Solved Yet another Google redirect problem


PalazzoTom

Hi folks,

I am working on my daughter's laptop after she told me about the redirect problem. I found she had no virus or malware protection. I loaded and ran Norton, MS Essentials, Spyware Doctor, and Malwarebytes without any improvement.

Following are the logs from MBAM, GMER, and DDS. I will stand by awaiting your sage instructions.

Many thanks to those of you who freely give of your time and expertise.

Tom



******************************

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6923

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/22/2011 5:21:00 PM
mbam-log-2011-06-22 (17-21-00).txt

Scan type: Quick scan
Objects scanned: 180486
Time elapsed: 11 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Value: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Value: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

**********************

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-24 23:16:00
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 rev.
Running: 2u1i9kwk.exe; Driver: C:\DOCUME~1\Christy\LOCALS~1\Temp\fflyapod.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 8A145E7A
Thread System [4:128] 8A148008

---- EOF - GMER 1.0.15 ----


******************************

.DDS.txt


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Christy at 23:34:55 on 2011-06-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1262.462 [GMT -7:00]
.
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SFT\GuardedID\gidd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Constant Guard Protection Suite\IDVault.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\Program Files\PC Tools Security\pctsGui.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Constant Guard Protection Suite (COM): {b84cdbe7-1b46-494b-a188-01d4c52deb61} - c:\program files\constant guard protection suite\NativeBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\christy\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [<NO NAME>]
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [GIDDesktop] c:\program files\sft\guardedid\gidd.exe /s
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\consta~1.lnk - c:\program files\constant guard protection suite\IDVault.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Open Link Target in Firefox - file://c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewlink.html
IE: View This Page in Firefox - file://c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewpage.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1308685415186
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GIDLogonXP - GIDLogonXP.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - c:\program files\sft\guardedid\gidi.exe /v
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://sfgate.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\all users\application data\white sky, inc\id vault\xpcom3\components\IdVault.XPCOM3.dll
FF - component: c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\christy\application data\mozilla\firefox\profiles\fq8zfcwt.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\documents and settings\christy\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\christy\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\christy\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\documents and settings\christy\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Calculator: {AA052FD6-366A-4771-A591-0D8DC551585D} - %profile%\extensions\{AA052FD6-366A-4771-A591-0D8DC551585D}
FF - Ext: ViewInFirefox: {5D558C43-550F-4b12-84AB-0D8ABDA9F975} - %profile%\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}
FF - Ext: FormFox: formfox@daniel.steinbrook - %profile%\extensions\formfox@daniel.steinbrook
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
FF - Ext: CuteMenus - Crystal SVG: {63df8e21-711c-4074-a257-b065cadc28d8} - %profile%\extensions\{63df8e21-711c-4074-a257-b065cadc28d8}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: CacheIt!: {98449521-9320-4257-aa35-9e1a39c8cbe0} - %profile%\extensions\{98449521-9320-4257-aa35-9e1a39c8cbe0}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: Red Cats (green flavor): {dd30bf68-268a-4815-ad48-8740b774c764} - %profile%\extensions\{dd30bf68-268a-4815-ad48-8740b774c764}
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coFFPlgn
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-6-24 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-6-24 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-6-24 656320]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-6-24 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-6-24 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20110616.003\BHDrvx86.sys [2011-6-16 810616]
R1 GIDv2;GIDv2;c:\windows\system32\drivers\gidv2.sys [2011-6-23 25232]
R1 MpKslf514b9da;MpKslf514b9da;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1061d659-ded2-4ac1-aa5a-4afac5295556}\mpkslf514b9da.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1061d659-ded2-4ac1-aa5a-4afac5295556}\MpKslf514b9da.sys [?]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-6-24 136312]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.1.0.29\ccsvchst.exe [2011-6-24 130008]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-6-24 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-6-24 1150936]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-6-24 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20110624.050\IDSXpx86.sys [2011-6-24 355256]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110624.020\NAVENG.SYS [2011-6-24 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110624.020\NAVEX15.SYS [2011-6-24 1542392]
S1 MpKslb4c78394;MpKslb4c78394;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be32b7a2-c83d-4f12-a229-56ffec5525da}\mpkslb4c78394.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be32b7a2-c83d-4f12-a229-56ffec5525da}\MpKslb4c78394.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 136176]
S2 IDVaultSvc;CGPS Service;c:\program files\constant guard protection suite\IDVaultSvc.exe [2011-6-14 60488]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-22 366640]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 136176]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-25 06:11:54 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-06-25 01:43:23 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-06-25 01:43:22 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-06-25 01:43:11 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-06-25 01:42:48 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-06-25 01:42:48 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-06-25 01:41:28 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-06-25 01:39:48 -------- d-----w- c:\program files\common files\PC Tools
2011-06-25 01:39:47 -------- d-----w- c:\program files\PC Tools Security
2011-06-25 01:39:47 -------- d-----w- c:\documents and settings\christy\application data\PC Tools
2011-06-25 01:39:47 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-06-24 16:51:46 369784 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdi.sys
2011-06-24 16:51:46 331384 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys
2011-06-24 16:51:46 296568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symnets.sys
2011-06-24 16:51:45 744568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symefa.sys
2011-06-24 16:51:45 340088 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symds.sys
2011-06-24 16:51:44 516216 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys
2011-06-24 16:51:44 50168 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys
2011-06-24 16:51:44 136312 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys
2011-06-24 16:50:39 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D
2011-06-24 16:42:50 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-06-24 16:42:50 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-06-24 16:42:49 -------- d-----w- c:\program files\Symantec
2011-06-24 16:42:49 -------- d-----w- c:\program files\common files\Symantec Shared
2011-06-24 16:41:46 -------- d-----w- c:\windows\system32\drivers\N360
2011-06-24 16:41:42 -------- d-----w- c:\program files\Norton Security Suite
2011-06-24 06:32:54 -------- d-----w- c:\program files\NortonInstaller
2011-06-24 06:32:54 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2011-06-24 06:23:02 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-06-24 05:55:20 -------- d-----w- c:\documents and settings\all users\application data\IsolatedStorage
2011-06-24 05:55:11 -------- d-----w- c:\documents and settings\christy\local settings\application data\ID Vault
2011-06-24 05:54:03 87624 ----a-w- c:\program files\mozilla firefox\IdVaultCore.XmlSerializers.dll
2011-06-24 05:54:03 8007680 ----a-w- c:\program files\mozilla firefox\Microsoft.mshtml.dll
2011-06-24 05:54:03 1590856 ----a-w- c:\program files\mozilla firefox\IdVaultCore.dll
2011-06-24 05:54:03 129608 ----a-w- c:\program files\mozilla firefox\CommonDotNET.dll
2011-06-24 05:53:54 -------- d-----w- c:\documents and settings\christy\application data\ID Vault
2011-06-24 05:53:37 25232 ------w- c:\windows\system32\drivers\gidv2.sys
2011-06-24 05:53:18 -------- d-----w- c:\documents and settings\all users\GID
2011-06-24 05:53:09 -------- d-----w- c:\program files\SFT
2011-06-24 05:52:36 -------- d-----w- c:\program files\Constant Guard Protection Suite
2011-06-24 05:46:08 -------- d-----w- c:\windows\system32\XPSViewer
2011-06-24 05:44:44 27648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-06-24 05:44:17 14048 ------w- c:\windows\system32\spmsg2.dll
2011-06-23 17:22:29 -------- d-----w- c:\documents and settings\all users\application data\White Sky, Inc
2011-06-23 00:06:25 -------- d-----w- c:\documents and settings\christy\application data\Malwarebytes
2011-06-23 00:05:03 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-23 00:05:01 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-23 00:04:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-22 18:56:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-22 11:57:20 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-06-22 11:57:20 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-06-21 16:54:36 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-06-21 16:35:18 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-08 04:42:42 -------- d-----w- c:\program files\iPod
2011-06-08 04:42:37 -------- d-----w- c:\program files\iTunes
2011-06-08 04:36:12 -------- d-----w- c:\program files\Bonjour
2011-06-07 21:25:36 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-06-07 21:25:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-07 21:11:27 -------- d-----w- c:\documents and settings\christy\application data\MSNInstaller
2011-06-07 17:57:50 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-07 17:57:50 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-06-21 20:50:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-10 15:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 15:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-04 09:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51:57 78336 ---ha-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51:57 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51:57 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01:21 389120 ---ha-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 23:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A1411ED]<<
_asm { PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x8]; CMP DWORD [EAX+0x2c], 0x7; PUSH EBX; MOV EBX, [EBP+0xc]; PUSH ESI; PUSH EDI; MOV EDI, [EBX+0x60]; JNZ 0xf7; MOV ESI, [EDI+0x4]; MOV EAX, [ESI+0xc]; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A1CF4F8]
3 CLASSPNP[0xF76B7FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\000000ab[0x8A1FC9E8]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8A1ED940]
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
detected disk devices:
detected hooks:
\Driver\atapi -> 0x8a1411ed
user != kernel MBR !!!
Warning: possible MBR rootkit infection !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 23:35:55.07 ===============

*************************

Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/7/2005 9:30:11 PM
System Uptime: 6/24/2011 6:21:45 PM (5 hours ago)
.
Motherboard: DELL SYSTEM | | Inspiron 700m
Processor: Intel(R) Pentium(R) M processor 1.60GHz | U1 | 598/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 34 GiB total, 6.397 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1007: 6/21/2011 12:58:50 PM - Software Distribution Service 3.0
RP1008: 6/21/2011 6:37:10 PM - Removed Java(TM) 6 Update 7
RP1009: 6/22/2011 10:49:03 AM - Software Distribution Service 3.0
RP1010: 6/23/2011 11:26:33 AM - Software Distribution Service 3.0
RP1011: 6/23/2011 10:44:17 PM - Installed %1 %2.
RP1012: 6/23/2011 10:44:34 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1013: 6/24/2011 12:37:17 PM - Software Distribution Service 3.0
RP1014: 6/24/2011 1:42:09 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Amazon MP3 Downloader 1.0.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Banctec Service Agreement
Bonjour
Broadcom Management Programs
Conexant D480 MDC V.9x Modem
Constant Guard Protection Suite
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Media Experience Update
Dell Networking Guide
Dell Picture Studio v3.0
Dell System Restore
Dell Wireless WLAN Utility
DellSupport
Digital Line Detect
Foxit PDF Editor
Foxit Reader
FoxyTunes for Firefox
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GuardedID
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics 2 Driver
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java Auto Updater
Java(TM) 6 Update 26
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MobileMe Control Panel
Mozilla Firefox (3.6.18)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
My Way Search Assistant
NetWaiting
Norton Security Suite
PCIxx20
Photo Click
PowerDVD 5.1
QuickTime
RealPlayer Basic
SCRABBLE
Scrabble (remove only)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype Toolbars
Skype™ 5.1
Spybot - Search & Destroy
Spyware Doctor with AntiVirus 8.0
Synaptics Pointing Device Driver
Texas Instruments PCIxx20 drivers.
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WordPerfect Office 12
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
6/24/2011 6:23:56 PM, error: Service Control Manager [7000] - The CGPS Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/24/2011 6:23:55 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the CGPS Service service to connect.
6/24/2011 6:22:56 PM, error: Dhcp [1002] - The IP address lease 192.168.0.139 for the Network Card with network address 000B7D16E4AA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
6/24/2011 10:05:15 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer TOM-LAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C5618145-AC2E-462. The master browser is stopping or an election is being forced.
6/23/2011 9:53:27 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
6/23/2011 9:50:51 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
6/23/2011 12:37:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ALG with arguments "" in order to run the server: {D6015EC3-FA16-4813-9CA1-DA204574F5DA}
6/23/2011 12:36:52 PM, error: Tcpip [4198] - The system detected an address conflict for IP address 192.168.0.1 with the system having network hardware address 00:1B:11:4B:83:21. The local interface has been disabled.
6/22/2011 5:25:29 PM, error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
6/22/2011 5:25:29 PM, error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
6/21/2011 12:33:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/21/2011 12:04:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
6/21/2011 12:03:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
6/21/2011 12:01:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/21/2011 12:00:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2011 12:00:19 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================
 
Good Morning and welcome to TechSpot! I'll help with the malware.

Edit: Please go to Add/Remove Programs and uninstall My Way Search Assistant. Then right click on the Taskbar> Explore> My Computer> Double click on Local Drive(C)> Programs> Look for the Program folder for My Way Search Assistant and do a right click> Delete.

There appears to be a rootkit infection so please do the following:
Please download MBRCheck and save to your desktop
  • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    [o] Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    [o] Found non-standard or infected MBR.
    [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Paste this log to your next message.
=========================================
When you have finished with the scan above, please go on to the following:
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (screenshot: whatnext.png)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

Please leave both logs in your next reply.
=======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
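The MBRCheck step above reports whether the disk's boot code is recognised (the MBRCheck log later in this thread prints "Dell MBR code detected" together with a SHA1). As an added example that is not part of this thread and not MBRCheck's own code, the Python below performs the same kind of check on a 512-byte MBR image constructed inside the script: it verifies the trailing 0x55AA signature, hashes the 440-byte boot-code region and looks the digest up in an allow-list, then parses the partition table and flags anything other than exactly one bootable partition. The sample boot stub, the partition layout, the allow-list entry and the choice of hashing the first 440 bytes are all assumptions made for the example; MBRCheck's actual hashing rule is not stated on the page.

```python
"""Allow-list check of an MBR boot sector.

Added example for this thread, not MBRCheck's own code. It models the kind of
check MBRCheck performs: hash the boot code, compare against known-good code,
and list the partition table so an unexpected bootable entry stands out.
All sample data below is constructed for the demonstration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # assumed hashing region: bootstrap code before the disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # final two bytes of a well-formed MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR from boot code and (type, bootable, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code exceeds %d bytes" % BOOT_CODE_LEN)
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (ptype, bootable, lba_start, sectors) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        status = 0x80 if bootable else 0x00
        # CHS fields are left zero; the check below relies on the LBA fields only.
        sector[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partitions(mbr: bytes):
    """Return the non-empty partition table entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, known_good: dict) -> dict:
    """Hash the boot code, compare with the allow-list and sanity-check the partition table."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()
    label = known_good.get(digest)
    if label is None:
        findings.append("boot code SHA1 not in allow-list")
    partitions = parse_partitions(mbr)
    bootable = [p for p in partitions if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d bootable partitions (expected 1)" % len(bootable))
    return {"sha1": digest, "label": label or "non-standard or unknown MBR code",
            "partitions": partitions, "findings": findings, "ok": not findings}


# Constructed sample data: a stand-in boot stub (not real vendor code) and a
# two-partition layout with one bootable NTFS (type 0x07) partition.
SAMPLE_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 24
SAMPLE_PARTITIONS = [(0x07, True, 63, 80262), (0x07, False, 80325, 100000)]
SAMPLE_GOOD_MBR = build_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)

# The allow-list maps a boot-code SHA1 to a readable label. A real deployment
# would populate it from known-good images of its own machines.
KNOWN_GOOD_SHA1 = {
    hashlib.sha1(SAMPLE_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest().upper(): "constructed vendor MBR",
}

# The same sector with one boot-code byte altered, standing in for a modified MBR.
_tampered = bytearray(SAMPLE_GOOD_MBR)
_tampered[0x10] ^= 0xFF
SAMPLE_TAMPERED_MBR = bytes(_tampered)


if __name__ == "__main__":
    for name, mbr in (("clean", SAMPLE_GOOD_MBR), ("tampered", SAMPLE_TAMPERED_MBR)):
        result = check_mbr(mbr, KNOWN_GOOD_SHA1)
        print(name, result["sha1"], result["label"])
        for p in result["partitions"]:
            print("  part %d type 0x%02X bootable=%s lba=%d sectors=%d" % (
                p["index"], p["type"], p["bootable"], p["lba_start"], p["sectors"]))
        print("  findings:", result["findings"] or "none")
```

On a real machine the 512 bytes would come from the first sector of the physical drive rather than from `build_mbr`, and the allow-list would hold the digests of boot code known to be good for that hardware; a digest that is not listed is a prompt to compare the sector against a clean copy, not proof of infection by itself.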
 
Thank you Bobbye.

I see the "My Search Assistant" in the DDS log as did you, however it does not appear in the Add/Delete Programs or Program Files.

As per the instructions I have not moved to the next step. Will await your direction.
 
Okay to go on to the MBR scan, followed by Combofix. I should be able to remove MySearchAssistant with script I'll have you run through Combofix. She had the My WebSearch malware entries that were removed in Mbam.

You might want to pass on to her that she should avoid the Fun Web Products and related sites. Users go to that site to get 'cute' cursors, wallpaper, screen savers, Smileys, etc. But all that free stuff comes with a price of malware to their systems. If you notice any of the following in All Programs or Add/Remove Programs, okay to remove:
# My Web Search (Smiley Central or FWP product as applicable)
# My Way Speedbar (Smiley Central or other FWP as applicable)
# My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
# My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
# Search Assistant - My Way

I'll have you run HijackThis at the end to make sure we've removed all bad entries.
 
Below are the MBR and Combo fix logs.

A couple of things to be aware of:

I had taken the PC off-line during Combofix and was unable to successfully complete the install of the recovery console.

When attempting to start Firefox following the reboot, an error message appeared regarding "unable to load C++ file" (didn't write it down). Firefox opened normally. Attempting to type created characters different from the keys being pressed. Resolved itself after another reboot.

Logs:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 192):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF798B000 cmdide.sys
0xF798D000 aliide.sys
0xF798F000 toside.sys
0xF7991000 viaide.sys
0xF7993000 intelide.sys
0xF74D9000 pcmcia.sys
0xF7607000 MountMgr.sys
0xF74BA000 ftdisk.sys
0xF7494000 dmio.sys
0xF770F000 PartMgr.sys
0xF78A3000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7617000 VolSnap.sys
0xF78A7000 cpqarray.sys
0xF747C000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7464000 atapi.sys
0xF78AB000 aha154x.sys
0xF7717000 sparrow.sys
0xF78AF000 symc810.sys
0xF7627000 aic78xx.sys
0xF78B3000 dac960nt.sys
0xF7637000 ql10wnt.sys
0xF78B7000 amsint.sys
0xF771F000 asc.sys
0xF78BB000 asc3550.sys
0xF7727000 mraid35x.sys
0xF772F000 i2omp.sys
0xF78BF000 ini910u.sys
0xF7647000 ql1240.sys
0xF7657000 aic78u2.sys
0xF7737000 symc8xx.sys
0xF773F000 sym_hi.sys
0xF7747000 sym_u3.sys
0xF774F000 ABP480N5.SYS
0xF7757000 asc3350p.sys
0xF7995000 cd20xrnt.sys
0xF7667000 ultra.sys
0xF786E000 adpu160m.sys
0xF775F000 dpti2o.sys
0xF7677000 ql1080.sys
0xF7687000 ql1280.sys
0xF7697000 ql12160.sys
0xF7767000 perc2.sys
0xF7997000 perc2hib.sys
0xF776F000 hpn.sys
0xF78C3000 cbidf2k.sys
0xF7842000 dac2w2k.sys
0xF76A7000 disk.sys
0xF76B7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7967000 fltmgr.sys
0xF7B88000 SYMDS.SYS
0xF7830000 sr.sys
0xF7ACD000 SYMEFA.SYS
0xF7777000 PxHelp20.sys
0xF7950000 KSecDD.sys
0xBA773000 Ntfs.sys
0xBA746000 NDIS.sys
0xF76C7000 sisagp.sys
0xF76D7000 viaagp.sys
0xF76E7000 ohci1394.sys
0xF76F7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA68C000 Mup.sys
0xF7587000 agp440.sys
0xF7577000 alim1541.sys
0xF7567000 amdagp.sys
0xF7557000 agpCPQ.sys
0xF7527000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA716000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA5E7000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB9342000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB932E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9606000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB930A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB95FE000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB92BD000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB92AC000 \SystemRoot\system32\drivers\tifm.sys
0xBA706000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xB9298000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA6F6000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB95F6000 \SystemRoot\System32\Drivers\GIDv2.SYS
0xB95EE000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB926B000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF79E9000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB95E6000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA6E6000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA1FE000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA1EE000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9248000 \SystemRoot\system32\DRIVERS\ks.sys
0xB95DE000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB9207000 \SystemRoot\system32\drivers\stac97.sys
0xB91E3000 \SystemRoot\system32\drivers\portcls.sys
0xBA1DE000 \SystemRoot\system32\drivers\drmk.sys
0xB91B2000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xB90B3000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xB900D000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xB95D6000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7A88000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA1CE000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA5E3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8FF6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1BE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1AE000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB95CE000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8FE5000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA19E000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB95C6000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB95BE000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8FB5000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA18E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79EF000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8F57000 \SystemRoot\system32\DRIVERS\update.sys
0xBA56A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\omci.sys
0xBA17E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA6B6000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA607000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xAC516000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB0278000 \SystemRoot\System32\Drivers\Null.SYS
0xAC57E000 \SystemRoot\System32\Drivers\Beep.SYS
0xA83D6000 \SystemRoot\System32\drivers\vga.sys
0xAC50C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xAC580000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA83CE000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA83C6000 \SystemRoot\System32\Drivers\Npfs.SYS
0xAFDEA000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA70ED000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA7094000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA703B000 \SystemRoot\System32\Drivers\N360\0501000.01D\SYMTDI.SYS
0xA7015000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA86D8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA6FEF000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA86C8000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA6F6D000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA6F4B000 \SystemRoot\System32\drivers\afd.sys
0xA7EAC000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA6F27000 \SystemRoot\system32\drivers\N360\0501000.01D\Ironx86.SYS
0xA7E5C000 \SystemRoot\system32\drivers\N360\0501000.01D\SRTSPX.SYS
0xA6EFC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA6E8C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA592000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1061D659-DED2-4AC1-AA5A-4AFAC5295556}\MpKslf514b9da.sys
0xA7E1C000 \SystemRoot\System32\Drivers\Fips.SYS
0xA6E2E000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA6E10000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA6D46000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110616.003\BHDrvx86.sys
0xABB54000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA6D2E000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79F1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA5EF000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7807000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xB027D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF05E000 \SystemRoot\System32\ialmdd5.DLL
0xBF119000 \SystemRoot\System32\ATMFD.DLL
0xAC542000 \SystemRoot\system32\DRIVERS\mdc8021x.sys
0xA8B40000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA6BB1000 \SystemRoot\system32\drivers\wdmaud.sys
0xA8F43000 \SystemRoot\system32\drivers\sysaudio.sys
0xA6A96000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79D3000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xA83F0000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xA6A82000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA68D6000 \SystemRoot\system32\DRIVERS\srv.sys
0xA6255000 \SystemRoot\System32\Drivers\HTTP.sys
0xA6014000 \SystemRoot\System32\Drivers\N360\0501000.01D\SRTSP.SYS
0xA58DF000 \SystemRoot\system32\drivers\pctDS.sys
0xA583A000 \SystemRoot\system32\drivers\pctEFA.sys
0xA57FD000 \SystemRoot\system32\drivers\PCTCore.sys
0xA5E51000 \??\C:\Program Files\PC Tools Security\PCTSDInj32.sys
0xA54FD000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110624.050\IDSxpx86.sys
0xA50BD000 \??\C:\DOCUME~1\Christy\LOCALS~1\Temp\fflyapod.sys
0xA96A7000 \??\C:\DOCUME~1\Christy\LOCALS~1\Temp\mbr.sys
0xF79A1000 \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
0xA4942000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110625.002\NAVEX15.SYS
0xA492E000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110625.002\NAVENG.SYS
0xA48B3000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 44):
0 System Idle Process
4 System
844 C:\WINDOWS\SYSTEM32\smss.exe
920 csrss.exe
948 C:\WINDOWS\SYSTEM32\winlogon.exe
992 C:\WINDOWS\SYSTEM32\services.exe
1004 C:\WINDOWS\SYSTEM32\lsass.exe
1172 C:\WINDOWS\SYSTEM32\svchost.exe
1252 svchost.exe
1368 C:\WINDOWS\SYSTEM32\svchost.exe
1532 svchost.exe
1584 svchost.exe
1956 C:\WINDOWS\SYSTEM32\spoolsv.exe
1224 C:\WINDOWS\explorer.exe
2020 svchost.exe
252 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
420 C:\Program Files\Bonjour\mDNSResponder.exe
784 PresentationFontCache.exe
724 C:\WINDOWS\SYSTEM32\ctfmon.exe
1464 C:\WINDOWS\SYSTEM32\hkcmd.exe
1516 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
1728 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1736 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
2308 C:\Program Files\Java\jre6\bin\jqs.exe
2408 C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe
2492 C:\WINDOWS\SYSTEM32\svchost.exe
2592 C:\WINDOWS\SYSTEM32\WLTRYSVC.EXE
2724 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
2772 C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE
3252 C:\Program Files\iTunes\iTunesHelper.exe
3660 C:\Program Files\SFT\GuardedID\GIDD.exe
3836 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
732 C:\Program Files\Constant Guard Protection Suite\IDVault.exe
744 C:\Program Files\Digital Line Detect\DLG.exe
2944 C:\Program Files\iPod\bin\iPodService.exe
1452 alg.exe
2100 C:\WINDOWS\SYSTEM32\svchost.exe
2472 C:\Program Files\Internet Explorer\iexplore.exe
2248 C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe
3976 C:\Program Files\PC Tools Security\pctsAuxs.exe
1416 C:\Program Files\PC Tools Security\pctsSvc.exe
2416 C:\Program Files\PC Tools Security\pctsGui.exe
2108 C:\WINDOWS\SYSTEM32\wuauclt.exe
5432 C:\Documents and Settings\Christy\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK4026GAX, Rev: PA102D

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Dell MBR code detected
SHA1: 84B95CE8A54B7C5C3AAF149934FC46FB70FF8365


Done!



*********************

ComboFix 11-06-25.03 - Christy 06/25/2011 13:38:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1262.831 [GMT -7:00]
Running from: c:\documents and settings\Christy\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-05-25 to 2011-06-25 )))))))))))))))))))))))))))))))
.
.
2011-06-25 06:11 . 2011-06-25 06:11 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-06-25 01:43 . 2010-07-16 21:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-06-25 01:43 . 2010-07-16 21:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-06-25 01:43 . 2010-11-17 17:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-06-25 01:42 . 2010-11-25 17:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-06-25 01:42 . 2010-11-25 17:43 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-06-25 01:41 . 2010-11-25 17:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-06-25 01:39 . 2011-06-25 01:44 -------- d-----w- c:\program files\Common Files\PC Tools
2011-06-25 01:39 . 2011-06-25 05:46 -------- d-----w- c:\program files\PC Tools Security
2011-06-25 01:39 . 2011-06-25 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-06-25 01:39 . 2011-06-25 01:39 -------- d-----w- c:\documents and settings\Christy\Application Data\PC Tools
2011-06-24 16:42 . 2011-06-24 16:51 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-06-24 16:42 . 2011-06-24 16:51 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-06-24 16:42 . 2011-06-24 16:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-06-24 16:42 . 2011-06-24 16:51 -------- d-----w- c:\program files\Symantec
2011-06-24 16:41 . 2011-06-24 20:32 -------- d-----w- c:\windows\system32\drivers\N360
2011-06-24 16:41 . 2011-06-24 16:41 -------- d-----w- c:\program files\Norton Security Suite
2011-06-24 16:41 . 2011-06-24 16:41 -------- d-----w- c:\program files\Windows Sidebar
2011-06-24 06:32 . 2011-06-24 06:32 -------- d-----w- c:\program files\NortonInstaller
2011-06-24 06:23 . 2011-06-24 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-06-24 06:18 . 2011-06-24 06:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\ID Vault
2011-06-24 05:55 . 2011-06-24 05:55 -------- d-----w- c:\documents and settings\All Users\Application Data\IsolatedStorage
2011-06-24 05:55 . 2011-06-24 06:01 -------- d-----w- c:\documents and settings\Christy\Local Settings\Application Data\ID Vault
2011-06-24 05:54 . 2011-06-14 19:24 87624 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.XmlSerializers.dll
2011-06-24 05:54 . 2011-06-14 19:24 1590856 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.dll
2011-06-24 05:54 . 2011-06-14 19:24 129608 ----a-w- c:\program files\Mozilla Firefox\CommonDotNET.dll
2011-06-24 05:54 . 2011-06-14 19:23 8007680 ----a-w- c:\program files\Mozilla Firefox\Microsoft.mshtml.dll
2011-06-24 05:53 . 2011-06-24 06:21 -------- d-----w- c:\documents and settings\Christy\Application Data\ID Vault
2011-06-24 05:53 . 2011-03-04 02:02 25232 ------w- c:\windows\system32\drivers\gidv2.sys
2011-06-24 05:53 . 2011-06-24 05:53 -------- d-----w- c:\documents and settings\All Users\GID
2011-06-24 05:53 . 2011-06-24 05:53 -------- d-----w- c:\program files\SFT
2011-06-24 05:52 . 2011-06-24 05:54 -------- d-----w- c:\program files\Constant Guard Protection Suite
2011-06-24 05:51 . 2011-06-24 05:51 -------- d-----w- c:\program files\MSBuild
2011-06-24 05:46 . 2011-06-24 05:46 -------- d-----w- c:\windows\system32\XPSViewer
2011-06-24 05:45 . 2011-06-24 05:45 -------- d-----w- c:\program files\Reference Assemblies
2011-06-24 05:44 . 2006-10-14 23:43 27648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-06-24 05:44 . 2006-06-29 20:07 14048 ------w- c:\windows\system32\spmsg2.dll
2011-06-23 17:45 . 2011-06-23 17:45 -------- d-----w- c:\program files\Microsoft.NET
2011-06-23 17:22 . 2011-06-23 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\White Sky, Inc
2011-06-23 00:06 . 2011-06-23 00:06 -------- d-----w- c:\documents and settings\Christy\Application Data\Malwarebytes
2011-06-23 00:05 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-23 00:05 . 2011-06-23 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-23 00:04 . 2011-06-23 00:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-22 18:56 . 2011-06-23 05:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-22 11:57 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-06-21 16:54 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-06-21 16:35 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-08 04:42 . 2011-06-08 04:42 -------- d-----w- c:\program files\iPod
2011-06-08 04:42 . 2011-06-08 04:43 -------- d-----w- c:\program files\iTunes
2011-06-08 04:36 . 2011-06-08 04:36 -------- d-----w- c:\program files\Bonjour
2011-06-07 21:25 . 2011-05-04 11:52 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-06-07 21:25 . 2011-05-04 11:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-07 21:11 . 2011-06-07 21:11 -------- d-----w- c:\documents and settings\Christy\Application Data\MSNInstaller
2011-06-07 17:57 . 2011-06-07 17:57 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-07 17:47 . 2011-06-07 17:47 -------- d-----w- c:\documents and settings\Patrick\PrivacIE
2011-06-07 17:46 . 2011-06-07 17:46 -------- d-----w- c:\documents and settings\Patrick\Local Settings\Application Data\Apple Computer
2011-06-07 17:46 . 2011-06-07 17:46 -------- d-----w- c:\documents and settings\Patrick\IETldCache
2011-06-07 03:31 . 2011-06-07 03:31 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-21 20:50 . 2011-05-26 01:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-10 15:06 . 2010-02-01 00:16 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 15:06 . 2008-06-16 23:58 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-04 09:25 . 2008-07-23 02:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2004-08-04 11:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2004-08-04 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2009-06-30 18:51 78336 ---ha-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2004-08-04 11:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2004-08-04 11:00 389120 ---ha-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 11:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B84CDBE7-1B46-494B-A188-01D4C52DEB61}]
2011-06-14 19:24 99912 ----a-w- c:\program files\Constant Guard Protection Suite\NativeBHO.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-30 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-25 118784]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-22 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-22 507904]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-06 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"GIDDesktop"="c:\program files\SFT\GuardedID\gidd.exe" [2011-03-04 393992]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Constant Guard.lnk - c:\program files\Constant Guard Protection Suite\IDVault.exe [2011-6-14 3231816]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-1-30 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GIDLogonXP]
2011-03-04 02:03 53528 ----a-w- c:\windows\SYSTEM32\GIDLogonXP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-01-31 03:01 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Christy\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Christy\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [6/24/2011 6:42 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\SYSTEM32\DRIVERS\pctDS.sys [6/24/2011 6:43 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\pctEFA.sys [6/24/2011 6:43 PM 656320]
R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0501000.01D\symds.sys [6/24/2011 9:51 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0501000.01D\symefa.sys [6/24/2011 9:51 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110616.003\BHDrvx86.sys [6/16/2011 1:56 AM 810616]
R1 GIDv2;GIDv2;c:\windows\SYSTEM32\DRIVERS\gidv2.sys [6/23/2011 10:53 PM 25232]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0501000.01D\ironx86.sys [6/24/2011 9:51 AM 136312]
R2 IDVaultSvc;CGPS Service;c:\program files\Constant Guard Protection Suite\IDVaultSvc.exe [6/14/2011 12:24 PM 60488]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [6/24/2011 9:51 AM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2011 9:52 AM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110624.050\IDSXpx86.sys [6/24/2011 7:05 PM 355256]
S1 MpKslb4c78394;MpKslb4c78394;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE32B7A2-C83D-4F12-A229-56FFEC5525DA}\MpKslb4c78394.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE32B7A2-C83D-4F12-A229-56FFEC5525DA}\MpKslb4c78394.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 5:11 PM 136176]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/22/2011 5:05 PM 366640]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 5:11 PM 136176]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [6/24/2011 6:40 PM 366840]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
2011-03-04 02:04 433416 ----a-w- c:\program files\SFT\GuardedID\GIDI.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-06-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-30 21:18]
.
2011-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 00:11]
.
2011-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 00:11]
.
2011-06-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3433564889-2656460755-3931638002-1005Core.job
- c:\documents and settings\Christy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-09 02:17]
.
2011-06-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3433564889-2656460755-3931638002-1005UA.job
- c:\documents and settings\Christy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-09 02:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Open Link Target in Firefox - file://c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\fq8zfcwt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
IE: View This Page in Firefox - file://c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\fq8zfcwt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
FF - ProfilePath - c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\fq8zfcwt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://sfgate.com/
FF - Ext: Calculator: {AA052FD6-366A-4771-A591-0D8DC551585D} - %profile%\extensions\{AA052FD6-366A-4771-A591-0D8DC551585D}
FF - Ext: ViewInFirefox: {5D558C43-550F-4b12-84AB-0D8ABDA9F975} - %profile%\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}
FF - Ext: FormFox: formfox@daniel.steinbrook - %profile%\extensions\formfox@daniel.steinbrook
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
FF - Ext: CuteMenus - Crystal SVG: {63df8e21-711c-4074-a257-b065cadc28d8} - %profile%\extensions\{63df8e21-711c-4074-a257-b065cadc28d8}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: CacheIt!: {98449521-9320-4257-aa35-9e1a39c8cbe0} - %profile%\extensions\{98449521-9320-4257-aa35-9e1a39c8cbe0}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: Red Cats (green flavor): {dd30bf68-268a-4815-ad48-8740b774c764} - %profile%\extensions\{dd30bf68-268a-4815-ad48-8740b774c764}
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-25 13:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
c:\windows\system32\GIDLogonXP.dll
c:\windows\system32\GIDHookLogon.dll
c:\windows\system32\GIDBIN1.dll
c:\windows\system32\WININET.dll
.
Completion time: 2011-06-25 13:50:51
ComboFix-quarantined-files.txt 2011-06-25 20:50
.
Pre-Run: 6,826,139,648 bytes free
Post-Run: 6,970,892,288 bytes free
.
- - End Of File - - ABA1408D474B897B001D525ADA55BE7E
 
You didn't have to disconnect from the internet before running Combofix. The program itself would have disconnected before the scan.

I note that you have installed PC Tools Security on 6/25. You have Norton Security running, so now you have 2 antivirus programs and 2 firewalls.
2011-06-24 16:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
c:\program files\Symantec
c:\windows\system32\drivers\N360
c:\program files\Norton Security Suite
2011-06-25 01:44 -------- d-----w- c:\program files\Common Files\PC Tools
c:\program files\PC Tools Security
c:\documents and settings\All Users\Application Data\PC Tools
c:\documents and settings\Christy\Application Data\PC Tools
All-In-One PC Security
PC Tools Internet Security Suite offers powerful antispyware, antivirus, firewall and spam protection in one easy-to-use application.


And it appears that you also installed the Constant Guard™ Protection Suite (CGPS) from Comcast on 6/24.
This is a desktop application that provides comprehensive personal protection from malicious software (bots), phishing, pharming, spyware, keystroke loggers and other online fraud schemes designed to steal personal information and identities for financial gain.

You should not be downloading new programs while I'm helping you unless I instruct you to. Your first scan was 6/22. So the malware was already on the system. You cannot pile security suites on top of one another trying to find and fix the malware. Ideally, security keeps the malware out.
===========================================
Can you tell me what this is please? 2011-06-24 05:53 -------- d-----w- c:\program files\SFT
============================================
Before I give you any script to run, please get the security down to only one antivirus and one firewall. It's okay to have multiple antimalware programs but having multiple AV and/or FW actually makes the system more vulnerable, not less.
==========================================
Please stop installing new programs unless I direct you to do so, while I am helping you. Every time you install something new, it changes the logs.
 
OK, rookie mistake on the virus protection/FW. I should now be down to Norton only.

I am not sure why it looks like new programs are being loaded, I have not loaded any. I did realize that I posted the very first MBAM log from 6/22, before I came here; below is the correct one from 6/24.


>>>>Can you tell me what this is please? 2011-06-24 05:53 -------- d-----w- c:\program files\SFT<<<<<<

I have no idea. I am retired, so 5:53 in the morning is too early for me to be working the computer.

****************************************************

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6927

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/24/2011 2:12:57 PM
mbam-log-2011-06-24 (14-12-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 39774
Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
I am not sure why it looks like new programs are being loaded, I have not loaded any

I hope you're up, have had your coffee and are ready to tackle this. If your daughter is continuing to use the computer while I am helping clean it, she needs to stop installing new programs. The entries and dates came right from the logs.

The programs are all legitimate. But when a new program is added, there will be new entries in the logs which I have to account for.
=========================================
Sometimes we have to work to ID a process. The following helped ID this: c:\program files\SFT
mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - c:\program files\sft\guardedid\gidi.exe /v
(This may be a trial. Purchase is $30.00)
====================================
Tell me please if you have uninstalled PC Tools. If so, there are some entries I want to add still on the system.
====================================
Please run the following- hopefully that will finish us up:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the ESET Smart Installer link to download it. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=========================================
Download HijackThis from http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save it to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will be saved and then the log will open in Notepad. Be sure to click on Format > Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Edit: I'll get back to you on changing the underscore to make link readable.
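The helper's approach above, matching an unfamiliar "Files Created" folder against the loading points in the same ComboFix log, as an added Python example (not code from the thread or from ComboFix; the log lines inside it are constructed to mirror the shape of the ones posted):

```python
# Match an unfamiliar folder from a ComboFix log against the autostart entries
# (Run values, winlogon notify, Active Setup, services/drivers) that point into it.
# Added example for this thread; not ComboFix's own code.
import re

# Constructed sample in the layout of ComboFix's "Files Created", "Reg Loading
# Points" and service listings.  c:\program files\MSBuild is deliberately given
# no autostart reference, so it is reported as still unexplained.
SAMPLE_LOG = r"""
2011-06-24 05:53 . 2011-06-24 05:53 -------- d-----w- c:\program files\SFT
2011-06-24 05:52 . 2011-06-24 05:54 -------- d-----w- c:\program files\Constant Guard Protection Suite
2011-06-24 05:51 . 2011-06-24 05:51 -------- d-----w- c:\program files\MSBuild
2011-06-24 05:53 . 2011-03-04 02:02 25232 ------w- c:\windows\system32\drivers\gidv2.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GIDDesktop"="c:\program files\SFT\GuardedID\gidd.exe" [2011-03-04 393992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GIDLogonXP]
2011-03-04 02:03 53528 ----a-w- c:\windows\SYSTEM32\GIDLogonXP.dll
R1 GIDv2;GIDv2;c:\windows\SYSTEM32\DRIVERS\gidv2.sys [6/23/2011 10:53 PM 25232]
R2 IDVaultSvc;CGPS Service;c:\program files\Constant Guard Protection Suite\IDVaultSvc.exe [6/14/2011 12:24 PM 60488]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
2011-03-04 02:04 433416 ----a-w- c:\program files\SFT\GuardedID\GIDI.exe
"""

# "Files Created" line: <date> <time> . <date> <time> <size> <attrs> <path>
CREATED_RE = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d +\S+ +(?P<attrs>\S+) +(?P<path>c:\\.+)$',
    re.IGNORECASE)
# Registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$', re.IGNORECASE)
# REGEDIT-style value under a key: "name"="path" [date size]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# File listed under a key (BHO, winlogon notify, Active Setup): <date> <time> <size> <attrs> <path>
KEYFILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d +\d+ +\S+ +(?P<path>c:\\.+)$', re.IGNORECASE)
# Service/driver line: R0..S3 name;display name;path [date size]
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[', re.IGNORECASE)


def created_folders(log_text):
    """Folders from the 'Files Created' section (attribute string begins with 'd')."""
    folders = []
    for line in log_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and m.group('attrs').startswith('d'):
            folders.append(m.group('path'))
    return folders


def loading_points(log_text):
    """Every autostart reference as (kind, label, path); key headers set the context for the lines below them."""
    points = []
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = SERVICE_RE.match(line)
        if m:
            points.append(('service', m.group('name'), m.group('path')))
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            points.append(('value', current_key + '\\' + m.group('name'), m.group('path')))
            continue
        m = KEYFILE_RE.match(line)
        if m:
            points.append(('keyfile', current_key, m.group('path')))
    return points


def under(folder, path):
    """Case-insensitive 'path lives inside folder' test on Windows-style paths."""
    return path.lower().startswith(folder.lower().rstrip('\\') + '\\')


def references_to(folder, log_text):
    """Loading points whose target file sits inside the given folder."""
    return [p for p in loading_points(log_text) if under(folder, p[2])]


def unexplained_folders(log_text):
    """Created folders that no autostart entry points into: those still need a manual look."""
    return [f for f in created_folders(log_text) if not references_to(f, log_text)]


if __name__ == '__main__':
    for folder in created_folders(SAMPLE_LOG):
        print(folder)
        for kind, label, path in references_to(folder, SAMPLE_LOG):
            print(f'    {kind:8} {label} -> {path}')
    print('still unexplained:', unexplained_folders(SAMPLE_LOG))
```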
 
Yes, PC Tools was already uninstalled.

Here are the next two logs:

**********************************************
C:\Documents and Settings\Christy\Application Data\Sun\Java\Deployment\cache\6.0\23\101a3e97-552bf6bf Java/Agent.CN trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1015\A0066787.sys Win32/Olmasco.E trojan


***********************************************
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:39:33 AM, on 6/27/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17098)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Christy\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\fq8zfcwt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\fq8zfcwt.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1308685415186
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8930 bytes
 
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
    [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
    [5]. Click OK on the Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply > OK on the Temporary Files Settings window.
======================================
Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)


Close all Windows except HijackThis and click on "Fix Checked."
=========================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
=======================================
Your computer is clean! Keep it that way>>>>>>>>
Tips for added security and safer browsing: (Links are in Bold Blue)
  1. Browser Security
    [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
    [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
    [o] Replace the Host Files
    [o] Google Toolbar Pop Up Blocker
    [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show how the site rates for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
  2. Have layered Security:
    [o] Antivirus (only one): Both of the following programs are free and known to be good:
    [o] Avira-AntiVir-Personal-Free-Antivirus
    [o] Avast-Free Antivirus
    [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    [o] Comodo
    [o] Zone Alarm
  3. Antimalware: I recommend all of the following:
    [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
    [o] Spybot Search & Destroy
  4. Updates: Stay current:
    [o] Visit the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
    [o] Adobe Reader: Install current, uninstall old.
    [o] Java Updates: Install current, uninstall old.
  5. Tracking Cookies
    Reset Cookie:
    [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
  6. Do regular Maintenance
    [o] Temporary File Cleaner
  7. Restore Points:
    [o] See System Restore Guide
  8. Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Please let me know if you find any bad link.
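An added read-only check (my example, not part of this thread, of HijackThis or of any tool named above) for the kind of entries the "Fix Checked" step targets: it lists the URLSearchHook (R3) and Toolbar (O3) CLSIDs registered for Internet Explorer, resolves each through its CLSID\InProcServer32 registration and flags the ones whose DLL is gone, the "(no file)" condition shown in the log above. It assumes Windows PowerShell with read access to HKCU and HKLM; the key paths are the standard IE ones and nothing in it is specific to this machine.

```powershell
# Added example (not from the thread or from HijackThis): list the Internet Explorer
# URLSearchHook (HijackThis R3) and Toolbar (HijackThis O3) CLSIDs, resolve each through
# its CLSID\InProcServer32 registration and flag entries whose DLL is gone, which is the
# "(no file)" condition shown above. Read-only: it changes nothing.
# Assumption: Windows PowerShell with read access to HKCU and HKLM.

$hookKeys = @(
    @{ Type = 'R3 URLSearchHook'; Path = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks' },
    @{ Type = 'R3 URLSearchHook'; Path = 'HKLM:\Software\Microsoft\Internet Explorer\URLSearchHooks' },
    @{ Type = 'O3 Toolbar';       Path = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar' }
)

function Resolve-ClsidDll {
    param([string]$Clsid)
    # Per-user class registrations take precedence over machine-wide ones.
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID') {
        $inproc = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $inproc) {
            $raw = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
    }
    return $null
}

function Get-OrphanedIeHooks {
    foreach ($entry in $hookKeys) {
        if (-not (Test-Path -LiteralPath $entry.Path)) { continue }
        # Under these keys the value *names* are the CLSIDs of the registered components.
        $clsids = (Get-Item -LiteralPath $entry.Path).GetValueNames() |
            Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
        foreach ($clsid in $clsids) {
            $dll = Resolve-ClsidDll -Clsid $clsid
            $status = if (-not $dll) { 'ORPHANED (no class registration)' }
                      elseif (Test-Path -LiteralPath $dll) { 'OK' }
                      else { 'ORPHANED (no file)' }
            [pscustomobject]@{
                Type   = $entry.Type
                Hive   = $entry.Path.Split(':')[0]
                CLSID  = $clsid
                Dll    = if ($dll) { $dll } else { '-' }
                Status = $status
            }
        }
    }
}

# Everything that is not OK is a candidate for the HijackThis "Fix Checked" step.
Get-OrphanedIeHooks | Sort-Object Status -Descending | Format-Table -AutoSize
```

An entry whose class registration or DLL is missing is harmless on its own but is exactly what a leftover toolbar or search hook looks like after its files were removed, so the script reports it rather than deleting anything.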