709 octets] ##########

--------------------------------------------------------------------------------------------------------
ComboFix 12-11-21.01 - Bob H 11/21/2012 16:04:45.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.551 [GMT -5:00]
Running from: c:\documents and settings\Bob H\Desktop\ComboFix.exe
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jeannie\g2mdlhlpx.exe
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-21 to 2012-11-21 )))))))))))))))))))))))))))))))
.
.
2012-11-21 20:51 . 2012-11-21 20:518646----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-11-21 20:51 . 2012-11-21 20:516429----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-11-21 20:51 . 2012-11-21 20:5163115----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-11-21 20:51 . 2012-11-21 20:514599----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-11-21 20:51 . 2012-11-21 20:519310----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-11-21 20:51 . 2012-11-21 20:515927----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-11-21 20:50 . 2012-11-21 20:508613----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-11-21 20:50 . 2012-11-21 20:501651----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-11-21 20:50 . 2012-11-21 20:506910----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-11-21 20:50 . 2012-11-21 20:506208----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-11-21 20:50 . 2012-11-21 20:5018541----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-11-21 20:50 . 2012-11-21 20:508288----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-11-21 20:50 . 2012-11-21 20:5051852----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-11-21 20:50 . 2012-11-21 20:5023327----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-11-21 20:50 . 2012-11-21 20:5020719----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-11-21 20:50 . 2012-11-21 20:508782----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-11-21 20:50 . 2012-11-21 20:507271----a-w-c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-11-17 18:59 . 2012-11-17 18:59--------d-----w-c:\windows\system32\wbem\Repository
2012-11-17 18:41 . 2012-11-17 18:52--------d-----w-c:\documents and settings\Bob H\Local Settings\Application Data\NPE
2012-11-17 14:09 . 2012-11-17 14:09--------d-----w-c:\documents and settings\Bob H\Application Data\Malwarebytes
2012-11-17 14:04 . 2012-11-17 14:04--------d-----w-c:\documents and settings\All Users\Application Data\PC Tools
2012-11-12 15:57 . 2012-11-12 15:57--------d-----w-c:\program files\D-Link
2012-10-24 14:06 . 2012-11-17 18:59--------d-----w-c:\documents and settings\Guest
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-22 08:37 . 2004-08-04 08:001866368----a-w-c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2004-08-04 08:0058368----a-w-c:\windows\system32\synceng.dll
2012-08-28 15:14 . 2004-08-04 08:00916992----a-w-c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-08-04 08:0043520----a-w-c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-08-04 08:001469440------w-c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 08:00385024----a-w-c:\windows\system32\html.iec
2012-08-24 13:53 . 2004-08-04 08:00177664----a-w-c:\windows\system32\wintrust.dll
2012-01-31 01:14 . 2011-11-15 21:1238808920----a-w-c:\program files\FileFormatConverters.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-09 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-03-29 233534]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-03 98304]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"KodakShareButtonApp"="c:\program files\Kodak\KODAK Share Button App\Listener.exe" [2011-01-18 107008]
"ArcSoft MediaImpression Monitor"="c:\program files\Kodak\MediaImpression\ArcMonitor.exe" [2010-11-12 73728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502000.00D\symds.sys [1/30/2012 9:53 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502000.00D\symefa.sys [1/30/2012 9:53 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120207.003\BHDrvx86.sys [2/9/2012 9:10 AM 820344]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502000.00D\ironx86.sys [1/30/2012 9:53 PM 136312]
R2 WPC55AGV3;WPC55AGV3;c:\program files\Dual-Band Wireless A+G Notebook Adapter\WLService.exe [7/1/2011 6:34 PM 41025]
R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [1/28/2011 9:23 AM 36224]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/4/2012 5:43 AM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120210.002\IDSXpx86.sys [2/10/2012 9:25 PM 356280]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.0.13\ccsvchst.exe [1/30/2012 9:52 PM 130008]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\Jeannie\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Jeannie\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [1/28/2011 9:23 AM 134912]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
*Deregistered* - ArcRec
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmtREG_MULTI_SZ hpqcxs08 hpqddsvc
HPServiceREG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-21 c:\windows\Tasks\FreeFileViewerUpdateChecker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2012-01-07 19:24]
.
2012-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 14:48]
.
2012-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 14:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
DPF: {12193C65-F0E1-4DD1-AD4E-DB73C6911011}
DPF: {7191F0AC-D686-46A8-BFCC-EA61778C74DD}
DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://slnj.mylinksyscam.com:1025/img/LinksysMLViewer.cab
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://192.168.1.104/NetCamPlayerWeb11gv2.cab
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{9DBB9AEB-5A16-4989-A66F-C0F1C909D647} - (no file)
AddRemove-N360 - c:\program files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360\562C4DD5\5.1.0.29\InstStub.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-21 16:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?2?0?-??????? ???B?????????????hLC? ??????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
Completion time: 2012-11-21 16:16:00
ComboFix-quarantined-files.txt 2012-11-21 21:15
.
Pre-Run: 25,049,546,752 bytes free
Post-Run: 25,540,599,808 bytes free
.
- - End Of File - - 0D4CA354ADA37DE83BE989F63FADD029

 

[bhanna261]

I just downloaded and reinstalled Norton 360. It appears to be running normally and I am running a full scan.

 

[Jay Pfoutz]

Sorry for delay. I just came back from my short vacation.

TDSSKiller Scan

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


ESET Online Scan

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
• Click Start
• When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
• Click Start or wait for the scanner to load.
• Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
• Click Scan (This scan can take several hours, so please be patient)
• Once the scan is completed, there are a couple of things to keep in mind:
• 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
• 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
• Open the logfile from wherever you saved it
• Copy and paste the contents in your next reply.

 

[bhanna261]

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
----------------------------------------------------------------------------

Kaspersky log.zip is attched

 

[Jay Pfoutz]

Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

• Be sure to print out and follow the instructions provided on that same page for performing a scan.
• Caution: This is a beta version so also read the disclaimer and back up all your data before using.
• When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
• Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
• Copy and paste the contents of these two log files in your next reply.

 

[bhanna261]

Here's the MBAR log. In addition, for some reason, auto-protect on Norton 360 is off and I can't get it to restart. Laptop was on overnight but no one was using it. I'm going to try reinstalling Norton again.

Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org
Database version: v2012.11.25.02
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Bob H :: REGINA [administrator]
11/25/2012 8:57:59 AM
mbar-log-2012-11-25 (08-57-59).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 27115
Time elapsed: 25 minute(s), 39 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

 

[Jay Pfoutz]

ESET Online Scan

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
• Click Start
• When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
• Click Start or wait for the scanner to load.
• Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
• Click Scan (This scan can take several hours, so please be patient)
• Once the scan is completed, there are a couple of things to keep in mind:
• 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
• 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
• Open the logfile from wherever you saved it
• Copy and paste the contents in your next reply.

Scan with Malwarebytes' Anti-Malware

Please open Malwarebytes' Anti-Malware, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

 

[bhanna261]

ESET showed no threats.

Here's the log from MalwareBytes:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.28.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Bob H :: REGINA [administrator]
11/27/2012 8:03:19 PM
mbam-log-2012-11-27 (20-03-19).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 263925
Time elapsed: 10 minute(s), 8 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

 

[Jay Pfoutz]

Hi there. It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

• Select Start > All Programs > Accessories > System tools > System Restore.
• On the dialogue box that appears select Create a Restore Point
• Click NEXT
• Enter a name e.g. Clean
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
• In the Drop down box that appears select your main drive e.g. C
• Click OK
• The System will do some calculation and the display a dialogue box with TABS
• Select the More Options Tab.
• At the bottom will be a system restore box with a CLEANUP button click this
• Accept the Warning and select OK again, the program will close and you are done

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
• Double click OTC.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

NOTE: If you already have this installed, you don't have to reinstall it.

Please download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

• Double-click the CCleaner shortcut on the desktop to start the program.
• A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
• On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
• Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

[bhanna261]

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Please wait while WMIC is being installed.d
I
s
p
l
a
y
N
a
m
e
ECHO is off.
N
o
r
t
o
n
ECHO is off.
3
6
0
ECHO is off.
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Java(TM) 6 Update 13
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 7 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 1%
````````````````````End of Log``````````````````````

 

[Jay Pfoutz]

Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems


Adobe Flash Player Update!

Please download the newest version of Adobe Flash Player from Adobe.com

Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.


Adobe Reader Update!

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Personal Tips on Preventing Malware

See this page for more info about malware and prevention.


Any other questions before I mark this topic solved?

 

[bhanna261]

The three updates have been installed (and all prior versions removed). I appreciate your help and suspect you have done all you can. Unfortunately, something keeps turning Norton auto-protect off and nothing can get it to restart short of uninstalling and reinstalling Norton, which I've done 3 times. Sadly, I fear this laptop is fubar'd. Thanks for your assistance.

 

[Jay Pfoutz]

From what it sounds like, it could be a licensing problem with Symantec/Norton, or some other security software is interfering. You should have free tech support with Norton, so contact them as soon as possible and at all occurrences of impossible situations (where uninstall and reinstall a couple times doesn't work).

If you keep having to re-enter your product key and it verifying with the check server that it's legitimate, the check server will flag it, and you may lose the chance to keep the Norton product on your system. So, it's important to contact them, if you keep having to reinstall it.

Topic marked solved. Best of luck.