Full Version: Suspected Trojan Infection - Redirects Google & Antivirus sites
BleepingComputer.com > Security > Virus, Trojan, Spyware, and Malware Removal Logs
   
4bard
My laptop is redirecting Google clicks to odd search sites (or antivirus ads). I'm also getting TONS of Vimax ads (not that I'm insecure or anything). A porn site said I was infected with 'troj/rustok-N' and wouldn't allow me to access their video files.

Here's my cut & pasted DDS report, along with the requested attached files (attach.txt and ark.txt). Root Repeal (which I ran in SAFE MODE) would only work on its 'second' Disk setting, not its default (or even 'high') settings.

Many thanks for your assistance!!

DDS (Ver_09-07-30.01) - NTFSx86
Run by BDF at 9:30:44.85 on Thu 08/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.97 [GMT -7:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\BDF\Local Settings\Temporary Internet Files\Content.IE5\96XDHR0T\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://start.earthlink.net
uSearch Page = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uDefault_Page_URL = hxxp://start.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearch Bar = hxxp://start.earthlink.net/AL/Search
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\ElnIE.dll
uURLSearchHooks: H - No File
BHO: ElnkBhoGuard Class: {00000000-0000-0000-0000-000000000002} - c:\program files\earthlink totalaccess\toolbar\EScamBlk.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ElnkScamBHO Class: {15f4d456-5baa-4076-8486-eecb38cd3e57} - c:\program files\earthlink totalaccess\toolbar\EScamBlk.dll
BHO: ElnkPubBHO Class: {512acf1b-64d9-4928-b382-a80556f28db4} - c:\program files\earthlink totalaccess\toolbar\ElnkPuB.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: IE_PopupBlocker Class: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\program files\earthlink totalaccess\accelerator\prpl_IePopupBlocker.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: ElnkProtectionBHO Class: {9579d574-d4d8-4335-9560-fe8641a013bd} - c:\program files\earthlink totalaccess\toolbar\ProtctIE.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: ElnkLegacyUninstBHO Class: {e713904c-df05-4c79-bbad-02db923253be} - c:\program files\earthlink totalaccess\toolbar\uninsttb.dll
TB: EarthLink Toolbar: {c7768536-96f8-4001-b1a2-90ee21279187} - c:\program files\earthlink totalaccess\toolbar\Toolbar.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {74DD705D-6834-439C-A735-A6DBE2677452} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [system tool] c:\program files\tusqek\upihsysguard.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [system tool] c:\program files\tusqek\upihsysguard.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: EarthLink Google Search - c:\program files\earthlink totalaccess\toolbar\SearchUI.dll/search.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\earthlink totalaccess\accelerator\prplsf.dll
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140411847125
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.158,85.255.112.86
TCP: {E141885F-20D7-47B6-A46C-303FD483435B} = 85.255.112.158,85.255.112.86
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-11 1245064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090819.021\NAVENG.SYS [2009-8-19 87888]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090819.021\NAVEX15.SYS [2009-8-19 875728]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S4 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\earthlink totalaccess\wengine\wmonitor.exe [2005-1-26 65604]

=============== Created Last 30 ================

2009-08-20 09:06 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-08-19 18:03 <DIR> --d----- c:\program files\SpywareBlaster
2009-08-19 14:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-08-10 11:17 <DIR> --d----- c:\program files\tusqek

==================== Find3M ====================

2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2008-10-16 12:17 40,344 a------- c:\docume~1\bdf\applic~1\GDIPFONTCACHEV1.DAT
2008-03-11 17:20 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-03-05 11:28 56 ---shr-- c:\windows\system32\819B51CD69.sys
2007-02-02 12:19 952,368 ---sh--- c:\windows\system32\mlnmp.bak1
2007-02-02 16:36 950,634 ---sh--- c:\windows\system32\mlnmp.bak2
2007-02-02 17:54 396,816 ---sh--- c:\windows\system32\mlnmp.ini2
2008-07-31 16:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008073120080801\index.dat

============= FINISH: 9:31:25.66 ===============

SifuMike
Hello 4bard,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************

Note: If you already have Malwarebytes' Anti-Malware, then update, run it, then do a "Perform Full Scan"

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
4bard
Hello SifuMike,

Many thanks for responding to my request for help.

I downloaded Security Check and ran it. Contents of checkup.txt are pasted below.

COULDN'T run Malwarebytes... Actually, I can't EVEN download it from a website directly to my (infected) laptop. So earlier I used my PC and downloaded the setup file, then installed it onto my laptop via a flash drive. Although the program seems to have been installed, it won't open (a double-click yields a brief hourglass, then nothing... the same program works fine on my PC). Couldn't open it in SAFE MODE on the laptop when I tried earlier, either. Same result.

Thanks again for your help. I look forward to hearing back from you!

4bard

Contents of checkup.txt:

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Norton 360


Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

SpywareBlaster 4.2
EarthLink Spyware Blocker
Malwarebytes' Anti-Malware
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe


``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````
SifuMike
Hi 4bard,

You're very welcome.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
    Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java SE Runtime Environment 6 Update 1
    Java 6 Update 2
    Java 6 Update 3
    Java 6 Update 5
    Java 6 Update 7
    Java 2 Runtime Environment, SE v1.4.2_03

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.


*********

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\), then rename mbam.exe to newtool3.exe and double-click newtool3.exe to proceed in running a Full scan.
4bard
Hi SifuMike,

Performed the Java download/Java removal/Java installation as directed. Everything seemed fine.

Renamed MBAM.exe as directed and it worked fine. I'm pasting the report below. I hate to sound like a total fool, but I'm not sure what you meant by a "Hijack This" scan; I know it's the name of the forum, but is there a specific tool/app it's named after as well?

Laptop may be a little faster, but I've still got the Vimax ads and I'm still getting redirected... Just so you know.

Again, thanks,

4bard

Here's the MBAM scan report:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/23/2009 7:25:21 PM
mbam-log-2009-08-23 (19-25-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 172804
Time elapsed: 35 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 3
Registry Data Items Infected: 7
Folders Infected: 3
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{295ba105-3506-4d25-b0dd-54346320bdc5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3fd6b99c-a275-46ea-8fd1-3d63986e51e4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46a4e9d9-b30e-452a-8157-dbbec8573b03} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{68d5cf1d-ec5c-4bdd-a9ef-f0e517565d50} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{74dd705d-6834-439c-a735-a6dbe2677452} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7da39570-5fd2-4f18-94b4-20730cb3f727} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f18f04b0-9cf1-4b93-b004-77a288bee28b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{74dd705d-6834-439c-a735-a6dbe2677452} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{74dd705d-6834-439c-a735-a6dbe2677452} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.158,85.255.112.86 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e141885f-20d7-47b6-a46c-303fd483435b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.158,85.255.112.86 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.158,85.255.112.86 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e141885f-20d7-47b6-a46c-303fd483435b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.158,85.255.112.86 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.158,85.255.112.86 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e141885f-20d7-47b6-a46c-303fd483435b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.158,85.255.112.86 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\BDF\Application Data\searchtoolbarcorp (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\BDF\Application Data\searchtoolbarcorp\Toolbar Vision (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VSAdd-in (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\OmegaPlayer\Uninstall.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\BDF\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\BDF\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ESQULzcounter (Trojan.Agent) -> Delete on reboot.
SifuMike
Hi 4bard,


QUOTE
but I'm not sure what you meant by a "Hijack This" scan


Sorry, that is my fault. I forgot that you did not have HijackThis installed.

Please do this:
1. Download HijackThis here:
http://www.trendsecure.com/portal/en-US/to...ools/hijackthis

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.
Please post it.
4bard
Hi SifuMike,

Had to download and run an executable copy of HijackThis - the 'install' copy wouldn't open (just like Malwarebytes Anti-Malware...)

But I did run a scan - here's the logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:28 AM, on 8/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\BDF\Local Settings\Temporary Internet Files\Content.IE5\Y4EO1S06\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.206.201.8 winsecurepro.microsoft.com
O1 - Hosts: 91.206.201.8 winsecurepro.com
O1 - Hosts: 91.206.201.8 www.winsecurepro.com
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.celartem.com/en/download/data/d...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1140411847125
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9403 bytes


Thanks,

4bard
SifuMike
Hi 4bard,

QUOTE
C:\Documents and Settings\BDF\Local Settings\Temporary Internet Files\Content.IE5\Y4EO1S06\HijackThis[1].exe


You need to put HijackThis into its own folder, but not a temp folder.
It won't save the backups if it is run from a temporary folder, and we will be deleting the temp folder.

Here is how to make a Hijackthis folder:

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT". Now you have C:\HJT\ folder.
Put your hijackthis.exe there.



*****************

You have a nasty rootkit, so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Norton 360 before running ComboFix, as it will prevent it from running.

To disable NORTON 360
Right-click the Norton 360 icon in the system tray and select Open Tasks and
Settings Window.

On the right side, under Settings, click on Change advanced settings.
Next, click on the Virus & Spyware Protection Settings.
Uncheck Turn on Auto-Protect and select Apply.
You will be asked to select a time for Norton to reactivate.
Choose Until I turn it back on.
You can re-enable after the malware has been removed from your machine.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
4bard
Hi,

I moved HijackThis into its own C:\HJT\ folder, but, as before, it won't run when double-clicked on. Does it need to run prior to ComboFix (so you can view its log), or can I go ahead and run ComboFix? Eager as I am to continue, I'll wait for your direction... (Hey - those ComboFix warnings sound really serious for a digital 'dabbler' like me!)

Just let me know - Go ahead and solve the HijackThis situation for a HJT log?, or Go ahead and run (cue ominous music...) COMBOFIX!!!?

I'll wait to hear from you before I do ANYTHING. And again, your assistance is truly appreciated.

4bard
SifuMike
Hi 4bard,

Leave the Hijackthis install for now. We will come back to it later.

Proceed with the ComboFix instructions I posted. The warnings are there for a reason!
Some foolish people decide to ignore all warnings, run ComboFix on their own and it trashes their system. Then they come crying to us and want us to clean up their mess.
When asked why they ran ComboFix on their own they usually reply "I thought I could fix it myself" or "I was tired of waiting".

ComboFix is not to be run unless under the supervision of a malware expert. It is not for casual use.
4bard
Hi SifuMike,

Got all psyched up, turned off my Norton 360 and went to run ComboFix... But no response from ComboFix when I double-clicked on it or right-clicked on it and selected 'open.'

Seems just like the problem with running Malwarebytes... Is the solution the same? Rename the exe file? Just guessing...

I'll wait to hear from you. Thanks.

4bard
SifuMike
Hi 4bard,

Delete the version of ComboFix you have on your desktop.

Disable your Norton 360 before running ComboFix.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt so we can continue cleaning the system.
4bard
Hi SifuMike,

I followed your instructions explicitly, deleting the old ComboFix, re-downloading, renaming and saving the new 'Combo-Fix,' and turning off Norton 360 before I went to run Combo-Fix...

A tiny ComboFix status bar appeared, filled up and disappeared. Next was a DOS-like window which said ComboFix was preparing to run. Finally there was a loud couple of beeps and a dialogue box came up asking me to say 'yes' to run ComboFix. I hit yes, then looked down at my newspaper... A few things flitted on the screen, I think, but ComboFix didn't seem to run at all. By the time I looked back up and was paying full attention, absolutely nothing was happening. (Just seconds later...)

Should I try repeating the whole process? Sorry if I'm being dense. (It's not on purpose!) I'll wait to hear from you.

Thanks,

4bard
SifuMike
Hi 4bard,


ComboFix takes as long as an hour to run. I think you jumped the gun.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Run it again (after disabling your Norton 360) and be more patient.

Once it starts running you will see it completing stages 1 thru 40 or more.
4bard
Hi SifuMike,

I summoned up all my patience and re-downloaded ComboFix, renamed it, etc... turned off Norton 360 Antivirus and 'ran' Combo-Fix. Same as before: small status window, brief DOS window, then a very fast (unreadably fast) window, which appeared and disappeared. I was very, very patient, and glanced at the drive light from time to time - occasionally there were flashes, but they eventually stopped. No other screen appeared. After almost two hours, I checked and the laptop wasn't doing anything - clearly ComboFix had done SOMETHING, since the wireless strength and connection icons were gone. But NO report or other evidence the program had run (or continued to run).

I figured I did something wrong, so I rebooted the computer (twice, since it froze on the first go), and repeated the process, only this time I ALSO turned off (unchecked, actually) Norton 360's SymProtect Tamper Protection as well. Ran Combo-Fix again - saw all the same stuff, including the fast screen, then watched the drive light flutter occasionally. I left the laptop alone for 4 hours. When I returned, it was in the same state as after the last (unsuccessful?) scan... The tray icons were changed a bit, but no report and no drive light... There was ONE THING I noticed the last time I ran ComboFix: I got a Norton 360 Error message I've gotten frequently: "Norton 360 has encountered an internal problem. Would you like to get more information?" If I click 'yes,' it sends me to Norton's website, but with an error message saying the server is busy, try again (or something like that). Could this mean that Norton is still interfering with ComboFix and it would be better to run ComboFix in Safe Mode or uninstall Norton? Again, just guessing.

I'm sorry this is taking so long... But I very much appreciate your persistence and guidance. I'd be lost without your help!

thanks,

4bard
SifuMike
Hi 4bard,

Try uninstalling Norton 360, then run ComboFix. Don't run ComboFix in safe mode.
Since you don't have an antivirus to protect you, do not surf the web until we are done removing malware.
4bard
Hey SifuMike,

Good news at last! I uninstalled Norton 360 (took 2 tries - an 'uninstall' from my start menu got hung-up as it removed "Norton Real Time Storage Protection" (or something like that). I restarted my laptop and removed the rest of the program using the Windows Control Panel...).

Anyway, ComboFix ran through all of its 50 (or thereabouts) steps (after restarting Windows to download something called 'Windows Recovery Module'), then it restarted Windows and issued its ComboFix log. Out of an abundance of caution, I have turned my laptop off and am sending you this .txt file via my (hopefully uninfected) PC. The big question is: should I restart my laptop and re-install Norton 360? Or should I wait? As I've indicated, I have a PC with (hopefully) no major issues... But I'd love to speed it up next...

Here's my ComboFix log. As always, I'll wait for your reply before doing anything...

thanks,

4bard

Here's the ComboFix results:

ComboFix 09-08-26.05 - BDF 08/26/2009 13:06.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.254 [GMT -7:00]
Running from: c:\documents and settings\BDF\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
c:\windows\Installer\2e378.msi
c:\windows\kb913800.exe
c:\windows\system32\drivers\ESQULkkjygvmrnttjcjdlfodguhdnoyypppbd.sys
c:\windows\system32\eforkscx.ini
c:\windows\system32\ESQULkkcidgoptylqbaiyouenxoyksxbdleor.dll
c:\windows\system32\ESQULwwwkvbdxmspyhoqtpltunawnmdeybaiu.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\fajnhbmq.ini
c:\windows\system32\liyasngp.ini
c:\windows\system32\mlnmp.bak1
c:\windows\system32\mlnmp.bak2
c:\windows\system32\mlnmp.ini
c:\windows\system32\mlnmp.ini2
c:\windows\system32\mlnmp.tmp
c:\windows\system32\vruitdob.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_ESQULserv.sys
-------\Legacy_NWCWORKSTATION
-------\Service_NWCWorkstation


((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
.

2009-08-26 19:49 . 2009-08-26 19:49 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-08-24 18:41 . 2009-08-24 18:45 -------- d-----w- C:\HJT
2009-08-24 16:11 . 2009-08-24 16:11 -------- d-----w- c:\program files\Trend Micro
2009-08-24 03:11 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-24 01:42 . 2009-08-24 01:42 -------- d-----w- c:\documents and settings\BDF\Application Data\Malwarebytes
2009-08-24 01:39 . 2009-08-24 01:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-24 01:38 . 2009-08-24 01:38 152576 ----a-w- c:\documents and settings\BDF\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-21 16:32 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 16:32 . 2009-08-24 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 16:32 . 2009-08-21 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 16:32 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 16:06 . 2009-08-20 16:06 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-08-20 01:03 . 2009-08-20 01:03 -------- d-----w- c:\program files\SpywareBlaster
2009-08-19 21:21 . 2009-08-22 00:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-19 21:20 . 2009-08-20 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-10 18:17 . 2009-08-10 18:37 -------- d-----w- c:\program files\tusqek
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 19:51 . 2006-02-11 12:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-26 19:50 . 2008-09-23 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-24 19:02 . 2006-02-23 02:43 40344 ----a-w- c:\documents and settings\BDF\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 02:25 . 2009-07-20 15:46 -------- d-----w- c:\program files\OmegaPlayer
2009-08-24 01:39 . 2006-02-11 12:02 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 13:39 . 2006-02-20 04:54 -------- d-----w- c:\program files\EarthLink TotalAccess
2009-07-03 17:09 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2005-08-16 10:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2005-08-16 10:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 10:18 1291264 ------w- c:\windows\system32\quartz.dll
2006-03-05 18:28 . 2006-02-23 02:43 56 --sh--r- c:\windows\system32\819B51CD69.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-11 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-24 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"IDriverT"=3 (0x3)
"EarthLinkMonitor"=2 (0x2)
"DSBrokerService"=3 (0x3)
"comHost"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Roxio\\Roxio Easy Media Creator 9 Suite\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Roxio\\Roxio Easy Media Creator 9 Suite\\Audio Master 9\\MusicDiscCreator9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 8:32 PM 101936]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 3:16 PM 17536]
S4 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 12:47 PM 65604]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 13:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(776)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll

- - - - - - - > 'explorer.exe'(1908)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-08-26 13:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-26 20:24

Pre-Run: 43,235,295,232 bytes free
Post-Run: 44,661,514,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

199 --- E O F --- 2009-08-26 20:23
SifuMike
QUOTE
The big question is: should I restart my laptop and re-install Norton 360? Or should I wait?


Wait to install Norton 360, as we might need to run ComboFix again. Do not browse the web or download anything until we are done using ComboFix.

I have to look at your log and decide what to do.

I'llllllllllllllllllll be back. (spoken with an Austrian accent.) LOL
SifuMike
Hi 4bard,

You had quite a mess on this computer!

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

CODE
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
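As an added illustration (not ComboFix's code and not the helper's), the following Python checker reads the REGEDIT4-style "Reg Loading Points" section of a ComboFix log, flags the settings the infection left weakened on this machine (EnableFirewall = 0 on the firewall profile, Security Center DisableMonitoring = 1, ports in GloballyOpenPorts), and emits a CFScript "Registry::" block of the same shape as the one above to re-enable the firewall profile. The sample log text is constructed to mirror the entries in the log posted earlier, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the "Reg Loading Points" section of the
# ComboFix log posted in this thread (not the actual log text).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"""

KEY_RE = re.compile(r'^\[(.+)\]\s*$')                       # [HKLM\...\key]
VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))\s*=\s*(.*?)\s*$')  # "name"=value or @=value


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_value}} for the REGEDIT4-style lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            sections[current][name] = m.group(3)
    return sections


def reg_int(raw: str) -> Optional[int]:
    """Decode 'dword:00000001' and ComboFix's '0 (0x0)' renderings; None for anything else."""
    m = re.fullmatch(r'dword:([0-9a-fA-F]{1,8})', raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'(\d+)\s*\(0x[0-9a-fA-F]+\)', raw)
    if m:
        return int(m.group(1))
    return None


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, finding) triples for settings that weaken the host."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_points(text).items():
        low = key.lower()
        for name, raw in values.items():
            val = reg_int(raw)
            if name.lower() == "enablefirewall" and "firewallpolicy" in low and val == 0:
                findings.append((key, name, "Windows Firewall disabled for this profile"))
            elif name.lower() == "disablemonitoring" and "security center\\monitoring" in low and val == 1:
                findings.append((key, name, "Security Center alerts suppressed"))
            elif low.endswith("globallyopenports\\list"):
                findings.append((key, name, "port opened to all remote hosts: " + raw))
    return findings


def build_cfscript(findings: List[Tuple[str, str, str]]) -> str:
    """Emit a CFScript 'Registry::' block that re-enables each disabled firewall
    profile, in the same form as the script the helper posted above."""
    lines = ["Registry::"]
    for key, name, _ in findings:
        if name.lower() == "enablefirewall":
            lines += [f"[{key}]", f'"{name}"=dword:00000001']
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for key, name, why in found:
        print(f"{why}: [{key}] {name}")
    print()
    print(build_cfscript(found))
```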
4bard
Hi SifuMike,

Things seem to be looking up!

I pasted the code you provided into Notepad, then dragged it into ComboFix. Sure enough, stuff happened, and a report was generated. Here it is:

ComboFix 09-08-26.05 - BDF 08/26/2009 13:06.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.254 [GMT -7:00]
Running from: c:\documents and settings\BDF\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
c:\windows\Installer\2e378.msi
c:\windows\kb913800.exe
c:\windows\system32\drivers\ESQULkkjygvmrnttjcjdlfodguhdnoyypppbd.sys
c:\windows\system32\eforkscx.ini
c:\windows\system32\ESQULkkcidgoptylqbaiyouenxoyksxbdleor.dll
c:\windows\system32\ESQULwwwkvbdxmspyhoqtpltunawnmdeybaiu.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\fajnhbmq.ini
c:\windows\system32\liyasngp.ini
c:\windows\system32\mlnmp.bak1
c:\windows\system32\mlnmp.bak2
c:\windows\system32\mlnmp.ini
c:\windows\system32\mlnmp.ini2
c:\windows\system32\mlnmp.tmp
c:\windows\system32\vruitdob.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_ESQULserv.sys
-------\Legacy_NWCWORKSTATION
-------\Service_NWCWorkstation


((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
.

2009-08-26 19:49 . 2009-08-26 19:49 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-08-24 18:41 . 2009-08-24 18:45 -------- d-----w- C:\HJT
2009-08-24 16:11 . 2009-08-24 16:11 -------- d-----w- c:\program files\Trend Micro
2009-08-24 03:11 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-24 01:42 . 2009-08-24 01:42 -------- d-----w- c:\documents and settings\BDF\Application Data\Malwarebytes
2009-08-24 01:39 . 2009-08-24 01:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-24 01:38 . 2009-08-24 01:38 152576 ----a-w- c:\documents and settings\BDF\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-21 16:32 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 16:32 . 2009-08-24 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 16:32 . 2009-08-21 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 16:32 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 16:06 . 2009-08-20 16:06 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-08-20 01:03 . 2009-08-20 01:03 -------- d-----w- c:\program files\SpywareBlaster
2009-08-19 21:21 . 2009-08-22 00:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-19 21:20 . 2009-08-20 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-10 18:17 . 2009-08-10 18:37 -------- d-----w- c:\program files\tusqek
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 19:51 . 2006-02-11 12:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-26 19:50 . 2008-09-23 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-24 19:02 . 2006-02-23 02:43 40344 ----a-w- c:\documents and settings\BDF\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 02:25 . 2009-07-20 15:46 -------- d-----w- c:\program files\OmegaPlayer
2009-08-24 01:39 . 2006-02-11 12:02 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 13:39 . 2006-02-20 04:54 -------- d-----w- c:\program files\EarthLink TotalAccess
2009-07-03 17:09 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2005-08-16 10:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2005-08-16 10:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 10:18 1291264 ------w- c:\windows\system32\quartz.dll
2006-03-05 18:28 . 2006-02-23 02:43 56 --sh--r- c:\windows\system32\819B51CD69.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-11 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-24 149280]


As always, thanks.

4bard
SifuMike
Hi 4bard,

That is the same log you posted previously. The run date 08/26/2009 13:06.1 is the same as the previous one.

The latest is probably called C:\ComboFix2.txt. Check the run date at the end.
I need to see the latest log.
4bard
Hi SifuMike,

My apologies for posting the wrong log. I found ComboFix2.txt - it was in a directory called c:/qoobox

Here's the log:

ComboFix 09-08-26.05 - BDF 08/26/2009 13:06.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.254 [GMT -7:00]
Running from: c:\documents and settings\BDF\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
c:\windows\Installer\2e378.msi
c:\windows\kb913800.exe
c:\windows\system32\drivers\ESQULkkjygvmrnttjcjdlfodguhdnoyypppbd.sys
c:\windows\system32\eforkscx.ini
c:\windows\system32\ESQULkkcidgoptylqbaiyouenxoyksxbdleor.dll
c:\windows\system32\ESQULwwwkvbdxmspyhoqtpltunawnmdeybaiu.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\fajnhbmq.ini
c:\windows\system32\liyasngp.ini
c:\windows\system32\mlnmp.bak1
c:\windows\system32\mlnmp.bak2
c:\windows\system32\mlnmp.ini
c:\windows\system32\mlnmp.ini2
c:\windows\system32\mlnmp.tmp
c:\windows\system32\vruitdob.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_ESQULserv.sys
-------\Legacy_NWCWORKSTATION
-------\Service_NWCWorkstation


((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
.

2009-08-26 19:49 . 2009-08-26 19:49 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-08-24 18:41 . 2009-08-24 18:45 -------- d-----w- C:\HJT
2009-08-24 16:11 . 2009-08-24 16:11 -------- d-----w- c:\program files\Trend Micro
2009-08-24 03:11 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-24 01:42 . 2009-08-24 01:42 -------- d-----w- c:\documents and settings\BDF\Application Data\Malwarebytes
2009-08-24 01:39 . 2009-08-24 01:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-24 01:38 . 2009-08-24 01:38 152576 ----a-w- c:\documents and settings\BDF\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-21 16:32 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 16:32 . 2009-08-24 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 16:32 . 2009-08-21 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 16:32 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 16:06 . 2009-08-20 16:06 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-08-20 01:03 . 2009-08-20 01:03 -------- d-----w- c:\program files\SpywareBlaster
2009-08-19 21:21 . 2009-08-22 00:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-19 21:20 . 2009-08-20 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-10 18:17 . 2009-08-10 18:37 -------- d-----w- c:\program files\tusqek
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 19:51 . 2006-02-11 12:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-26 19:50 . 2008-09-23 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-24 19:02 . 2006-02-23 02:43 40344 ----a-w- c:\documents and settings\BDF\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 02:25 . 2009-07-20 15:46 -------- d-----w- c:\program files\OmegaPlayer
2009-08-24 01:39 . 2006-02-11 12:02 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 13:39 . 2006-02-20 04:54 -------- d-----w- c:\program files\EarthLink TotalAccess
2009-07-03 17:09 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2005-08-16 10:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2005-08-16 10:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 10:18 1291264 ------w- c:\windows\system32\quartz.dll
2006-03-05 18:28 . 2006-02-23 02:43 56 --sh--r- c:\windows\system32\819B51CD69.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-11 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-24 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"IDriverT"=3 (0x3)
"EarthLinkMonitor"=2 (0x2)
"DSBrokerService"=3 (0x3)
"comHost"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Roxio\\Roxio Easy Media Creator 9 Suite\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Roxio\\Roxio Easy Media Creator 9 Suite\\Audio Master 9\\MusicDiscCreator9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 8:32 PM 101936]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 3:16 PM 17536]
S4 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 12:47 PM 65604]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 13:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(776)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll

- - - - - - - > 'explorer.exe'(1908)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-08-26 13:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-26 20:24

Pre-Run: 43,235,295,232 bytes free
Post-Run: 44,661,514,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

199 --- E O F --- 2009-08-26 20:23
SifuMike
Hi 4bard,

Is Norton 360 still uninstalled? If not, then uninstall it before running ComboFix.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

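The CFScript in the post above reverses two settings the infection left behind: Security Center monitoring switched off (`DisableMonitoring`=1) and the Windows Firewall disabled for the standard profile (`EnableFirewall`=0), both visible in the "Reg Loading Points" section of the ComboFix log. As an added example (not ComboFix code and not part of the thread), the following Python script reads that section of a log and flags those values, so the same check can be run over any ComboFix output before a fix script is written. The sample text is constructed from the entries shown in the log above; the severity assignments are the editor's own triage rules, matching which keys the helper's script reset and which it left alone.

```python
"""Flag security-weakening values in a ComboFix 'Reg Loading Points' dump.

Added example for this thread; it is not ComboFix code. The sample text is
constructed from the entries shown in the log above, and the severity
assignments are the editor's own triage rules, not ComboFix's.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample, shaped like the ComboFix output earlier in the thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: Optional[int]
    severity: str  # "high" = the fix script above resets it; "info" = review only
    reason: str


def parse_numeric(raw: str) -> Optional[int]:
    """Decode a ComboFix REG_DWORD rendering: 'dword:00000001' or '0 (0x0)'."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    return None  # strings such as '8097:TCP:...' are not numeric


def parse_reg_dump(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, raw_value) for each value line under a [key] header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            yield key, vm.group("name"), vm.group("raw")


def find_weak_settings(text: str) -> List[Finding]:
    """Apply the triage rules to every value in the dump."""
    findings = []
    for key, name, raw in parse_reg_dump(text):
        k = key.lower()
        n = name.lower()
        value = parse_numeric(raw)
        if n == "disablemonitoring" and value == 1 and r"security center\monitoring" in k:
            if k.endswith(r"security center\monitoring"):
                # The global switch: the CFScript in the post sets this back to 0.
                findings.append(Finding(key, name, value, "high",
                                        "Security Center monitoring disabled globally"))
            else:
                # Per-product subkeys (SymantecAntiVirus, SymantecFirewall) were
                # left alone by the fix script, so only report them.
                findings.append(Finding(key, name, value, "info",
                                        "per-product Security Center monitoring disabled"))
        elif n == "enablefirewall" and value == 0 and k.endswith(r"firewallpolicy\standardprofile"):
            findings.append(Finding(key, name, value, "high",
                                    "Windows Firewall disabled for the standard profile"))
        elif k.endswith(r"globallyopenports\list"):
            findings.append(Finding(key, name, value, "info",
                                    "globally open port: " + raw.strip()))
    return findings


if __name__ == "__main__":
    for f in find_weak_settings(SAMPLE_DUMP):
        print(f"[{f.severity}] {f.key} :: {f.name} = {f.value} ({f.reason})")
```

Run against the sample it reports the two "high" findings that the CFScript corrects and two informational ones (the vendor subkey and the open modem-support port). To use it on a real log, paste the "Reg Loading Points" section into `SAMPLE_DUMP` or read the file and pass its text to `find_weak_settings`.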
4bard
Hi SifuMike,

Thanks for the fast response.

I haven't re-installed Norton360 - so I'm actually not using my laptop... I'm copying these ComboFix logs and sending them via my (slightly less-infected) PC.

Here's the latest log, generated after I used your most recent code. As always, thanks!

Here's the latest:

ComboFix 09-08-26.05 - BDF 08/27/2009 13:19.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.218 [GMT -7:00]
Running from: c:\documents and settings\BDF\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\BDF\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))
.

2009-08-26 19:49 . 2009-08-26 19:49 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-08-24 18:41 . 2009-08-24 18:45 -------- d-----w- C:\HJT
2009-08-24 16:11 . 2009-08-24 16:11 -------- d-----w- c:\program files\Trend Micro
2009-08-24 03:11 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-24 01:42 . 2009-08-24 01:42 -------- d-----w- c:\documents and settings\BDF\Application Data\Malwarebytes
2009-08-24 01:39 . 2009-08-24 01:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-24 01:38 . 2009-08-24 01:38 152576 ----a-w- c:\documents and settings\BDF\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-21 16:32 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 16:32 . 2009-08-24 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 16:32 . 2009-08-21 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 16:32 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 16:06 . 2009-08-20 16:06 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-08-20 01:03 . 2009-08-20 01:03 -------- d-----w- c:\program files\SpywareBlaster
2009-08-19 21:21 . 2009-08-22 00:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-19 21:20 . 2009-08-20 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-10 18:17 . 2009-08-10 18:37 -------- d-----w- c:\program files\tusqek
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 19:51 . 2006-02-11 12:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-26 19:50 . 2008-09-23 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-24 19:02 . 2006-02-23 02:43 40344 ----a-w- c:\documents and settings\BDF\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 02:25 . 2009-07-20 15:46 -------- d-----w- c:\program files\OmegaPlayer
2009-08-24 01:39 . 2006-02-11 12:02 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 13:39 . 2006-02-20 04:54 -------- d-----w- c:\program files\EarthLink TotalAccess
2009-07-03 17:09 . 2005-08-16 10:18 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2005-08-16 10:18 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-08-16 10:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-08-16 10:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-08-16 10:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-08-16 10:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-08-16 10:18 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2005-08-16 10:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2005-08-16 10:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 10:18 1291264 ------w- c:\windows\system32\quartz.dll
2006-03-05 18:28 . 2006-02-23 02:43 56 --sh--r- c:\windows\system32\819B51CD69.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-26_20.17.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-04-15 16:19 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-11 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-24 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"IDriverT"=3 (0x3)
"EarthLinkMonitor"=2 (0x2)
"DSBrokerService"=3 (0x3)
"comHost"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Roxio\\Roxio Easy Media Creator 9 Suite\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Roxio\\Roxio Easy Media Creator 9 Suite\\Audio Master 9\\MusicDiscCreator9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 8:32 PM 101936]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 3:16 PM 17536]
S4 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 12:47 PM 65604]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-27 13:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(776)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll

- - - - - - - > 'explorer.exe'(2760)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-27 13:29
ComboFix-quarantined-files.txt 2009-08-27 20:29
ComboFix2.txt 2009-08-26 20:24

Pre-Run: 45,103,640,576 bytes free
Post-Run: 45,068,275,712 bytes free

164 --- E O F --- 2009-08-26 20:23
SifuMike
Hi 4bard,

How is the computer running?

Now we look for stragglers.

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.


4bard
Hi SifuMike,

How is my computer running? Like a track star whose cleats are on fire! Every program seems faster... I'm worried about going online before I reinstall Norton 360, though. I haven't done any casual browsing, to be sure.

I ran the Kaspersky scan, which took a loooooong time! But it yielded its results, and I'm pasting them below. It DID, however, indicate that access to the virus encyclopedia couldn't occur because of my browser's pop-up setting. Don't know if that means anything... (Hope it doesn't mean another scan! Ugh!)

As always, thanks. Do you do PCs, too? (My PC seems glacial compared to my laptop! I'd definitely be interested in repeating the process to clean my PC up as well...)

appreciatively,

4bard

Here's the Kaspersky scan report:

KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 28, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 28, 2009 15:45:17
Records in database: 2697264
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 70939
Threats found: 3
Infected objects found: 8
Suspicious objects found: 0
Scan duration: 02:05:10


File name / Threat / Threats count
C:\Documents and Settings\BDF\Application Data\Sun\Java\Deployment\cache\6.0\40\2fe55068-3ff40353 Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\BDF\Application Data\Sun\Java\Deployment\cache\6.0\51\23354cf3-16df35d5 Infected: Exploit.Java.ByteVerify 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ESQULkkjygvmrnttjcjdlfodguhdnoyypppbd.sys.vir Infected: Rootkit.Win32.Pakes.wb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULkkcidgoptylqbaiyouenxoyksxbdleor.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULwwwkvbdxmspyhoqtpltunawnmdeybaiu.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0004690.dll Infected: Packed.Win32.Tdss.w 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0004691.sys Infected: Rootkit.Win32.Pakes.wb 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0004692.dll Infected: Packed.Win32.Tdss.w 1

Selected area has been scanned.
SifuMike
Hi 4bard,

Looks good. Kaspersky found previously deleted files stored in your System Restore folder and files quarantined by ComboFix. We will be getting rid of those shortly.

OK, time to do the program clean up.

Delete Security Check from your desktop.

Uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, _OTM3), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Now you can reinstall your Norton 360 antivirus.

Please read and follow "How did I get infected?, With steps so it does not happen again!" as well as "How to prevent Malware" by miekiemoes.

If you want to improve speed/system performance after malware removal, take a look here.


Now you're good to go.
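The reasoning in the post above is a standard triage step: a detection is only a live problem if the file sits outside a container that is already inert, such as a ComboFix quarantine folder (Qoobox, deleted by ComboFix /u) or a System Restore point (cleared when System Restore is reset). As an added example (not Kaspersky or ComboFix code and not part of the thread), the Python script below parses the report format shown above and buckets each hit by its location, so the remaining "live" items stand out. The location rules and the recommended actions are the editor's own; the Java-cache rule in particular is an assumption about where the JRE stores downloaded applets. The sample reuses three lines from the report above plus one constructed path (marked as such) so the live branch is exercised.

```python
"""Triage a Kaspersky Online Scanner report by where each detection lives.

Added example for this thread, not Kaspersky or ComboFix code. The location
rules and recommended actions are the editor's; the sample report reuses
three lines from the report above plus one constructed 'live' hit so that
every branch is exercised.
"""
import re
from collections import Counter
from typing import Dict, List

# Three lines from the report in the thread plus one constructed live hit.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\BDF\Application Data\Sun\Java\Deployment\cache\6.0\40\2fe55068-3ff40353 Infected: Exploit.Java.ByteVerify 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ESQULkkjygvmrnttjcjdlfodguhdnoyypppbd.sys.vir Infected: Rootkit.Win32.Pakes.wb 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP41\A0004690.dll Infected: Packed.Win32.Tdss.w 1
C:\WINDOWS\system32\CONSTRUCTED_live_sample.dll Infected: Packed.Win32.Tdss.w 1

Selected area has been scanned.
"""

# Report lines look like: "<path> Infected: <threat name> <count>"
REPORT_LINE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Assumed actions. The first two match what the post above says ComboFix /u does
# (deletes Qoobox, resets System Restore); the Java-cache rule is the editor's.
ACTIONS = {
    "combofix-quarantine": "already neutralised; removed when ComboFix is uninstalled (Qoobox deleted)",
    "system-restore": "inactive restore-point copy; cleared when System Restore is reset",
    "java-cache": "cached applet; clear the Java deployment cache",
    "live": "active file outside any container; needs removal before sign-off",
}


def classify(path: str) -> str:
    """Bucket a detection by its container; paths are compared case-insensitively."""
    p = path.lower()
    if r"\qoobox\quarantine" in p:
        return "combofix-quarantine"
    if r"\system volume information\_restore" in p:
        return "system-restore"
    if r"\sun\java\deployment\cache" in p:
        return "java-cache"
    return "live"


def parse_report(text: str) -> List[Dict[str, object]]:
    """Extract every detection line; headers, blanks and the trailer are skipped."""
    entries = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m.group("path"),
            "threat": m.group("threat"),
            "count": int(m.group("count")),
            "location": classify(m.group("path")),
        })
    return entries


def triage(text: str) -> Dict[str, object]:
    """Return all entries, a per-location tally, and the subset that is still live."""
    entries = parse_report(text)
    counts = Counter(e["location"] for e in entries)
    live = [e for e in entries if e["location"] == "live"]
    return {"entries": entries, "counts": counts, "live": live}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for loc, n in result["counts"].items():
        print(f"{n} x {loc}: {ACTIONS[loc]}")
    for e in result["live"]:
        print("LIVE:", e["path"], e["threat"])
```

On the report actually posted in this thread every hit falls into the Java cache, the Qoobox quarantine or a restore point, which is why the helper could move straight to cleanup; the constructed fourth line shows what a hit that would block sign-off looks like.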
4bard
Hi SifuMike,

I've followed all your instructions. And now I guess our time together has come to an end. (Since you managed to solve my laptop's problems...)

Thanks for being a patient, encouraging and (best of all) effective computer fix-it expert/guide. I've enjoyed and appreciated your no-nonsense approach to solving my computer problems. And I'll be sure and refer all my friends to BleepingComputer.com - and to SifuMike (if they're lucky enough to 'draw' you in the fix-it lottery!!)

In the meantime, be well. I've made a donation (wish it could be 'times 10') to show my appreciation for all your efforts.

many thanks,

4bard

SifuMike
Thank you for the donation. I hope your computer continues to run smoothly.
SifuMike
Since your problem appears to be resolved, this thread will now be closed.