Hi Elise,
Booting in safe mode still crashes, despite attempting the SUPERAntiSpyware fix.
Ran ComboFix and here are the results:

ComboFix 09-12-18.03 - Kenny Donovan 12/19/2009 18:48:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1389 [GMT -5:00]
Running from: c:\documents and settings\Kenny Donovan\Desktop\KittyFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\NPROTECT
c:\recycler\NPROTECT\00003795.
c:\recycler\NPROTECT\00003797.
c:\recycler\NPROTECT\00003848.
c:\recycler\NPROTECT\00003858.
c:\recycler\NPROTECT\00003859.
c:\recycler\NPROTECT\00010480.
c:\recycler\NPROTECT\00010481.
c:\recycler\NPROTECT\00010483.
c:\recycler\NPROTECT\00010723.
c:\recycler\NPROTECT\00010724.
c:\recycler\NPROTECT\00010726.
c:\recycler\NPROTECT\00010995.
c:\recycler\NPROTECT\00010996.
c:\recycler\NPROTECT\00010998.
c:\recycler\NPROTECT\00011541.
c:\recycler\NPROTECT\00011677.
c:\windows\kb913800.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.
2009-12-02 00:54 . 2009-12-02 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-02 00:53 . 2009-12-02 00:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-02 00:53 . 2009-12-02 00:53 -------- d-----w- c:\documents and settings\Kenny Donovan\Application Data\SUPERAntiSpyware.com
2009-12-02 00:53 . 2009-12-02 00:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-01 20:35 . 2009-12-01 20:35 -------- d-----w- c:\program files\Symantec
2009-12-01 20:35 . 2009-12-01 20:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-01 20:35 . 2009-12-01 20:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-01 20:34 . 2009-12-01 20:34 -------- d-----w- c:\windows\system32\drivers\NAV
2009-12-01 20:34 . 2009-12-01 20:34 -------- d-----w- c:\program files\Windows Sidebar
2009-12-01 20:34 . 2009-12-01 20:34 -------- d-----w- c:\program files\Norton AntiVirus
2009-12-01 20:02 . 2009-12-01 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-12-01 20:02 . 2009-12-01 20:02 -------- d-----w- c:\program files\NortonInstaller
2009-12-01 20:02 . 2009-12-01 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-01 19:56 . 2009-12-01 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-11-30 23:15 . 2009-11-30 23:15 -------- d-----w- c:\program files\3ivx
2009-11-30 23:11 . 2009-11-30 23:11 -------- d-----w- c:\program files\Flip Video
2009-11-30 23:11 . 2009-11-30 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2009-11-29 22:29 . 2009-11-29 19:59 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-29 20:01 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-29 19:59 . 2009-11-29 19:59 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-29 19:49 . 2009-09-24 13:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-29 19:49 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-29 19:49 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-29 19:49 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-29 19:49 . 2009-11-30 21:26 -------- d-----w- c:\program files\Spyware Doctor
2009-11-29 19:49 . 2009-11-29 19:50 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-29 19:49 . 2009-11-29 19:49 -------- d-----w- c:\documents and settings\Kenny Donovan\Application Data\PC Tools
2009-11-29 19:49 . 2009-11-29 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-29 19:49 . 2009-11-30 21:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-29 19:48 . 2009-11-29 19:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-11-29 19:44 . 2009-11-29 19:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-29 19:43 . 2009-11-29 19:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-11-29 19:43 . 2008-11-20 19:19 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-11-29 19:43 . 2008-11-20 19:19 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-11-29 19:42 . 2009-11-29 19:42 -------- d-----w- c:\windows\system32\IOSUBSYS
2009-11-29 19:40 . 2009-11-29 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-20 21:18 . 2009-11-20 21:18 -------- d-----w- C:\VJVod_Cache
2009-11-20 21:18 . 2009-11-20 21:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft
2009-11-20 21:15 . 2009-11-29 19:25 -------- d-----w- c:\windows\system32\nagasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 00:06 . 2009-10-12 16:24 -------- d-----w- c:\documents and settings\Kenny Donovan\Application Data\uTorrent
2009-12-17 13:07 . 2009-12-19 23:11 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20091219.003\CCERASER.DLL
2009-12-05 13:57 . 2006-05-20 20:01 -------- d-----w- c:\program files\Google
2009-12-05 04:54 . 2009-12-05 04:54 529456 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx86.sys
2009-12-05 04:54 . 2009-12-05 04:54 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20091205.001\BHRules.dll
2009-12-05 04:54 . 2009-12-05 04:54 1405840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20091205.001\BHEngine.dll
2009-12-05 04:54 . 2009-12-05 04:54 668720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx64.sys
2009-12-05 04:54 . 2009-12-05 04:54 610704 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20091205.001\bbRGen.dll
2009-12-02 21:03 . 2009-07-09 22:36 -------- d-----w- c:\documents and settings\Kenny Donovan\Application Data\DVD Flick
2009-12-02 00:54 . 2009-12-02 00:54 117760 ----a-w- c:\documents and settings\Kenny Donovan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-01 23:31 . 2008-09-14 12:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-01 21:03 . 2007-05-26 18:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-01 20:35 . 2009-12-01 20:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-01 20:35 . 2009-12-01 20:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-01 06:00 . 2009-12-19 23:11 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20091219.003\NAVENG.SYS
2009-12-01 06:00 . 2009-12-19 23:11 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20091219.003\NAVENG32.DLL
2009-12-01 06:00 . 2009-12-19 23:11 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20091219.003\NAVEX32A.DLL
2009-12-01 06:00 . 2009-12-19 23:11 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20091219.003\NAVEX15.SYS
2009-12-01 06:00 . 2009-12-19 23:11 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20091219.003\EECTRL.SYS
2009-12-01 06:00 . 2009-12-19 23:11 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20091219.003\ECMSVR32.DLL
2009-12-01 06:00 . 2009-12-19 23:11 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20091219.003\ERASER.SYS
2009-11-29 19:57 . 2009-11-29 19:57 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-11-29 19:57 . 2009-11-29 19:57 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-11-29 19:57 . 2009-11-29 19:57 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-11-29 19:57 . 2009-11-29 19:57 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-11-29 19:57 . 2009-11-29 19:57 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-11-29 19:56 . 2009-11-29 19:56 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-11-29 19:56 . 2009-11-29 19:56 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-11-29 19:56 . 2009-11-29 19:56 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-11-29 19:56 . 2009-11-29 19:56 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-11-29 19:56 . 2009-11-29 19:55 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-11-29 19:48 . 2006-04-29 21:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-29 19:44 . 2006-04-30 13:15 -------- d-----w- c:\program files\Lavasoft
2009-11-27 12:36 . 2006-04-30 12:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-08 22:57 . 2006-04-22 22:35 -------- d-----w- c:\program files\Java
2009-11-08 22:56 . 2009-11-08 22:56 152576 ----a-w- c:\documents and settings\Kenny Donovan\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-07 01:18 . 2009-12-01 20:35 892272 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\CLT\cltLMSx.dll
2009-10-29 05:38 . 2005-08-16 09:18 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 22:37 . 2009-12-18 21:44 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20091217.002\IDSvix86.sys
2009-10-28 22:37 . 2009-12-18 21:44 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20091217.002\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-12-18 21:44 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20091217.002\Scxpx86.dll
2009-10-28 22:37 . 2009-12-18 21:44 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20091217.002\IDSxpx86.dll
2009-10-28 22:37 . 2009-12-18 21:44 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20091217.002\IDSviA64.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-21 05:38 . 2005-08-16 09:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 09:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-08-16 09:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 09:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 09:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-07-02 02:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-05 17:34 . 2009-12-01 20:35 929648 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\OCS\hsplayer.dll
2009-10-03 08:15 . 2009-11-29 19:44 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-01 09:19 . 2009-12-01 20:36 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
2009-09-25 05:37 . 2005-08-16 09:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2006-04-28 20:01 . 2006-04-28 18:46 56 --sh--r- c:\windows\system32\0D300EE741.sys
2006-04-28 20:02 . 2006-04-28 20:01 88 --sh--r- c:\windows\system32\41E70E300D.sys
2006-04-28 20:02 . 2006-04-28 18:46 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-26 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Google Update"="c:\documents and settings\Kenny Donovan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-14 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-12 289072]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-29 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
c:\documents and settings\Kenny Donovan\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-5-20 233472]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-4-29 113664]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-22 24576]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Kenny Donovan^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Kenny Donovan\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]
[X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2005-12-06 15:45 839680 ----a-w- c:\progra~1\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-11-17 02:35 397312 ----a-w- c:\windows\stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-11-10 17:23 157312 ----a-w- c:\program files\Zune\ZuneLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/29/2009 3:01 PM 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/29/2009 2:49 PM 207280]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1101000.013\SymDS.sys [12/1/2009 3:35 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1101000.013\SymEFA.sys [12/1/2009 3:35 PM 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx86.sys [12/4/2009 11:54 PM 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1101000.013\cchpx86.sys [12/1/2009 3:35 PM 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R1 SolDisk;SolDisk;c:\windows\system32\drivers\soldisk.sys [9/14/2009 1:13 PM 38344]
R1 SolFS;SolFS;c:\windows\system32\drivers\solfs.sys [9/14/2009 1:13 PM 285256]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1101000.013\Ironx86.sys [12/1/2009 3:35 PM 114736]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe [12/1/2009 3:35 PM 126392]
R3 DrmCDriverV32;DrmCDriverV32;c:\windows\system32\drivers\DrmCDriverV32.sys [12/30/2007 1:30 PM 515200]
R3 DrmCVideo32;DrmCVideo32;c:\windows\system32\drivers\DrmCVideo32.sys [12/30/2007 1:30 PM 3768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/1/2009 3:36 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20091217.002\IDSXpx86.sys [12/18/2009 4:44 PM 329592]
S2 EraserSvc10923;Symantec Eraser Service;c:\program files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe [12/1/2009 3:35 PM 126392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2009 2:43 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1184912]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/29/2009 2:40 PM 30192]
S3 keychain;M Three KeyChain Driver 03/09/2005, 1.0.0.2;c:\windows\system32\drivers\keychain.sys [10/4/2005 4:16 AM 7936]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/29/2009 2:49 PM 358600]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [12/30/2007 1:30 PM 184320]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ERASERSVC10923
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
Notify-NavLogon - (no file)
MSConfigStartUp-DriveLess - c:\docume~1\KENNYD~1\APPLIC~1\CLOCKB~1\atom bait.exe
AddRemove-Sierra Utilities - c:\program files\Sierra On-Line\sutil32.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-Base Meal Boob - c:\docume~1\KENNYD~1\APPLIC~1\CLOCKB~1\atom bait.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-12-19 19:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.1.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-346406899-3673083407-219182813-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E5142EEC-C399-7CB4-E3B4-B54A2EDC0EBE}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eaiedlgnel"=hex:66,61,67,65,63,6a,6a,70,63,6e,66,64,00,31
"danfgkij"=hex:64,62,6d,64,68,6e,6b,6d,65,6b,66,62,6e,6b,64,64,66,69,6c,68,68,
6e,68,70,63,6b,62,70,6b,62,63,6c,65,6f,61,64,67,6c,69,6c,00,00
"iaaefhncedcifpebgl"=hex:6a,61,6c,69,68,69,68,64,69,61,61,6c,70,68,62,6c,62,65,
68,6f,00,00
"haodlnljmnhbjoom"=hex:6a,61,6c,69,68,69,68,64,69,61,61,6c,70,68,62,6c,62,65,
68,6f,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(1652)
c:\docume~1\KENNYD~1\LOCALS~1\Temp\catchme.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-12-19 19:13:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-20 00:12
Pre-Run: 10,793,394,176 bytes free
Post-Run: 12,794,183,680 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - D92B77C0B08946617BA70A3B26CFDBAE
I also managed to get the GMER results (before running ComboFix); they are as follows:

GMER 1.0.15.15281 -
http://www.gmer.net
Rootkit scan 2009-12-18 18:38:43
Windows 5.1.2600 Service Pack 3
Running: 3br6mbty.exe; Driver: C:\DOCUME~1\KENNYD~1\LOCALS~1\Temp\fxtdqpob.sys
---- System - GMER 1.0.15 ----
SSDT 896D97B8 ZwAlertResumeThread
SSDT 8A267558 ZwAlertThread
SSDT 8960DB10 ZwAllocateVirtualMemory
SSDT 8A442050 ZwAssignProcessToJobObject
SSDT 8953D730 ZwConnectPort
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9E74E22]
SSDT 89738AC0 ZwCreateMutant
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9E55CDC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9E55ECE]
SSDT 8973D6B8 ZwCreateSymbolicLinkObject
SSDT 8A261810 ZwCreateThread
SSDT 8A258050 ZwDebugActiveProcess
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9E75610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9E758C4]
SSDT 8960DD68 ZwDuplicateObject
SSDT 89539008 ZwFreeVirtualMemory
SSDT 8A3B4DB0 ZwImpersonateAnonymousToken
SSDT 8A133480 ZwImpersonateThread
SSDT 8A21F4A0 ZwLoadDriver
SSDT 8A2AFBE0 ZwMapViewOfSection
SSDT 8A146B70 ZwOpenEvent
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9E73B14]
SSDT 895350C0 ZwOpenProcess
SSDT 8A1000C0 ZwOpenProcessToken
SSDT 8A246050 ZwOpenSection
SSDT 8960DEB8 ZwOpenThread
SSDT 8A252630 ZwProtectVirtualMemory
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9E75D30]
SSDT 896E4070 ZwResumeThread
SSDT 8A226948 ZwSetContextThread
SSDT 8A2AF908 ZwSetInformationProcess
SSDT 8A44F050 ZwSetSystemInformation
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9E750E2]
SSDT 8A0CA920 ZwSuspendProcess
SSDT 8A0BF0C0 ZwSuspendThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9E55982]
SSDT 897060C0 ZwTerminateThread
SSDT 8A543550 ZwUnmapViewOfSection
SSDT 8960D680 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xB9F017AC]
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[1088] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0275000A
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device solfs.sys (Solid File System Driver/EldoS Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Driver\00002156 -> \Driver\atapi \Device\Harddisk0\DR0 8A87250C
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths@Directory C:\Documents and Settings\Kenny Donovan\Local Settings\Temporary Internet Files\Content.IE5
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1@CacheLimit 32768
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1@CachePath C:\Documents and Settings\Kenny Donovan\Local Settings\Temporary Internet Files\Content.IE5\Cache1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2@CacheLimit 32768
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2@CachePath C:\Documents and Settings\Kenny Donovan\Local Settings\Temporary Internet Files\Content.IE5\Cache2
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3@CacheLimit 32768
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3@CachePath C:\Documents and Settings\Kenny Donovan\Local Settings\Temporary Internet Files\Content.IE5\Cache3
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4@CacheLimit 32768
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4@CachePath C:\Documents and Settings\Kenny Donovan\Local Settings\Temporary Internet Files\Content.IE5\Cache4
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E5142EEC-C399-7CB4-E3B4-B54A2EDC0EBE}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E5142EEC-C399-7CB4-E3B4-B54A2EDC0EBE}@eaiedlgnel 0x66 0x61 0x67 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E5142EEC-C399-7CB4-E3B4-B54A2EDC0EBE}@danfgkij 0x64 0x62 0x6D 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E5142EEC-C399-7CB4-E3B4-B54A2EDC0EBE}@iaaefhncedcifpebgl 0x6A 0x61 0x6C 0x69 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E5142EEC-C399-7CB4-E3B4-B54A2EDC0EBE}@haodlnljmnhbjoom 0x6A 0x61 0x6C 0x69 ...
---- EOF - GMER 1.0.15 ----
Hope this helps.