BleepingComputer.com: Firefox web browser fails to launch properly

I am using internet explorer to report this, as my defualt browser, Firefox, has gotten progressly worse and will not work at all now. When I first launch Firefox is receive an error message stating that it could not locate some files. When I click OK to dismiss that error dialog, Firefox goes to my homepage, Yahoo, but i can't navigate at all. Then Fireforx crashes. I have attached "Firefox Error Message" which is a screen capture of the message.

I followed the instructions in "Preparation Guide for Use....".



.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Dee at 21:30:22.78 on Sat 04/03/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2236 [GMT -7:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dee.DEESXP\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.3.0.5\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\dee~2.dee\applic~1\mozilla\firefox\profiles\n1hqr3d9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\dee.deesxp\application data\mozilla\firefox\profiles\n1hqr3d9.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2009-10-27 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2009-10-27 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110309.001\BHDrvx86.sys [2010-3-11 800376]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-9-24 13696]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2009-10-27 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2009-10-27 116784]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2010-3-6 34916]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.3.0.5\ccsvchst.exe [2009-10-27 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-29 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110330.001\IDSXpx86.sys [2010-3-31 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110402.003\NAVENG.SYS [2010-4-3 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110402.003\NAVEX15.SYS [2010-4-3 1393144]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2009-9-24 579456]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-24 1684736]
.
=============== Created Last 30 ================
.
2010-09-08 02:28:25 -------- d-----w- C:\c471d00044075cd95fec3d4aa0
2010-09-05 20:30:55 -------- d-----w- c:\program files\RALINK
2010-09-05 01:15:07 -------- d-----w- c:\windows\setup.pss
2010-09-02 20:49:21 -------- d-----w- c:\program files\common files\Cisco Systems
2010-09-02 20:48:38 -------- d-----w- c:\program files\Sophos
2010-09-02 20:46:06 -------- d-----w- C:\stdtsa
2010-08-23 15:19:08 -------- d-sh--w- C:\FOUND.003
2010-08-13 07:03:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-08-13 07:03:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-08-10 21:49:12 -------- d-----w- c:\program files\Symantec
2010-08-10 21:49:12 -------- d-----w- c:\program files\common files\Symantec Shared
2010-06-26 08:37:24 -------- d-sh--w- C:\FOUND.002
2010-06-23 15:40:31 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-06-16 08:38:36 -------- d-sh--w- C:\FOUND.001
2010-04-18 21:53:18 -------- d-sh--w- C:\FOUND.000
2010-04-17 00:41:46 12276560 ----a-w- c:\program files\common files\microsoft shared\office11\MSO.DLL
2010-03-06 21:29:27 251664 ----a-w- c:\windows\system32\msrd2x35.dll
2010-03-06 21:29:26 368912 ----a-w- c:\windows\system32\vbar332.dll
2010-03-06 21:29:26 1039360 ----a-w- c:\windows\system32\msjet35.dll
2010-03-06 21:29:25 37136 ----a-w- c:\windows\system32\Msjint35.dll
2010-03-06 21:29:25 24336 ----a-w- c:\windows\system32\msjter35.dll
2010-03-06 21:28:41 41472 ----a-w- c:\windows\system32\IPROF32.DLL
2010-03-06 21:28:41 225280 ----a-w- c:\windows\system32\QCON32.DLL
2010-03-06 21:28:41 195968 ----a-w- c:\windows\system32\QCONNECT.DLL
2010-03-06 21:28:39 193024 ----a-w- c:\windows\system32\QCON3216.EXE
2010-03-06 21:28:36 5856 ----a-w- c:\windows\system32\INET16.DLL
2010-03-06 21:28:36 57344 ----a-w- c:\windows\ICG32.DLL
2010-03-06 21:28:36 48640 ----a-w- c:\windows\system32\INETWH32.DLL
2010-03-06 21:28:31 63488 ----a-w- c:\windows\system32\mrtRate.dll
2010-03-06 21:28:31 34916 ----a-w- c:\windows\system32\drivers\MrtRate.sys
2010-03-06 21:28:30 65024 ----a-w- c:\windows\system32\mrtMngr.exe
2010-03-06 21:27:46 51200 ----a-w- c:\windows\system32\Q_ENCUTL.DLL
2010-03-06 21:27:44 73728 ----a-w- c:\windows\system32\Q_ENCLIB.DLL
2010-03-06 21:27:44 -------- d-----w- c:\windows\Intuit
2010-03-06 20:28:09 305152 ----a-w- c:\windows\IsUninst.exe
2010-03-06 20:28:02 -------- d-----w- c:\documents and settings\dee.deesxp\WINDOWS
.
==================== Find3M ====================
.
.
============= FINISH: 21:31:14.57 ===============

Hello and welcome to Bleeping Computer

My name is etavares and I will be working with you to fix your computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

• If you have since resolved the original problem you were having, we would appreciate you letting us know.
  
• If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
  
  • If you are unsure about any of these characteristics just post what you can and we will guide you.
  
  
• Please tell us if you have your original Windows CD/DVD available.
  
• If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  
• Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting. If you will be unable to respond (e.g. vacation, travel, etc.), please let me know ahead of time.
  
• Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.
  
• If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  
• If you have already posted a log, please do so again as instructed below, as your situation may have changed.
  
• Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL report,

• Please download OTL from this link.
  
• Save it to your desktop.
  
• Double click on the icon on your desktop.
  
• Click the "Scan All Users" checkbox.
  
• Under the Custom Scan box paste this in:
  
  netsvcs
  msconfig
  drivers32 /all
  %systemroot%\system32\*.dll /lockedfiles
  %systemroot%\system32\*.sys /90
  %systemroot%\Tasks\*.job /lockedfiles
  %systemroot%\System32\config\*.sav
  %SYSTEMDRIVE%\*.*
  %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
  %systemroot%\*. /mp /s
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  CREATERESTOREPOINT
  
  
  
• Click the Quick Scan button.
  
• The scan should take a few minutes.
  
• Please copy and paste both logs in your reply.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



In your reply, please post both OTL logs and the GMER log. Thanks and again sorry for the delay.

etavares:

I ran OTL and GMER as instructed. I am attaching the three outputs.

Thanks,

BlondDee

Hello, BlondDee.

Ok, let's get started.



Step 1


You have almost no free space left. Windows requires free space to properly operate. I suggest you clean out files you don't need, and/ or temporarily store them on a USB drive. Try to free up to about 1GB of free space on Drive C:

Quote

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 3

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Documents and Settings\Dee.DEEXP\Start Menu\Programs\Startup\Reboot.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

etavares

This post has been edited by etavares: 12 April 2011 - 09:09 PM

still with me?

Via PM:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6410

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/20/2011 10:08:33 PM
mbam-log-2011-04-20 (22-08-33).txt

Scan type: Quick scan
Objects scanned: 240990
Time elapsed: 11 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


[ArcaVir]
2011-04-21 Found nothing
[F-Secure Anti-Virus]
2011-04-20 Found nothing
[Avast! antivirus]
2011-04-20 Found nothing
[G DATA]
2011-04-21 Found nothing
[Grisoft AVG Anti-Virus]
2011-04-20 Found nothing
[Ikarus]
2011-04-21 Found nothing
[Avira AntiVir]
2011-04-21 Found nothing
[Kaspersky Anti-Virus]
2011-04-21 Found nothing
[Softwin BitDefender]
2011-04-21 Found nothing
[ESET NOD32]
2011-04-20 Win32/RiskWare.ExitWin.B
[ClamAV]
2011-04-21 Trojan.Reboot
[Panda Antivirus]
2011-04-20 HackTool/ExitWin.A
[CPsecure]
2011-04-21 Troj.W32.Rebooter.B
[Quick Heal]
2011-04-20 Trojan.Agent.ATV
[Dr.Web]
2011-04-21 Tool.Lostrun
[Sophos]
2011-04-21 Mal/Generic-L
[Emsisoft Anti-Malware]
2011-04-21 Found nothing
[VirusBlokAda VBA32]
2011-04-20 Riskware.Tool.ExitWin
[Frisk F-Prot Antivirus]
2011-04-20 Found nothing
[VirusBuster]
2011-04-20 RiskWare.ExitWin!6dl/mQE97nI

Hello, BlondDee.

Please post your reply here instead of private messaging me.

Do you know this file?
C:\Documents and Settings\Dee.DEEXP\Start Menu\Programs\Startup\Reboot.exe

It's a short file that exits windows...if you know what it is, it's likely OK. That being said, it is a bit odd that it is in your startup folder. That means it runs at startup.

Also, were you able to free up at least 1GB of free space on Drive C:? We will need some free space to run any other programs successfully.

etavares

still with me?

I do not know anything about reboot.exe being in the startup directory. Should I leave it as it is?

I now have 3.65 GB on my C drive. Will that be enough?

Thanks,

BlondDee

Hello, BlondDee.

That should be enough space, and we'll also remove that file.



Step 1



Next, please download ComboFix from one of these locations:

• Bleepingcomputer
  
• InfoSpyware

* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on etavaresCF.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares

still with me?

Please accept my apologies for the slow reply. I do appreciate your help. I had been waiting for email notification that I had a message waiting. I now understand that i must check the forum for updates from you. Once again, thanks for your help. I am sending your the ComboFix.txt

ComboFix 11-04-28.01 - Dee 04/28/2011 20:40:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2005 [GMT -7:00]
Running from: c:\documents and settings\Dee.DEESXP\Desktop\etavaresCF.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dee.DEESXP\WINDOWS
c:\documents and settings\Dee.DEEXP\WINDOWS
c:\documents and settings\Dee\WINDOWS
c:\windows\command
c:\windows\desktop
c:\windows\system\Color
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-29 )))))))))))))))))))))))))))))))
.
.
2011-04-21 04:56 . 2011-04-21 04:56 -------- d-----w- c:\documents and settings\Dee.DEESXP\Application Data\Malwarebytes
2011-04-21 04:56 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 04:56 . 2011-04-21 04:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-04-21 04:56 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 04:56 . 2011-04-21 04:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-10 17:32 . 2011-04-10 17:32 -------- d-sh--w- c:\documents and settings\Dee.DEESXP\IECompatCache
2011-04-10 17:31 . 2011-04-10 17:31 -------- d-sh--w- c:\documents and settings\Dee.DEESXP\PrivacIE
2011-04-10 17:19 . 2011-04-10 17:19 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY.000\IETldCache
2011-04-10 10:20 . 2011-04-10 10:20 -------- d-sh--w- c:\documents and settings\Dee.DEESXP\IETldCache
2011-04-10 01:08 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-04-10 01:05 . 2011-02-22 23:06 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-04-10 01:05 . 2011-02-22 23:06 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-10 01:05 . 2011-02-22 23:06 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-10 01:05 . 2011-02-22 23:06 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-10 01:05 . 2011-02-22 23:06 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-10 01:05 . 2011-02-22 23:06 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-04-10 01:05 . 2011-02-22 23:06 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-04-09 22:25 . 2010-12-09 13:42 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-04-09 22:24 . 2010-12-09 13:38 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-04-09 22:24 . 2010-12-09 13:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-04-09 22:24 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-04-09 22:20 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-04-09 22:20 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-04-09 22:19 . 2011-02-17 13:18 455936 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-04-09 22:17 . 2009-01-08 01:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-09-24 05:58 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-14 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-14 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-14 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-14 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-15 12:56 . 2008-04-14 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-14 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2009-09-24 05:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-18 17:53 . 2011-04-09 18:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
.
c:\documents and settings\Dee.DEEXP\Start Menu\Programs\Startup\
Reboot.exe [2002-8-19 432128]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Billminder.lnk - c:\quickenw\BILLMIND.EXE [2010-3-6 36864]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2010-3-6 36864]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2010-9-5 1527808]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\symds.sys [10/27/2009 2:27 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\symefa.sys [10/27/2009 2:27 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110419.001\BHDrvx86.sys [4/19/2011 3:08 PM 802936]
R1 BIOS;BIOS;c:\windows\SYSTEM32\DRIVERS\BIOS.sys [9/24/2009 7:46 PM 13696]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\cchpx86.sys [10/27/2009 2:27 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\ironx86.sys [10/27/2009 2:27 PM 116784]
R2 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MrtRate.sys [3/6/2010 2:28 PM 34916]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [10/27/2009 2:27 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/29/2009 5:24 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110428.002\IDSXpx86.sys [4/28/2011 5:39 PM 341944]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\SYSTEM32\DRIVERS\rt2860.sys [9/24/2009 8:48 PM 579456]
S3 Ambfilt;Ambfilt;c:\windows\SYSTEM32\DRIVERS\Ambfilt.sys [9/24/2009 8:13 PM 1684736]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - OSE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dee.DEESXP\Application Data\Mozilla\Firefox\Profiles\1hb6o7it.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-28 20:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2548)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-04-28 20:48:02
ComboFix-quarantined-files.txt 2011-04-29 03:47
.
Pre-Run: 3,831,901,184 bytes free
Post-Run: 3,830,347,264 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 4678E6A22CBEC78F380C8B71C583DAA4

Hello, BlondDee.

No worries. The email system is sometimes unreliable so I'm glad you checked. I'll almost always respond within 24 hours...although I will warn you I will be unable to check this thread until Sunday afternoon.





Step 1



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

File::
c:\documents and settings\Dee.DEEXP\Start Menu\Programs\Startup\Reboot.exe
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares

etavares,

I ran ComboFix.exe as you instructed. This is the file it produced.

Thanks,

BlondDee

ComboFix 11-04-29.02 - Dee 04/29/2011 20:40:21.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2299 [GMT -7:00]
Running from: c:\documents and settings\Dee.DEESXP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dee.DEESXP\Desktop\CFScript.txt
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
FILE ::
"c:\documents and settings\Dee.DEEXP\Start Menu\Programs\Startup\Reboot.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dee.DEEXP\Start Menu\Programs\Startup\Reboot.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-30 )))))))))))))))))))))))))))))))
.
.
2011-04-21 04:56 . 2011-04-21 04:56 -------- d-----w- c:\documents and settings\Dee.DEESXP\Application Data\Malwarebytes
2011-04-21 04:56 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 04:56 . 2011-04-21 04:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-04-21 04:56 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 04:56 . 2011-04-21 04:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-10 17:32 . 2011-04-10 17:32 -------- d-sh--w- c:\documents and settings\Dee.DEESXP\IECompatCache
2011-04-10 17:31 . 2011-04-10 17:31 -------- d-sh--w- c:\documents and settings\Dee.DEESXP\PrivacIE
2011-04-10 17:19 . 2011-04-10 17:19 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY.000\IETldCache
2011-04-10 10:20 . 2011-04-10 10:20 -------- d-sh--w- c:\documents and settings\Dee.DEESXP\IETldCache
2011-04-10 01:08 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-04-10 01:05 . 2011-02-22 23:06 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-04-10 01:05 . 2011-02-22 23:06 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-10 01:05 . 2011-02-22 23:06 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-10 01:05 . 2011-02-22 23:06 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-10 01:05 . 2011-02-22 23:06 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-10 01:05 . 2011-02-22 23:06 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-04-10 01:05 . 2011-02-22 23:06 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-04-09 22:25 . 2010-12-09 13:42 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-04-09 22:24 . 2010-12-09 13:38 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-04-09 22:24 . 2010-12-09 13:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-04-09 22:24 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-04-09 22:20 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-04-09 22:20 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-04-09 22:19 . 2011-02-17 13:18 455936 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-04-09 22:17 . 2009-01-08 01:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-09-24 05:58 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-14 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-14 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-14 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-14 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-15 12:56 . 2008-04-14 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-14 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2009-09-24 05:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-04-30 02:11 . 2011-04-09 18:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Billminder.lnk - c:\quickenw\BILLMIND.EXE [2010-3-6 36864]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2010-3-6 36864]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2010-9-5 1527808]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\symds.sys [10/27/2009 2:27 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\symefa.sys [10/27/2009 2:27 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110419.001\BHDrvx86.sys [4/19/2011 3:08 PM 802936]
R1 BIOS;BIOS;c:\windows\SYSTEM32\DRIVERS\BIOS.sys [9/24/2009 7:46 PM 13696]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\cchpx86.sys [10/27/2009 2:27 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\ironx86.sys [10/27/2009 2:27 PM 116784]
R2 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MrtRate.sys [3/6/2010 2:28 PM 34916]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [10/27/2009 2:27 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/29/2009 5:24 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110428.002\IDSXpx86.sys [4/28/2011 5:39 PM 341944]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\SYSTEM32\DRIVERS\rt2860.sys [9/24/2009 8:48 PM 579456]
S3 Ambfilt;Ambfilt;c:\windows\SYSTEM32\DRIVERS\Ambfilt.sys [9/24/2009 8:13 PM 1684736]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - OSE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dee.DEESXP\Application Data\Mozilla\Firefox\Profiles\1hb6o7it.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-29 20:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
Completion time: 2011-04-29 20:45:47
ComboFix-quarantined-files.txt 2011-04-30 03:45
ComboFix2.txt 2011-04-29 03:48
.
Pre-Run: 4,102,307,840 bytes free
Post-Run: 4,099,338,240 bytes free
.
- - End Of File - - 4AF6A4208ED036B6156ADDD9795C6266

Hello, BlondDee.

Are you still having the issues you mentioned earlier or have they disappeared?



Step 1

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

Please download TFC by OldTimer and save it to your desktop.
alternate download link

• Save any unsaved work. TFC will close ALL open programs including your browser!
  
• Double-click on TFC.exe to run it. If you are using Vista or Windows 7, right-click on the file and choose Run As Administrator.
  
• Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  
• Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Step 2

I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
    
  • Double click on the icon on your desktop.
  
  
• Check
  
• Click the button.
  
• Accept any security warnings from your browser.
  
• Check
  
• Push the Start button.
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, push
  
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  
• Push the button.
  
• Push

etavares