ComboFix 11-01-23.07 - Nan Mayer 01/24/2011 16:44:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.689 [GMT -6:00]
Running from: E:\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Installr\2.bin\F3EZSETP.DLL
c:\program files\FunWebProducts\Installr\2.bin\F3PLUGIN.DLL
c:\program files\FunWebProducts\Installr\2.bin\NPFUNWEB.DLL
c:\program files\FunWebProducts\Installr\Cache\0007F4CD.exe
c:\program files\FunWebProducts\Installr\Cache\files.ini
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
.
((((((((((((((((((((((((( Files Created from 2010-12-24 to 2011-01-24 )))))))))))))))))))))))))))))))
.
2011-01-23 19:21 . 2011-01-23 19:21 -------- d--h--w- c:\windows\PIF
2011-01-23 02:42 . 2011-01-23 15:15 -------- d-----w- c:\documents and settings\Nan Mayer\Local Settings\Application Data\NPE
2011-01-23 02:07 . 2011-01-23 02:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-01-19 16:20 . 2011-01-19 16:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-01-19 16:20 . 2011-01-19 16:20 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-01-19 16:17 . 2011-01-19 16:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-16 02:35 . 2011-01-16 02:35 -------- d-----w- c:\documents and settings\Nan Mayer\Application Data\PC Speed Maximizer
2011-01-16 02:34 . 2011-01-16 02:34 -------- d-----w- c:\program files\PC Speed Maximizer
2011-01-13 00:42 . 2011-01-13 00:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-01-12 23:35 . 2011-01-12 23:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-01 05:24 . 2010-12-09 20:36 368248 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-12-01 05:24 . 2010-12-09 20:36 368248 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symtdi.sys
2010-12-01 05:24 . 2010-12-09 20:36 295032 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symnets.sys
2010-12-01 05:23 . 2010-12-09 20:36 330360 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symtdiv.sys
2010-11-23 04:08 . 2010-12-09 20:36 509560 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\srtsp.sys
2010-11-23 04:08 . 2010-12-09 20:36 50168 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-11-23 04:08 . 2010-12-09 20:36 50168 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\srtspx.sys
2010-11-18 18:12 . 2004-08-11 22:12 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-18 02:59 . 2010-12-09 20:36 652336 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-11-18 02:59 . 2010-12-09 20:36 652336 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys
2010-11-16 01:45 . 2010-12-09 20:36 136312 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys
2010-11-16 01:45 . 2010-12-09 20:36 136312 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-11-09 14:52 . 2004-08-11 22:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-11 22:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-11 22:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-11 22:00 290048 ----a-w- c:\windows\system32\atmfd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2006-01-14 172032]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-10 24576]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nan Mayer^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Nan Mayer\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DS Clock]
2005-02-15 03:23 331776 ----a-w- c:\program files\DS Clock\dsclock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 19:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\LMI7AF.tmp\\lmi_rescue.exe"=
"c:\\Documents and Settings\\Nan Mayer\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5910:TCP"= 5910:TCP:vnc5910

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\symds.sys [12/9/2010 2:36 PM 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys [12/9/2010 2:36 PM 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [1/19/2011 10:27 AM 691248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys [12/9/2010 2:36 PM 136312]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\Nan Mayer\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [8/9/2010 8:58 AM 560848]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [12/9/2010 2:35 PM 130000]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/29/2010 10:00 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110120.001\IDSXpx86.sys [1/22/2011 11:30 AM 341944]
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;c:\windows\system32\drivers\rtl8180.sys [10/1/2003 10:54 AM 184832]
S3 uvnc_service;uvnc_service;c:\documents and settings\Nan Mayer\Local Settings\Application Data\CrossLoop\winvnc.exe [8/9/2010 8:58 AM 1587352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: dell.com\support
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com
Trusted Zone: pcdiscovery.com
Trusted Zone: symantec.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\mail
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-CTFMON - (no file)
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Picasa 3 - c:\documents and settings\Nan Mayer\My Documents\Picasa3\Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-24 16:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS721060G9SA00 rev.MC3OC11H -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F46555]<< c:\docume~1\NANMAY~1\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f4c7b0]; MOV EAX, [0x86f4c82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86FE7548]
3 CLASSPNP[0xF76BDFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000088[0x86FD2F18]
5 ACPI[0xF7554620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86F77D98]
\Driver\atapi[0x86F54270] -> IRP_MJ_CREATE -> 0x86F46555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS721060G9SA00_________________MC3OC11H#5&2015aabe&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:
\Driver\atapi DriverStartIo -> 0x86F4639B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\WININET.dll
.
Completion time: 2011-01-24 16:58:12
ComboFix-quarantined-files.txt 2011-01-24 22:58

Pre-Run: 46,300,160,000 bytes free
Post-Run: 46,481,514,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3BE76C1C777AF538BB2A11B5FBE1455A
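An added triage script, not part of the posted log and not code from ComboFix or GMER, that parses an excerpt of the log above (copied into the script, not invented) and pulls out what an analyst would check first in a log like this: firewall exceptions and services that run from user-writable or temporary paths, globally open remote-access ports, Security Center monitoring switched off, and the GMER hook and warning lines. The section-name matching, the "user-writable path" heuristic and the port ranges are my assumptions about what is worth flagging, not anything the tools define.

```python
"""Triage the security-relevant facts in a ComboFix log (added example)."""
import re

# Excerpt copied from the posted log above (tabs collapsed to spaces).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\LMI7AF.tmp\\lmi_rescue.exe"=
"c:\\Documents and Settings\\Nan Mayer\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5910:TCP"= 5910:TCP:vnc5910

R2 CrossLoopService;CrossLoop Service;c:\documents and settings\Nan Mayer\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [8/9/2010 8:58 AM 560848]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [12/9/2010 2:35 PM 130000]
S3 uvnc_service;uvnc_service;c:\documents and settings\Nan Mayer\Local Settings\Application Data\CrossLoop\winvnc.exe [8/9/2010 8:58 AM 1587352]

detected hooks:
\Driver\atapi DriverStartIo -> 0x86F4639B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...] header
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                    # "name"=value
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[")  # R2 name;desc;path [date size]
HOOK_RE = re.compile(r"^\\Driver\\\S+ \S+ -> 0x[0-9A-Fa-f]+$")     # GMER "detected hooks" entry
# Assumed heuristic: binaries under a user profile's Local Settings, a Temp
# directory, or a *.tmp directory deserve a second look.
USER_WRITABLE = re.compile(
    r"(\\documents and settings\\[^\\]+\\local settings|\\temp\\|\.tmp\\)", re.I)
REMOTE_PORTS = {3389: "RDP"}  # plus the VNC range 5900-5999, checked below


def parse_log(text):
    """Walk the log once, keyed on the current [section] header."""
    facts = {"autoruns": [], "fw_apps": [], "fw_ports": [], "services": [],
             "monitoring_disabled": [], "hooks": [], "warnings": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:  # (start type, service name, image path)
            facts["services"].append((m.group(1), m.group(2), m.group(4)))
            continue
        if HOOK_RE.match(line):
            facts["hooks"].append(line)
            continue
        if line.lower().startswith("warning:"):
            facts["warnings"].append(line)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if section.endswith("currentversion\\run"):
            # value looks like "path" [date size]; keep only the path
            facts["autoruns"].append((name, value.split('" [')[0].strip('"')))
        elif "authorizedapplications" in section:
            facts["fw_apps"].append(name.replace("\\\\", "\\"))  # un-escape REG backslashes
        elif "globallyopenports" in section:
            port, proto = name.split(":")
            facts["fw_ports"].append((int(port), proto, value.split(":", 2)[-1]))
        elif "security center\\monitoring" in section and name == "DisableMonitoring" \
                and value.lower() == "dword:00000001":
            facts["monitoring_disabled"].append(section.rsplit("\\", 1)[-1])
    return facts


def triage(facts):
    """Turn parsed facts into a list of human-readable findings."""
    findings = []
    for name, path in facts["autoruns"]:
        if USER_WRITABLE.search(path):
            findings.append(f"autorun in user-writable path: {name} -> {path}")
    for path in facts["fw_apps"]:
        if USER_WRITABLE.search(path):
            findings.append(f"firewall exception for user-writable path: {path}")
    for port, proto, label in facts["fw_ports"]:
        if port in REMOTE_PORTS or 5900 <= port <= 5999:
            findings.append(f"remote-access port open: {port}/{proto} ({label})")
    for start, name, path in facts["services"]:
        if USER_WRITABLE.search(path):
            findings.append(f"service {name} ({start}) runs from user profile: {path}")
    for key in facts["monitoring_disabled"]:
        findings.append(f"Security Center monitoring disabled for {key}")
    findings.extend(f"kernel hook: {h}" for h in facts["hooks"])
    findings.extend(f"scanner warning: {w}" for w in facts["warnings"])
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run it against a whole ComboFix log by reading the file into `parse_log` instead of `SAMPLE_LOG`; on the excerpt it reports the two firewall exceptions under `LMI7AF.tmp` and the CrossLoop profile directory, the open 3389 and 5910 ports, the two CrossLoop services, the disabled Security Center monitoring, the `atapi` `DriverStartIo` hook and the TDL3 warning, while the Program Files autoruns stay quiet.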