Google Redirect - infected with a nasty rootkit


This topic is locked
16 replies to this topic

#1 dallred1 (Members, 21 posts)

Posted 01 January 2010 - 07:20 PM

Elise025 said I should post this here in this thread. Please help!!!

Here is the link to the previous thread http://www.bleepingcomputer.com/forums/t/283266/help-google-search-redirected/

Here is my DDS Log


DDS (Ver_09-12-01.01) - NTFSx86
Run by XXXXXXX at 15:53:25.64 on Fri 01/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.82 [GMT -6:00]

AV: Windows Live OneCare *On-access scanning enabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdcserv.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Documents and Settings\Deanne Allred\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://m.www.yahoo.com/
uDefault_Page_URL = hxxp://www.yahoo.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [P2kAutostart]
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [EPSON Stylus CX8400 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_faticea.exe /fu "c:\windows\temp\E_S6E7.tmp" /EF "HKCU"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; IEMB3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; IEMB3)" -"http://www.cartoonnetwork.com/games/teentitans/titanicambush/index.html"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [lxdcamon] "c:\program files\lexmark 1300 series\lxdcamon.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mumservice] c:\program files\motorola\software update\mumservice.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.fastaccess.com/sdccommon/download/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177722638796
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1212625781_c2d1d7846579a333add6ab0c1af2089a&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9CDDD774-0E1E-49E3-91C6-F2D49949CF5D} - hxxps://www.dictaide.com/OE3202.CAB
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: hgGyywXn - hgGyywXn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXOIxyy
LSA: Notification Packages = scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deanne~1\applic~1\mozilla\firefox\profiles\ezev4x5n.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - plugin: c:\progra~1\sonyon~1\npsoe.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-12-9 1858144]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-4-13 53168]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2004-10-19 26960]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-7-26 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-7-26 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-7-28 42752]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-11-29 23936]
S4 FreezeScreenSaver;FreezeScreenSaver;c:\windows\system32\FreezeScreenSaver.exe [2005-12-9 69632]

=============== Created Last 30 ================

2010-01-01 20:18:16 0 d-----w- c:\program files\Cobian Backup 8
2009-12-30 14:52:03 0 d-----w- c:\temp\MotoConnectTemp
2009-12-30 02:24:43 0 d-----w- c:\program files\a-squared HiJackFree
2009-12-30 00:55:19 0 d-----w- c:\windows\ERUNT
2009-12-30 00:55:15 1688 ----a-w- c:\windows\system32\AUTOEXEC.NT
2009-12-30 00:29:40 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-29 23:12:41 0 d-----w- c:\program files\TrendMicro
2009-12-10 01:55:16 0 d-----w- c:\program files\a-squared Free

==================== Find3M ====================

2009-12-03 22:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2004-09-10 16:10:08 4825 ----a-w- c:\program files\settings.dat
2004-09-10 16:04:09 96 ----a-w- c:\program files\library.dat
2004-09-10 12:47:06 8261 ----a-w- c:\program files\colors.dat
2004-09-06 23:31:36 12652784 ----a-w- c:\program files\mp10setup.exe
2004-09-01 23:07:47 5358704 ----a-w- c:\program files\PS2LE.exe
2002-08-29 10:00:00 94784 --sh--w- c:\windows\TWAIN.DLL
2009-01-15 02:47:40 372 --sha-w- c:\windows\system32\yyxIOXbc.ini2
2009-01-06 03:07:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010520090106\index.dat

============= FINISH: 15:57:30.01 ===============


Here is the GMER that I posted on the other thread.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-01 13:10:24
Windows 5.1.2600 Service Pack 3
Running: r26quime.exe; Driver: C:\DOCUME~1\DEANNE~1\LOCALS~1\Temp\awtdapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xF851CFA4]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Cdfs \Cdfs F7C8A400
Device -> \Driver\iaStor \Device\Harddisk0\DR0 8334E618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Also I am now having to run in Safe Mode!
Also I couldn't get RootRepeal to run (per the Preparation Guidelines). It was after I tried to run RootRepeal that I couldn't get on normally anymore and had to start getting on in Safe Mode.



HELP! :-(
Thank you Elise025 for what you helped me with. I hope someone else can fix all of this.
Dallred1
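On the GMER finding in the post above: the line `.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section` is a structural check rather than a signature match. A driver produced by a compiler and linker enters in an executable code section (.text, INIT or PAGE); .rsrc holds icons, version strings and other data, so an AddressOfEntryPoint that resolves into it means the file on disk has been patched by something other than its vendor. The Python script below is an added example by the editor, not part of the original post or of GMER; it performs that check with the standard library's struct module. It builds two constructed PE32 headers, one clean and one with the entry point moved into .rsrc, and takes a file path instead to test a real driver image. The names check_entry_point, section_of_entry_point and build_sample_pe are this example's own.

```python
"""Locate the section that owns a PE image's entry point.

Added example, not part of the original thread or of GMER. A driver built by a
compiler enters in an executable code section (.text, INIT, PAGE), never in
the resource data section, so an AddressOfEntryPoint that resolves into .rsrc
means the on-disk file has been patched. The two images built below are
constructed headers for demonstration, not the file from the log.
"""
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
# Sections that hold data, not code; an entry point inside one is a red flag.
DATA_SECTION_NAMES = {".rsrc", ".data", ".rdata", ".reloc"}


def section_of_entry_point(image: bytes):
    """Return (entry_rva, section_name, section_flags); name/flags are None if no section owns the RVA."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, _, _, _, size_opt = struct.unpack_from("<HIIIH", image, coff + 2)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint (same offset for PE32 and PE32+)
    sec_table = opt + size_opt
    for i in range(num_sections):
        name_raw, vsize, vaddr, rawsize, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, sec_table + i * 40)
        name = name_raw.rstrip(b"\0").decode("ascii", "replace")
        # The loader maps max(VirtualSize, SizeOfRawData) bytes at VirtualAddress.
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return entry_rva, name, flags
    return entry_rva, None, None


def check_entry_point(image: bytes) -> dict:
    """Apply the GMER-style heuristic and return the verdict with its evidence."""
    rva, name, flags = section_of_entry_point(image)
    executable = name is not None and bool(flags & IMAGE_SCN_MEM_EXECUTE)
    suspicious = name is None or not executable or name in DATA_SECTION_NAMES
    return {"entry_rva": rva, "section": name, "executable": executable, "suspicious": suspicious}


def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed minimal PE32 header (no real code) with a .text and a .rsrc section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint

    def section(name, vaddr, size, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, 0, 0, 0, 0, 0, flags)

    text = section(b".text", 0x1000, 0x200, 0x60000020)  # CODE | EXECUTE | READ
    rsrc = section(b".rsrc", 0x2000, 0x200, 0x40000040)  # INITIALIZED_DATA | READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + rsrc


if __name__ == "__main__":
    if len(sys.argv) > 1:  # a real file, e.g. a copy of iaStor.sys taken from a clean boot
        with open(sys.argv[1], "rb") as fh:
            print(check_entry_point(fh.read()))
    else:
        print("clean   :", check_entry_point(build_sample_pe(0x1010)))
        print("patched :", check_entry_point(build_sample_pe(0x2040)))
```

Two caveats when using this on a live machine. First, a kernel rootkit that has patched a boot-start storage driver normally filters reads of that file, so a user-mode read of the running system may return the clean original; take the copy from a clean boot (recovery console, boot CD, or the disk attached to another system), which is also why GMER reads through its own driver. Second, a positive result is evidence rather than proof: some packers and licence-protection wrappers also place the entry point outside the code section, so compare the file's hash and section layout against the vendor's copy before replacing it.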


#2 Farbar (Security Developer, The Netherlands)

Posted 05 January 2010 - 09:48 AM

Hi dallred1,

Welcome to BC HijackThis forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • Please update me on the current condition of your computer like the issues you have, if you are able to stay in normal mode and if you have internet connection.

  • Please run DDS and post both the logs. The Attach.txt may be attached but copy and paste the DDS.txt.

  • Open RootRepeal. Click Hidden Services, press Scan and, when finished, press Save Report. Post the log or tell me if there were no hidden services found.


#3 dallred1 (Topic Starter)

Posted 06 January 2010 - 07:46 PM

Hey Farbar,

I agree to not make any more changes from here on out unless you tell me. Thank you so much for helping me. :-)

My problem started with Google redirecting me to other sites when I click on the links. This first started in IE, but then also started happening in Firefox as well.

Then I was not able to access the computer in normal mode at all and had been accessing it in Safe Mode with Networking.

Then I started getting the Internet Security 2010 Antivirus warnings. I followed the directions here on this site and removed that virus.

When I try to get into Windows normally I get the BLUE SCREEN with an error that reads "PAGE_FAULT_IN_NONPAGED_AREA". I read that I should do a chkdsk /f /r. I did that in "Run" and it said it would run it the next time I rebooted. I rebooted, Windows ran it and started normally. However, the next time I tried to log in it did the SAME thing. I got the "PAGE_FAULT_IN_NONPAGED_AREA". So I am currently logging in using SAFE MODE WITH NETWORKING.

I have run the DDS.txt log and posted it below, and have attached the Attach.txt.

However, I am UNABLE to run RootRepeal. It is on my desktop, but when I click it, it stays frozen on "initializing please wait". HELP! What can I do about that, or is there another program we can run?

Here are the logs you requested.


DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Deanne Allred at 18:17:21.06 on Wed 01/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.251 [GMT -6:00]

AV: Windows Live OneCare *On-access scanning enabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Deanne Allred\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://m.www.yahoo.com/
uDefault_Page_URL = hxxp://www.yahoo.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [P2kAutostart]
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [EPSON Stylus CX8400 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_faticea.exe /fu "c:\windows\temp\E_S6E7.tmp" /EF "HKCU"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; IEMB3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; IEMB3)" -"http://www.cartoonnetwork.com/games/teentitans/titanicambush/index.html"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [lxdcamon] "c:\program files\lexmark 1300 series\lxdcamon.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mumservice] c:\program files\motorola\software update\mumservice.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.fastaccess.com/sdccommon/download/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177722638796
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1212625781_c2d1d7846579a333add6ab0c1af2089a&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9CDDD774-0E1E-49E3-91C6-F2D49949CF5D} - hxxps://www.dictaide.com/OE3202.CAB
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: hgGyywXn - hgGyywXn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXOIxyy
LSA: Notification Packages = scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deanne~1\applic~1\mozilla\firefox\profiles\ezev4x5n.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - plugin: c:\progra~1\sonyon~1\npsoe.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\saskutil.sys [2009-3-23 74480]
S2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdcserv.exe [2008-8-12 99248]
S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-11-29 91392]
S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-3-22 24936]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-3 24652]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2004-10-19 26960]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-7-26 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-7-26 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-7-28 42752]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-11-29 23936]
S3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\mpfilter.sys [2009-4-13 53168]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 rootrepeal[1];rootrepeal[1];\??\c:\windows\system32\drivers\rootrepeal[1].sys --> c:\windows\system32\drivers\rootrepeal[1].sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\sasenum.sys [2009-3-23 7408]
S4 FreezeScreenSaver;FreezeScreenSaver;c:\windows\system32\FreezeScreenSaver.exe [2005-12-9 69632]

=============== Created Last 30 ================

2010-01-05 22:28:51 0 d-----w- c:\temp\MotoConnectTemp
2010-01-05 04:25:33 100 ----a-w- c:\windows\system32\flags.ini
2010-01-05 04:25:32 419 ----a-w- c:\windows\system32\uses32.dat
2010-01-05 01:48:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 01:48:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 01:48:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 14:16:07 0 ----a-w- c:\windows\system32\18467.exe
2010-01-02 02:53:15 1 ----a-w- C:\s
2010-01-01 20:18:16 0 d-----w- c:\program files\Cobian Backup 8
2009-12-30 00:55:19 0 d-----w- c:\windows\ERUNT
2009-12-30 00:55:15 1688 ----a-w- c:\windows\system32\AUTOEXEC.NT
2009-12-30 00:29:40 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-29 23:12:41 0 d-----w- c:\program files\TrendMicro
2009-12-10 01:55:16 0 d-----w- c:\program files\a-squared Free

==================== Find3M ====================

2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2004-09-10 16:10:08 4825 ----a-w- c:\program files\settings.dat
2004-09-10 16:04:09 96 ----a-w- c:\program files\library.dat
2004-09-10 12:47:06 8261 ----a-w- c:\program files\colors.dat
2004-09-06 23:31:36 12652784 ----a-w- c:\program files\mp10setup.exe
2004-09-01 23:07:47 5358704 ----a-w- c:\program files\PS2LE.exe
2002-08-29 10:00:00 94784 --sh--w- c:\windows\TWAIN.DLL
2009-01-15 02:47:40 372 --sha-w- c:\windows\system32\yyxIOXbc.ini2
2009-01-06 03:07:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010520090106\index.dat

============= FINISH: 18:19:44.64 ===============
Attached File  Attach.txt   17.79KB   14 downloads

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:17 PM

Posted 07 January 2010 - 02:19 AM

Hi dallred1,

We would have preferred to run ComboFix in normal mode, but since you are not able to boot to normal mode you may run it in Safe Mode with Networking. Please note that, firstly, the antivirus should be disabled before running ComboFix. Secondly, ComboFix needs to reboot to finish its job and produce a log. When it reboots, please let it reboot to normal mode. After ComboFix has produced its log you may enable your antivirus real-time protection again.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#5 dallred1

dallred1
  • Topic Starter

  • Members
  • 21 posts
  • Local time:11:17 AM

Posted 07 January 2010 - 07:49 AM

I am at work now and it will be this evening before I can run the combofix from my home computer, but I do have a question.

I CAN run in normal mode IF I do a Chkdsk /f /r in Safe Mode first. Should I do that (Chkdsk /f /r) again so it will start in normal mode so I can run ComboFix, or should I just run ComboFix in Safe Mode with Networking?

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:17 PM

Posted 07 January 2010 - 07:57 AM

It does no harm running chkdsk, but it takes a long time, and I expect ComboFix will be able to boot the system to normal mode once it has removed the rootkit.

#7 dallred1

dallred1
  • Topic Starter

  • Members
  • 21 posts
  • Local time:11:17 AM

Posted 07 January 2010 - 08:00 AM

OK, I will just run ComboFix in Safe Mode with Networking. :-)
Thanks for your help, and I will post that log this evening.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:17 PM

Posted 07 January 2010 - 08:03 AM

Alright. :(

#9 dallred1

dallred1
  • Topic Starter

  • Members
  • 21 posts
  • Local time:11:17 AM

Posted 07 January 2010 - 08:20 PM

I had to run ComboFix in Safe Mode.
I was unable to get Windows Live OneCare to turn off (since I was in Safe Mode).
However, ComboFix ran fine.

Here is the log.

ComboFix 10-01-04.01 - Deanne Allred 01/07/2010 18:38:39.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.171 [GMT -6:00]
Running from: c:\documents and settings\Deanne Allred\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning enabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\s
C:\Thumbs.db
c:\windows\BackUp
c:\windows\BackUp\S\50707000.DAT
c:\windows\EventSystem.log
c:\windows\patch.exe
c:\windows\system32\18467.exe
c:\windows\system32\dwnjnofo.ini
c:\windows\system32\flags.ini
c:\windows\system32\hklktfrd.ini
c:\windows\system32\kbdsock.dll
c:\windows\system32\mshlps.dll
c:\windows\system32\pubcvpok.ini
c:\windows\system32\stgojfbw.ini
c:\windows\system32\Thumbs.db
c:\windows\system32\uhitinmf.ini
c:\windows\system32\uses32.dat
c:\windows\system32\xldhinwf.ini
c:\windows\system32\yyxIOXbc.ini
c:\windows\system32\yyxIOXbc.ini2

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :(
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FREEZESCREENSAVER
-------\Service_FreezeScreenSaver


((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 00:53 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-08 00:53 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-05 22:28 . 2010-01-05 22:29 -------- d-----w- c:\temp\MotoConnectTemp
2010-01-05 01:48 . 2009-12-30 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 01:48 . 2010-01-05 01:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 01:48 . 2009-12-30 20:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 13:55 . 2010-01-03 13:55 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-02 02:53 . 2010-01-02 02:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-01-01 20:18 . 2010-01-01 20:20 -------- d-----w- c:\program files\Cobian Backup 8
2009-12-31 14:19 . 2009-12-31 14:19 -------- d-----w- c:\documents and settings\Kids\Application Data\Malwarebytes
2009-12-30 00:55 . 2009-12-30 00:55 -------- d-----w- c:\windows\ERUNT
2009-12-30 00:29 . 2009-11-03 02:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-29 23:48 . 2009-12-29 23:48 -------- d-----w- c:\documents and settings\Deanne Allred\Local Settings\Application Data\Threat Expert
2009-12-29 23:12 . 2009-12-29 23:12 -------- d-----w- c:\program files\TrendMicro
2009-12-27 19:33 . 2009-12-27 19:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData
2009-12-10 01:55 . 2010-01-05 01:42 -------- d-----w- c:\program files\a-squared Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 00:24 . 2009-04-13 22:00 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-02 02:53 . 2009-04-14 11:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-31 19:54 . 2009-04-14 01:39 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-12-30 00:17 . 2007-04-28 13:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-18 01:00 . 2009-11-08 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Nanovor
2009-12-08 01:26 . 2008-09-15 21:09 -------- d-----w- c:\documents and settings\Deanne Allred\Application Data\U3
2009-12-01 02:06 . 2008-04-15 00:25 -------- d-----w- c:\documents and settings\Kids\Application Data\Apple Computer
2009-11-29 22:57 . 2008-07-29 00:06 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-10-29 07:45 . 2004-12-07 22:37 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-10-19 13:11 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-10-19 13:11 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-10-19 13:11 79872 ----a-w- c:\windows\system32\raschap.dll
2004-09-10 16:10 . 2004-09-10 12:47 4825 ----a-w- c:\program files\settings.dat
2004-09-10 16:04 . 2004-09-10 12:47 96 ----a-w- c:\program files\library.dat
2004-09-10 12:47 . 2004-09-10 12:47 8261 ----a-w- c:\program files\colors.dat
2004-09-06 23:31 . 2004-09-06 23:31 12652784 ----a-w- c:\program files\mp10setup.exe
2004-09-01 23:07 . 2004-09-07 00:01 5358704 ----a-w- c:\program files\PS2LE.exe
2002-08-29 10:00 . 2002-08-29 10:00 94784 --sh--w- c:\windows\TWAIN.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-11 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-26 2002160]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2006-10-24 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 20480]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-13 180269]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"mumservice"="c:\program files\Motorola\Software Update\mumservice.exe" [2009-08-19 1060864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-19 8720384]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-17 02:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
???
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
2002-10-07 06:23 90112 ----a-w- c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
2001-08-09 22:06 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2003-05-02 23:46 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6600 Series]
2004-03-01 02:00 98304 ----a-w- c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATI9EA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 19:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-12-19 01:47 8720384 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-01-13 23:46 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FreezeScreenSaver"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdcwbgw.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdctime.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdcpswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdcjswx.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\saskutil.sys [3/23/2009 1:07 PM 74480]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdcserv.exe [8/12/2008 4:27 PM 99248]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [11/29/2009 4:57 PM 91392]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [3/22/2009 9:59 AM 24936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/3/2007 11:54 AM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\sasenum.sys [3/23/2009 1:07 PM 7408]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\SYSTEM32\DRIVERS\alcan5ln.sys [10/19/2004 8:15 AM 26960]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\SYSTEM32\DRIVERS\motccgp.sys [7/26/2009 12:41 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\SYSTEM32\DRIVERS\motccgpfl.sys [7/26/2009 12:41 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\SYSTEM32\DRIVERS\motodrv.sys [7/28/2008 6:07 PM 42752]
S3 motport;Motorola USB Diagnostic Port;c:\windows\SYSTEM32\DRIVERS\motport.sys [11/29/2009 4:58 PM 23936]
.
Contents of the 'Scheduled Tasks' folder

2009-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-12-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2007-01-09 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-08-27 18:24]

2010-01-08 c:\windows\Tasks\User_Feed_Synchronization-{8CA89DA8-4E7B-46CB-88BC-5D00F801862B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
uStart Page = hxxp://m.www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
DPF: {9CDDD774-0E1E-49E3-91C6-F2D49949CF5D} - hxxps://www.dictaide.com/OE3202.CAB
FF - ProfilePath - c:\documents and settings\Deanne Allred\Application Data\Mozilla\Firefox\Profiles\ezev4x5n.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-P2kAutostart - (no file)
Notify-hgGyywXn - hgGyywXn.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 19:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = ???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\windows\system32\lxdccoms.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-01-07 19:16:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-08 01:16

Pre-Run: 17,469,165,568 bytes free
Post-Run: 18,086,617,088 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 65C762388518D37B48AC5FAA599718F0

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:17 PM

Posted 07 January 2010 - 08:38 PM

Well done.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[1]]
Driver::
rootrepeal
rootrepeal[1]
rootkit::
c:\windows\system32\drivers\rootrepeal[1].sys"
DDS::
uInternet Connection Wizard,ShellNext = iexplore

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

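Added example (not code from this thread, nor from the DDS or ComboFix authors): a small triage script for the two log line formats posted above, the service/driver lines (`S3 name;display;path [?]`) and the "Created Last 30" file lines. It flags exactly the kind of entries the CFScript in this post targets, a registered driver whose image file is reported missing with `[?]`, plus zero-byte or oddly named files under system32; the parsing rules are read off the log lines in this thread, and the sample lines are copied from them.

```python
"""Triage helper for the DDS / ComboFix text log formats seen in this thread.
Added example, not code from the thread or from the DDS/ComboFix authors; the
parsing rules are read off the log lines themselves, and the sample lines below
are copied from this thread's logs (service lines and "Created Last 30" lines)."""
import ntpath
import re
from typing import Dict, Iterable, List

# Service/driver line:  <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
# DDS writes "[?]" instead of date/size when the image file cannot be found, and
# "<ImagePath value> --> <resolved path>" when the registry value uses the \??\ prefix.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)

# "Created Last 30" / Find3M line:  <timestamp> <size> <8-char attributes> <path>
# Attribute strings in the log look like "d-----w-", "----a-w-", "--sha-w-":
# position 0 is d for directories, positions 2-3 are the s(ystem) and h(idden) bits.
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)

EXEC_EXT = {".exe", ".dll", ".sys"}


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for log entries a helper would look at twice."""
    findings: Dict[str, List[str]] = {}

    def flag(path: str, reason: str) -> None:
        findings.setdefault(path, []).append(reason)

    for raw in lines:
        line = raw.strip()

        m = SERVICE_RE.match(line)
        if m:
            path = m.group("path")
            if " --> " in path:                 # keep the resolved path, not the \??\ form
                path = path.split(" --> ", 1)[1]
            if m.group("meta").strip() == "?":
                flag(path, "service %r is registered but its image file is missing "
                           "(orphaned entry; a cleanup candidate)" % m.group("name"))
            continue

        m = CREATED_RE.match(line)
        if not m or m.group("attrs").startswith("d"):   # skip other lines and directories
            continue
        path, size, attrs = m.group("path"), int(m.group("size")), m.group("attrs")
        folder, fname = ntpath.split(path)
        stem, ext = ntpath.splitext(fname)
        in_system32 = folder.lower().endswith("\\system32")
        if size == 0 and ext.lower() in EXEC_EXT:
            flag(path, "zero-byte executable image")
        if in_system32 and stem.isdigit():
            flag(path, "purely numeric file name directly under system32")
        if in_system32 and attrs[2:4] == "sh":
            flag(path, "system+hidden attributes on a loose file directly under system32")
    return findings


# Constructed sample: lines copied from the DDS log posted earlier in this thread.
SAMPLE_LINES = r"""
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 rootrepeal[1];rootrepeal[1];\??\c:\windows\system32\drivers\rootrepeal[1].sys --> c:\windows\system32\drivers\rootrepeal[1].sys [?]
2010-01-05 22:28:51 0 d-----w- c:\temp\MotoConnectTemp
2010-01-05 01:48:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 14:16:07 0 ----a-w- c:\windows\system32\18467.exe
2009-01-15 02:47:40 372 --sha-w- c:\windows\system32\yyxIOXbc.ini2
""".strip().splitlines()

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The two `rootrepeal` hits correspond to the `Driver::` and `Registry::` targets in the CFScript above; the rules are heuristics for a human reviewer, not a verdict.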

#11 dallred1

dallred1
  • Topic Starter

  • Members
  • 21 posts
  • Local time:11:17 AM

Posted 07 January 2010 - 10:03 PM

ComboFix 10-01-04.01 - Deanne Allred 01/07/2010 20:29:50.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.140 [GMT -6:00]
Running from: c:\documents and settings\Deanne Allred\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Deanne Allred\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning enabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ROOTREPEAL[1]
-------\Service_rootrepeal[1


((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 00:53 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-08 00:53 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-05 22:28 . 2010-01-05 22:29 -------- d-----w- c:\temp\MotoConnectTemp
2010-01-05 01:48 . 2009-12-30 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 01:48 . 2010-01-05 01:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 01:48 . 2009-12-30 20:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 13:55 . 2010-01-03 13:55 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-02 02:53 . 2010-01-02 02:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-01-01 20:18 . 2010-01-01 20:20 -------- d-----w- c:\program files\Cobian Backup 8
2009-12-31 14:19 . 2009-12-31 14:19 -------- d-----w- c:\documents and settings\Kids\Application Data\Malwarebytes
2009-12-30 00:55 . 2009-12-30 00:55 -------- d-----w- c:\windows\ERUNT
2009-12-30 00:29 . 2009-11-03 02:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-29 23:48 . 2009-12-29 23:48 -------- d-----w- c:\documents and settings\Deanne Allred\Local Settings\Application Data\Threat Expert
2009-12-29 23:12 . 2009-12-29 23:12 -------- d-----w- c:\program files\TrendMicro
2009-12-27 19:33 . 2009-12-27 19:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData
2009-12-10 01:55 . 2010-01-05 01:42 -------- d-----w- c:\program files\a-squared Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 00:24 . 2009-04-13 22:00 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-02 02:53 . 2009-04-14 11:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-31 19:54 . 2009-04-14 01:39 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-12-30 00:17 . 2007-04-28 13:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-18 01:00 . 2009-11-08 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Nanovor
2009-12-08 01:26 . 2008-09-15 21:09 -------- d-----w- c:\documents and settings\Deanne Allred\Application Data\U3
2009-12-01 02:06 . 2008-04-15 00:25 -------- d-----w- c:\documents and settings\Kids\Application Data\Apple Computer
2009-11-29 22:57 . 2008-07-29 00:06 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-10-29 07:45 . 2004-12-07 22:37 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-10-19 13:11 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-10-19 13:11 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-10-19 13:11 79872 ----a-w- c:\windows\system32\raschap.dll
2004-09-10 16:10 . 2004-09-10 12:47 4825 ----a-w- c:\program files\settings.dat
2004-09-10 16:04 . 2004-09-10 12:47 96 ----a-w- c:\program files\library.dat
2004-09-10 12:47 . 2004-09-10 12:47 8261 ----a-w- c:\program files\colors.dat
2004-09-06 23:31 . 2004-09-06 23:31 12652784 ----a-w- c:\program files\mp10setup.exe
2004-09-01 23:07 . 2004-09-07 00:01 5358704 ----a-w- c:\program files\PS2LE.exe
2002-08-29 10:00 . 2002-08-29 10:00 94784 --sh--w- c:\windows\TWAIN.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-11 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-26 2002160]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2006-10-24 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 20480]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-13 180269]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"mumservice"="c:\program files\Motorola\Software Update\mumservice.exe" [2009-08-19 1060864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-19 8720384]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-17 02:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
???
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
2002-10-07 06:23 90112 ----a-w- c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
2001-08-09 22:06 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2003-05-02 23:46 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6600 Series]
2004-03-01 02:00 98304 ----a-w- c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATI9EA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 19:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-12-19 01:47 8720384 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-01-13 23:46 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FreezeScreenSaver"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdcwbgw.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdctime.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdcpswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdcjswx.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\saskutil.sys [3/23/2009 1:07 PM 74480]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdcserv.exe [8/12/2008 4:27 PM 99248]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [11/29/2009 4:57 PM 91392]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [3/22/2009 9:59 AM 24936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/3/2007 11:54 AM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\sasenum.sys [3/23/2009 1:07 PM 7408]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\SYSTEM32\DRIVERS\alcan5ln.sys [10/19/2004 8:15 AM 26960]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\SYSTEM32\DRIVERS\motccgp.sys [7/26/2009 12:41 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\SYSTEM32\DRIVERS\motccgpfl.sys [7/26/2009 12:41 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\SYSTEM32\DRIVERS\motodrv.sys [7/28/2008 6:07 PM 42752]
S3 motport;Motorola USB Diagnostic Port;c:\windows\SYSTEM32\DRIVERS\motport.sys [11/29/2009 4:58 PM 23936]
.
Contents of the 'Scheduled Tasks' folder

2009-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-12-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2007-01-09 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-08-27 18:24]

2010-01-08 c:\windows\Tasks\User_Feed_Synchronization-{8CA89DA8-4E7B-46CB-88BC-5D00F801862B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
uStart Page = hxxp://m.www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
DPF: {9CDDD774-0E1E-49E3-91C6-F2D49949CF5D} - hxxps://www.dictaide.com/OE3202.CAB
FF - ProfilePath - c:\documents and settings\Deanne Allred\Application Data\Mozilla\Firefox\Profiles\ezev4x5n.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 20:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2948)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\windows\system32\lxdccoms.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-01-07 20:57:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-08 02:57
ComboFix2.txt 2010-01-08 01:16

Pre-Run: 18,048,950,272 bytes free
Post-Run: 18,037,420,032 bytes free

- - End Of File - - 781D7937D0F0B5C2A96376059316C743

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:17 PM

Posted 08 January 2010 - 08:15 AM

  • You still have some leftovers from an incompletely uninstalled Norton Antivirus on your computer.

    To remove the leftovers please download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • Optional: Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if you are using it:

    Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled it, also remove the folder in bold: C:\Program Files\Viewpoint

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
  • Tell me also how your computer is running.

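As an added example (not from Farbar's post or from any tool it names), the PowerShell below enumerates the same Add/Remove Programs entries the post tells the user to check, reads them from the Uninstall registry key, and flags Java runtimes older than JRE 6 Update 17. It assumes PowerShell is available on the machine and that Sun JRE entries use the DisplayVersion layout described in the comments.

```powershell
# Added example, not from the thread: list the Java runtime entries that
# Add/Remove Programs would show and flag those older than JRE 6 Update 17.
# Add/Remove Programs is built from the Uninstall registry key read below.
# Assumption: Sun JRE entries carry DisplayVersion in the form 1.6.0.170,
# i.e. major.minor.0.(update number * 10); JRE 6 Update 17 is 1.6.0.170.
$Target = [version]'1.6.0.170'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 64-bit hosts only
)

$Entries = @()
foreach ($Key in $UninstallKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($Sub in Get-ChildItem $Key) {
        $Props = Get-ItemProperty -Path $Sub.PSPath
        # Same names the post tells the user to look for (JRE or J2SE);
        # this also catches entries such as Java DB, so read the list.
        if ($Props.DisplayName -notmatch 'Java|JRE|J2SE') { continue }

        $Status = 'unknown version'
        $Parsed = $null
        if ($Props.DisplayVersion) {
            try { $Parsed = [version]$Props.DisplayVersion } catch { }
        }
        if ($Parsed) {
            if ($Parsed -lt $Target) { $Status = 'OUTDATED - remove' }
            else { $Status = 'current' }
        }

        # New-Object PSObject keeps this compatible with PowerShell 2.0.
        $Entries += New-Object PSObject -Property @{
            Name            = $Props.DisplayName
            Version         = $Props.DisplayVersion
            Status          = $Status
            UninstallString = $Props.UninstallString
        }
    }
}

if ($Entries.Count -eq 0) {
    'No Java runtime entries found in Add/Remove Programs.'
} else {
    $Entries | Sort-Object Name | Format-Table Name, Version, Status -AutoSize
}
```

Any row marked OUTDATED is one of the entries the post says to remove via Add/Remove Programs before installing the new JRE.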

#13 dallred1

dallred1
  • Topic Starter

  • Members
  • 21 posts
  • Local time:11:17 AM

Posted 08 January 2010 - 09:02 AM

Farbar,
I am unsure WHICH version of Norton I had on my computer. On the Norton Removal tool I have to select which version I had. If I don't know which one, what should I do?
Thanks,
Deanne

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:17 PM

Posted 08 January 2010 - 09:03 AM

Please keep the communication on the forum instead of sending a PM. Thanks.

Read the whole instruction please and you will know it. :(

Edited by farbar, 08 January 2010 - 09:07 AM.
Changed the post due to cross posting


#15 dallred1

dallred1
  • Topic Starter

  • Members
  • 21 posts
  • Local time:11:17 AM

Posted 08 January 2010 - 09:23 PM

:(
I did everything you asked above.

Here is my latest Malware Log. It looks good.

Malwarebytes' Anti-Malware 1.44
Database version: 3523
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/8/2010 8:20:32 PM
mbam-log-2010-01-08 (20-20-32).txt

Scan type: Quick Scan
Objects scanned: 139859
Time elapsed: 6 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
