Geeks to Go forums
Cannot Uninstall Movie Maker & microsoft frontpage & Google Re

This topic is locked
#16 10Kay (Member, Topic Starter, 19 posts)
All processes killed
========== OTL ==========
Service HidServ stopped successfully!
Service HidServ deleted successfully!
File C:\WINDOWS\System32\hidserv.dll File not found not found.
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
File C:\WINDOWS\System32\appmgmts.dll File not found not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: CompAdmin_DW
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 10627679 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: Dew
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 10.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.10.0 log created on 08282010_163633

Files\Folders moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_5e4.dat moved successfully.

Registry entries deleted on Reboot...

#17 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,050 posts)
Hi 10Kay,

Looks like I cross posted with you. Sorry about that. :)

Please now move on to the OTL script at post #15. :)

#18 10Kay (Member, Topic Starter, 19 posts)
========== FILES ==========
Folder move failed. C:\Program Files\movie maker scheduled to be moved on reboot.
Folder move failed. C:\Program Files\microsoft frontpage\version3.0\bin scheduled to be moved on reboot.
Folder move failed. C:\Program Files\microsoft frontpage\version3.0 scheduled to be moved on reboot.
Folder move failed. C:\Program Files\microsoft frontpage scheduled to be moved on reboot.
File\Folder :Commands not found.
File\Folder [Reboot] not found.

OTL by OldTimer - Version 3.2.10.0 log created on 08282010_165111

Files\Folders moved on Reboot...
Folder move failed. C:\Program Files\movie maker scheduled to be moved on reboot.
Folder move failed. C:\Program Files\microsoft frontpage\version3.0\bin scheduled to be moved on reboot.
Folder move failed. C:\Program Files\microsoft frontpage\version3.0\bin scheduled to be moved on reboot.
Folder move failed. C:\Program Files\microsoft frontpage\version3.0 scheduled to be moved on reboot.
Folder move failed. C:\Program Files\microsoft frontpage\version3.0\bin scheduled to be moved on reboot.
Folder move failed. C:\Program Files\microsoft frontpage\version3.0 scheduled to be moved on reboot.
Folder move failed. C:\Program Files\microsoft frontpage scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#19 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,050 posts)
Hello 10Kay,

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#20 10Kay (Member, Topic Starter, 19 posts)
Hello emeraldnzl,
Here is the ComboFix scan:

ComboFix 10-08-28.02 - CompAdmin_DW 08/29/2010 16:19:32.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.99 [GMT -7:00]
Running from: c:\documents and settings\CompAdmin_DW\My Documents\Downloads\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.

2010-08-28 01:37 . 2010-08-28 01:37 -------- d-----w- C:\_OTL
2010-08-27 19:54 . 2010-08-27 19:54 -------- d-----w- c:\program files\ESET
2010-08-27 03:09 . 2010-08-27 23:31 -------- d-----w- c:\program files\Java
2010-08-26 02:48 . 2010-08-26 02:48 414 ----a-w- c:\documents and settings\CompAdmin_DW\DisableDrWatson.reg
2010-08-25 02:35 . 2010-08-25 02:35 -------- d-----w- c:\program files\Common Files\Java
2010-08-24 05:32 . 2004-08-10 18:04 0 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\WinPatrol\Config.sys
2010-08-24 05:32 . 2004-08-10 18:04 0 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\WinPatrol\Autoexec.bat
2010-08-24 05:32 . 2010-08-24 05:32 -------- d-----w- c:\documents and settings\CompAdmin_DW\Application Data\WinPatrol
2010-08-24 05:31 . 2010-08-24 05:31 -------- d-----w- c:\program files\BillP Studios
2010-08-22 08:05 . 2010-08-22 08:05 -------- d-sh--w- c:\documents and settings\Dew\PrivacIE
2010-08-22 06:38 . 2010-08-22 06:38 -------- d-----w- c:\program files\microsoft frontpage
2010-08-15 23:28 . 2010-08-15 23:28 2688 ----a-w- c:\documents and settings\CompAdmin_DW\Disable_CinepakEncodedFilesinDirectShow.reg
2010-08-15 01:04 . 2010-08-15 01:04 -------- d-----w- c:\documents and settings\Dew\Application Data\Malwarebytes
2010-08-15 00:24 . 2010-08-15 00:24 566 ----a-w- c:\documents and settings\CompAdmin_DW\MP3_Parser_Backup.reg
2010-08-14 22:39 . 2010-08-14 22:39 2740 ----a-w- c:\documents and settings\CompAdmin_DW\Drivers32_Backup.reg
2010-08-14 04:16 . 2010-08-14 04:16 2540 ----a-w- c:\documents and settings\CompAdmin_DW\Disable_Silverlight.reg
2010-08-14 04:15 . 2010-08-14 04:15 2540 ----a-w- c:\documents and settings\CompAdmin_DW\SL_backup.reg
2010-08-10 04:10 . 2010-08-10 04:10 -------- d-----w- c:\documents and settings\CompAdmin_DW\Application Data\Malwarebytes
2010-08-10 04:10 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 04:10 . 2010-08-10 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-10 04:10 . 2010-08-10 04:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-10 04:10 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-10 01:32 . 2010-08-10 01:32 -------- d-----w- C:\_OTM
2010-08-08 03:13 . 2010-08-08 03:13 503808 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-60eb8bef-n\msvcp71.dll
2010-08-08 03:13 . 2010-08-08 03:13 499712 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-60eb8bef-n\jmc.dll
2010-08-08 03:13 . 2010-08-08 03:13 348160 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-60eb8bef-n\msvcr71.dll
2010-08-08 03:13 . 2010-08-08 03:13 61440 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2d5c66d7-n\decora-sse.dll
2010-08-08 03:13 . 2010-08-08 03:13 12800 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2d5c66d7-n\decora-d3d.dll
2010-08-07 22:13 . 2010-08-07 22:13 -------- d-----w- c:\documents and settings\CompAdmin_DW\Local Settings\Application Data\WMTools Downloaded Files
2010-08-05 21:18 . 2010-08-05 21:18 503808 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-79864a60-n\msvcp71.dll
2010-08-05 21:18 . 2010-08-05 21:18 499712 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-79864a60-n\jmc.dll
2010-08-05 21:18 . 2010-08-05 21:18 348160 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-79864a60-n\msvcr71.dll
2010-08-05 21:18 . 2010-08-05 21:18 61440 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5783da91-n\decora-sse.dll
2010-08-05 21:18 . 2010-08-05 21:18 12800 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5783da91-n\decora-d3d.dll
2010-08-01 22:44 . 2010-08-26 01:24 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 00:33 . 2010-06-20 06:15 -------- d-----w- c:\documents and settings\CompAdmin_DW\Application Data\ZoomBrowser EX
2010-08-05 23:56 . 2010-06-20 06:16 -------- d-----w- c:\documents and settings\CompAdmin_DW\Application Data\CameraWindowDC
2010-08-01 21:58 . 2010-07-06 22:39 -------- d-----w- c:\program files\NortonInstaller
2010-08-01 21:57 . 2009-02-08 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-17 12:00 . 2010-04-15 22:32 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-11 05:03 . 2010-07-11 05:03 -------- d-----w- c:\documents and settings\Dew\Application Data\ZoomBrowser EX
2010-07-11 02:51 . 2010-07-11 02:51 72224 ----a-w- c:\documents and settings\Dew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-08 21:41 . 2009-02-24 03:24 -------- d-----w- c:\program files\Canon
2010-07-08 21:39 . 2010-07-08 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-07-07 03:30 . 2010-07-07 01:27 -------- d-----w- c:\program files\Symantec
2010-07-07 03:30 . 2010-07-07 01:27 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-07 03:30 . 2010-07-07 01:27 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-07 03:30 . 2010-07-07 01:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-07-07 03:30 . 2010-07-07 01:27 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-07 01:52 . 2010-07-07 01:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-07 01:24 . 2010-07-07 01:24 -------- d-----w- c:\program files\Norton Internet Security
2010-07-05 02:24 . 2009-02-09 21:37 50 -c--a-w- c:\windows\system32\bridf06a.dat
2010-07-05 02:23 . 2009-02-09 21:35 -------- d-----w- c:\program files\Brother
2010-07-05 02:23 . 2010-04-20 21:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-03 22:41 . 2010-07-03 22:41 -------- d-----w- c:\program files\VS Revo Group
2010-06-30 12:31 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 04:43 . 2010-06-27 04:43 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-24 12:22 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 01:37 . 2010-06-24 01:37 503808 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b7576b5-n\msvcp71.dll
2010-06-24 01:37 . 2010-06-24 01:37 499712 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b7576b5-n\jmc.dll
2010-06-24 01:37 . 2010-06-24 01:37 348160 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b7576b5-n\msvcr71.dll
2010-06-24 01:37 . 2010-06-24 01:37 61440 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4400c1e1-n\decora-sse.dll
2010-06-24 01:37 . 2010-06-24 01:37 12800 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4400c1e1-n\decora-d3d.dll
2010-06-23 13:44 . 2004-08-10 17:51 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 03:32 . 2010-06-22 03:32 503808 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-306594ca-n\msvcp71.dll
2010-06-22 03:32 . 2010-06-22 03:32 499712 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-306594ca-n\jmc.dll
2010-06-22 03:32 . 2010-06-22 03:32 348160 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-306594ca-n\msvcr71.dll
2010-06-22 03:31 . 2010-06-22 03:31 61440 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-13d196f4-n\decora-sse.dll
2010-06-22 03:31 . 2010-06-22 03:31 12800 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-13d196f4-n\decora-d3d.dll
2010-06-21 15:27 . 2004-08-10 17:51 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-20 06:45 . 2010-06-20 06:45 72224 ----a-w- c:\documents and settings\CompAdmin_DW\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-20 06:22 . 2010-06-20 06:15 4586 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\wklnhst.dat
2010-06-17 14:03 . 2010-06-17 14:03 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 17:51 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-06-10 00:43 . 2009-03-18 02:55 88 --sh--r- c:\windows\system32\05DBC0C248.sys
2009-06-10 00:43 . 2009-03-18 02:55 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^STIMON.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\STIMON.lnk
backup=c:\windows\pss\STIMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2006-03-28 23:48 622592 ----a-r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-04-10 22:58 61440 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 16:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 16:36 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-09-20 16:35 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2005-03-17 22:45 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-05-17 07:58 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-05-17 07:58 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-05-17 07:58 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 22:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2005-01-27 01:02 49152 ----a-w- c:\program files\Brother\Brmfl06a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-15 00:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 18:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [7/6/2010 7:50 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [7/6/2010 7:50 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100810.004\BHDrvx86.sys [8/9/2010 6:11 PM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [7/6/2010 7:50 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [7/6/2010 7:50 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [7/6/2010 7:50 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/6/2010 6:49 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100827.001\IDSXpx86.sys [8/27/2010 5:36 PM 331640]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP141
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
UPHClean REG_MULTI_SZ UPHClean
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?scope=web&setmkt=en-CA&setlang=SET_NULL&uid=A01618EC&FORM=W5WA
Trusted Zone: adobe.com\www
Trusted Zone: bing.com\www
Trusted Zone: geekstogo.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www
Trusted Zone: secunia.com\psi
FF - ProfilePath - c:\documents and settings\CompAdmin_DW\Application Data\Mozilla\Firefox\Profiles\q9axt25y.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-29 16:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-08-29 16:30:43
ComboFix-quarantined-files.txt 2010-08-29 23:30

Pre-Run: 57,098,366,976 bytes free
Post-Run: 57,050,308,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=AlwaysOn

- - End Of File - - 8D7312F336FE3D4D118B733DC8BA2578
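As a defender's triage aid for logs like the one above (an added example, not part of this thread and not ComboFix's own code), the following Python parses the ComboFix file-listing lines (modified time, created time, size, attribute column, path) and flags entries worth a second look. It assumes the attribute letters follow the usual Windows abbreviations (d directory, c compressed, s system, h hidden, a archive, r read-only); the two flag rules are constructed review heuristics, not anything ComboFix itself reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One ComboFix file-listing line looks like (copied from the log above):
#   2009-06-10 00:43 . 2009-03-18 02:55 88 --sh--r- c:\windows\system32\05DBC0C248.sys
# i.e. modified-time " . " created-time size attributes path.
# Directories carry "--------" in the size column instead of a number.
LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>\S.*)$"
)


@dataclass
class Entry:
    modified: str
    created: str
    size: Optional[int]   # None for directories
    attrs: str            # raw attribute column, e.g. "-csha-w-"
    path: str

    # Attribute letters read as the usual Windows abbreviations (assumption):
    # d directory, c compressed, s system, h hidden, a archive, r read-only.
    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_log(text: str) -> List[Entry]:
    """Extract file-listing entries; section banners and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["modified"], m["created"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Constructed review heuristics: return (path, reason) for entries to look at."""
    findings = []
    for e in entries:
        if e.is_dir:
            continue  # hidden/system directories such as PrivacIE are normal
        ext = e.path.lower().rsplit(".", 1)[-1]
        if e.hidden and e.system:
            findings.append((e.path, "hidden+system file: verify publisher and hash before trusting it"))
        elif ext in ("exe", "dll", "sys") and "\\documents and settings\\" in e.path.lower():
            findings.append((e.path, "executable under a user profile: confirm it belongs to an installed program"))
    return findings


# Sample input: a handful of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.
2010-08-28 01:37 . 2010-08-28 01:37 -------- d-----w- C:\_OTL
2010-08-10 04:10 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-27 04:43 . 2010-06-27 04:43 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-10 00:43 . 2009-03-18 02:55 88 --sh--r- c:\windows\system32\05DBC0C248.sys
2009-06-10 00:43 . 2009-03-18 02:55 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-08-22 08:05 . 2010-08-22 08:05 -------- d-sh--w- c:\documents and settings\Dew\PrivacIE
"""

if __name__ == "__main__":
    for path, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{path}\n    -> {reason}")
```

A flagged entry is a prompt to check the file's signer, hash and owning product, not a verdict; the two hidden system .sys files in the sample are flagged purely on their attributes.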

#21 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,050 posts)
Hello 10Kay,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Folder::
c:\program files\microsoft frontpage
C:\Program Files\movie maker

boot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.

#22 10Kay (Member, Topic Starter, 19 posts)
Hello emeraldnzl,
I have a question on the following ComboFix Scan Log entry:

--- Other Services/Drivers In Memory

*Deregistered* - PROCEXP141
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
UPHClean REG_MULTI_SZ UPHClean---

I installed Process Explorer - Will deregistering PROCEXP141 make Process Explorer run properly? I also installed UPH Clean - Will deregistering uphcleanhlp make UPH Clean run properly? If uphcleanhlp is a Help entry and is removed, that is fine with me. So long as UPH Clean runs as created.

Thanks so much emeraldnzl.

#23 10Kay (Member, Topic Starter, 19 posts)
Hello emeraldnzl,
Here is the ComboFix.txt Log file with the CFScript.txt with the ComboFix.exe merge.

ComboFix 10-08-28.02 - CompAdmin_DW 08/29/2010 17:45:49.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.148 [GMT -7:00]
Running from: c:\documents and settings\CompAdmin_DW\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\CompAdmin_DW\My Documents\Downloads\CFScript.txt.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\microsoft frontpage . . . .
c:\program files\movie maker . . . .

.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-30 )))))))))))))))))))))))))))))))
.

2010-08-28 01:37 . 2010-08-28 01:37 -------- d-----w- C:\_OTL
2010-08-27 19:54 . 2010-08-27 19:54 -------- d-----w- c:\program files\ESET
2010-08-27 03:09 . 2010-08-27 23:31 -------- d-----w- c:\program files\Java
2010-08-26 02:48 . 2010-08-26 02:48 414 ----a-w- c:\documents and settings\CompAdmin_DW\DisableDrWatson.reg
2010-08-25 02:35 . 2010-08-25 02:35 -------- d-----w- c:\program files\Common Files\Java
2010-08-24 05:32 . 2010-08-24 05:32 -------- d-----w- c:\documents and settings\CompAdmin_DW\Application Data\WinPatrol
2010-08-24 05:31 . 2010-08-24 05:31 -------- d-----w- c:\program files\BillP Studios
2010-08-22 08:05 . 2010-08-22 08:05 -------- d-sh--w- c:\documents and settings\Dew\PrivacIE
2010-08-22 06:38 . 2010-08-22 06:38 -------- d-----w- c:\program files\microsoft frontpage
2010-08-15 23:28 . 2010-08-15 23:28 2688 ----a-w- c:\documents and settings\CompAdmin_DW\Disable_CinepakEncodedFilesinDirectShow.reg
2010-08-15 01:04 . 2010-08-15 01:04 -------- d-----w- c:\documents and settings\Dew\Application Data\Malwarebytes
2010-08-15 00:24 . 2010-08-15 00:24 566 ----a-w- c:\documents and settings\CompAdmin_DW\MP3_Parser_Backup.reg
2010-08-14 22:39 . 2010-08-14 22:39 2740 ----a-w- c:\documents and settings\CompAdmin_DW\Drivers32_Backup.reg
2010-08-14 04:16 . 2010-08-14 04:16 2540 ----a-w- c:\documents and settings\CompAdmin_DW\Disable_Silverlight.reg
2010-08-14 04:15 . 2010-08-14 04:15 2540 ----a-w- c:\documents and settings\CompAdmin_DW\SL_backup.reg
2010-08-10 04:10 . 2010-08-10 04:10 -------- d-----w- c:\documents and settings\CompAdmin_DW\Application Data\Malwarebytes
2010-08-10 04:10 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 04:10 . 2010-08-10 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-10 04:10 . 2010-08-10 04:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-10 04:10 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-10 01:32 . 2010-08-10 01:32 -------- d-----w- C:\_OTM
2010-08-07 22:13 . 2010-08-07 22:13 -------- d-----w- c:\documents and settings\CompAdmin_DW\Local Settings\Application Data\WMTools Downloaded Files
2010-08-01 22:44 . 2010-08-26 01:24 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-08 03:13 . 2010-08-08 03:13 503808 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-60eb8bef-n\msvcp71.dll
2010-08-08 03:13 . 2010-08-08 03:13 499712 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-60eb8bef-n\jmc.dll
2010-08-08 03:13 . 2010-08-08 03:13 348160 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-60eb8bef-n\msvcr71.dll
2010-08-08 03:13 . 2010-08-08 03:13 61440 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2d5c66d7-n\decora-sse.dll
2010-08-08 03:13 . 2010-08-08 03:13 12800 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2d5c66d7-n\decora-d3d.dll
2010-08-06 00:33 . 2010-06-20 06:15 -------- d-----w- c:\documents and settings\CompAdmin_DW\Application Data\ZoomBrowser EX
2010-08-05 23:56 . 2010-06-20 06:16 -------- d-----w- c:\documents and settings\CompAdmin_DW\Application Data\CameraWindowDC
2010-08-05 21:18 . 2010-08-05 21:18 503808 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-79864a60-n\msvcp71.dll
2010-08-05 21:18 . 2010-08-05 21:18 499712 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-79864a60-n\jmc.dll
2010-08-05 21:18 . 2010-08-05 21:18 348160 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-79864a60-n\msvcr71.dll
2010-08-05 21:18 . 2010-08-05 21:18 61440 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5783da91-n\decora-sse.dll
2010-08-05 21:18 . 2010-08-05 21:18 12800 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5783da91-n\decora-d3d.dll
2010-08-01 21:58 . 2010-07-06 22:39 -------- d-----w- c:\program files\NortonInstaller
2010-08-01 21:57 . 2009-02-08 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-17 12:00 . 2010-04-15 22:32 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-11 05:03 . 2010-07-11 05:03 -------- d-----w- c:\documents and settings\Dew\Application Data\ZoomBrowser EX
2010-07-11 02:51 . 2010-07-11 02:51 72224 ----a-w- c:\documents and settings\Dew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-08 21:41 . 2009-02-24 03:24 -------- d-----w- c:\program files\Canon
2010-07-08 21:39 . 2010-07-08 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-07-07 03:30 . 2010-07-07 01:27 -------- d-----w- c:\program files\Symantec
2010-07-07 03:30 . 2010-07-07 01:27 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-07 03:30 . 2010-07-07 01:27 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-07 03:30 . 2010-07-07 01:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-07-07 03:30 . 2010-07-07 01:27 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-07 01:52 . 2010-07-07 01:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-07 01:24 . 2010-07-07 01:24 -------- d-----w- c:\program files\Norton Internet Security
2010-07-05 02:24 . 2009-02-09 21:37 50 -c--a-w- c:\windows\system32\bridf06a.dat
2010-07-05 02:23 . 2009-02-09 21:35 -------- d-----w- c:\program files\Brother
2010-07-05 02:23 . 2010-04-20 21:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-03 22:41 . 2010-07-03 22:41 -------- d-----w- c:\program files\VS Revo Group
2010-06-30 12:31 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 04:43 . 2010-06-27 04:43 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-24 12:22 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 01:37 . 2010-06-24 01:37 503808 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b7576b5-n\msvcp71.dll
2010-06-24 01:37 . 2010-06-24 01:37 499712 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b7576b5-n\jmc.dll
2010-06-24 01:37 . 2010-06-24 01:37 348160 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b7576b5-n\msvcr71.dll
2010-06-24 01:37 . 2010-06-24 01:37 61440 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4400c1e1-n\decora-sse.dll
2010-06-24 01:37 . 2010-06-24 01:37 12800 ----a-w- c:\documents and settings\Dew\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4400c1e1-n\decora-d3d.dll
2010-06-23 13:44 . 2004-08-10 17:51 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 03:32 . 2010-06-22 03:32 503808 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-306594ca-n\msvcp71.dll
2010-06-22 03:32 . 2010-06-22 03:32 499712 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-306594ca-n\jmc.dll
2010-06-22 03:32 . 2010-06-22 03:32 348160 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-306594ca-n\msvcr71.dll
2010-06-22 03:31 . 2010-06-22 03:31 61440 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-13d196f4-n\decora-sse.dll
2010-06-22 03:31 . 2010-06-22 03:31 12800 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-13d196f4-n\decora-d3d.dll
2010-06-21 15:27 . 2004-08-10 17:51 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-20 06:45 . 2010-06-20 06:45 72224 ----a-w- c:\documents and settings\CompAdmin_DW\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-20 06:22 . 2010-06-20 06:15 4586 ----a-w- c:\documents and settings\CompAdmin_DW\Application Data\wklnhst.dat
2010-06-17 14:03 . 2010-06-17 14:03 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 17:51 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-06-10 00:43 . 2009-03-18 02:55 88 --sh--r- c:\windows\system32\05DBC0C248.sys
2009-06-10 00:43 . 2009-03-18 02:55 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^STIMON.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\STIMON.lnk
backup=c:\windows\pss\STIMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2006-03-28 23:48 622592 ----a-r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-04-10 22:58 61440 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 16:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 16:36 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-09-20 16:35 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2005-03-17 22:45 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-05-17 07:58 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-05-17 07:58 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-05-17 07:58 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 22:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2005-01-27 01:02 49152 ----a-w- c:\program files\Brother\Brmfl06a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-15 00:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 18:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [7/6/2010 7:50 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [7/6/2010 7:50 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100810.004\BHDrvx86.sys [8/9/2010 6:11 PM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [7/6/2010 7:50 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [7/6/2010 7:50 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [7/6/2010 7:50 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/6/2010 6:49 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100827.001\IDSXpx86.sys [8/27/2010 5:36 PM 331640]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
UPHClean REG_MULTI_SZ UPHClean
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?scope=web&setmkt=en-CA&setlang=SET_NULL&uid=A01618EC&FORM=W5WA
Trusted Zone: adobe.com\www
Trusted Zone: bing.com\www
Trusted Zone: geekstogo.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www
Trusted Zone: secunia.com\psi
FF - ProfilePath - c:\documents and settings\CompAdmin_DW\Application Data\Mozilla\Firefox\Profiles\q9axt25y.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-29 17:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2816)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2010-08-29 18:03:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-30 01:03
ComboFix2.txt 2010-08-29 23:45

Pre-Run: 57,050,509,312 bytes free
Post-Run: 57,045,225,472 bytes free

- - End Of File - - E1E49183627801D925EE589234DE9AB8
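The lines in this log that matter most for security are easy to miss among the file-date entries: the standard-profile Windows Firewall is reported off (EnableFirewall = 0) with its notifications suppressed, Skype has inbound exceptions, and several non-Microsoft sites sit in IE's Trusted Sites zone. One caveat before treating the firewall line as exposure: the service list shows Norton Internet Security, which ships its own firewall and switches the Windows one off, so the finding is a prompt to confirm a replacement firewall is actually running rather than proof of an open machine. The checker below is an added example, not code from this thread or from ComboFix: it parses the section and value formats ComboFix uses and ranks what it finds. SAMPLE_LOG is constructed from lines copied from the log above; the severity labels and the "user-writable location" heuristic for autorun entries are this example's own choices.

```python
"""Added example (not from the thread or from ComboFix): rank the
security-relevant entries of a ComboFix-style log.  SAMPLE_LOG is
constructed from lines copied from the log posted in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

Trusted Zone: adobe.com\www
Trusted Zone: geekstogo.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\www
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "review": 2, "info": 3}


@dataclass(frozen=True)
class Finding:
    severity: str   # high | medium | review | info (this example's own scale)
    category: str   # firewall | firewall-exception | autorun | trusted-zone
    item: str
    detail: str


SECTION_RE = re.compile(r"^\[(.+)\]$")          # [registry key] header line
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')   # "name"= data
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)")
# autorun targets under a user profile or temp directory deserve a closer look
USER_WRITABLE_RE = re.compile(r"\\(documents and settings|temp|local settings)\\", re.I)


def _unescape(path: str) -> str:
    """ComboFix doubles backslashes inside quoted registry value names."""
    return path.replace("\\\\", "\\")


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()        # key whose values follow
            continue
        if m := TRUSTED_RE.match(line):
            entry = m.group(1)
            # Trusted Sites get weaker IE settings than the Internet zone,
            # so every non-Microsoft entry is worth a second look
            if entry.split("\\", 1)[0].lower() != "microsoft.com":
                findings.append(Finding("review", "trusted-zone", entry,
                                        "site runs with Trusted Sites zone settings"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if section.endswith(r"firewallpolicy\standardprofile"):
            if name == "EnableFirewall" and data.startswith("0"):
                findings.append(Finding("high", "firewall", name,
                                        "Windows Firewall is off for the standard profile"))
            elif name == "DisableNotifications" and data.startswith("1"):
                findings.append(Finding("medium", "firewall", name,
                                        "blocked-program prompts are suppressed"))
        elif section.endswith(r"authorizedapplications\list"):
            path = _unescape(name)
            if not path.lower().startswith(("c:\\windows\\", "%windir%\\")):
                findings.append(Finding("review", "firewall-exception", path,
                                        "third-party program allowed inbound"))
        elif section.endswith(r"currentversion\run"):
            pm = re.match(r'^"([^"]*)"', data)      # data is "path" [date size]
            path = pm.group(1) if pm else data
            sev = "review" if USER_WRITABLE_RE.search(path) else "info"
            where = " from a user-writable location" if sev == "review" else ""
            findings.append(Finding(sev, "autorun", f"{name} -> {path}",
                                    "starts at logon" + where))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])   # stable: keeps log order within a level
    return findings


def summarize(findings: list[Finding]) -> str:
    return "\n".join(f"[{f.severity:6}] {f.category:18} {f.item}  ({f.detail})" for f in findings)


if __name__ == "__main__":
    print(summarize(analyze(SAMPLE_LOG)))
```

Run it on a full ComboFix report by reading the file into analyze(); the section matching is by key-name suffix, so the HKLM\~ abbreviation ComboFix uses and the full HKEY_LOCAL_MACHINE spelling both work.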

#24
emeraldnzl
GeekU Instructor
  • GeekU Moderator
  • 20,050 posts
Hello 10Kay,

I have not found that to cause problems in the past. Nevertheless, tell me if you notice a difference or there are any error messages.

#25
emeraldnzl
GeekU Instructor
  • GeekU Moderator
  • 20,050 posts
Oh, I see I have cross-posted.

Have those two programs gone now?

#26
10Kay
Member
  • Topic Starter
  • 19 posts
Hello emeraldnzl,
The folders microsoft frontpage and Movie Maker are still there and I cannot delete them at all!

Here are some JPEGs of the error messages when I try to delete the folders:

Attached Thumbnails

  • microsoft frontpage folder cannot be deleted at all Aug292010.JPG
  • movie maker cannot be deleted could make some programs not work Aug292010.JPG
  • movie maker cannot be deleted being used by another program Aug292010.JPG


#27
emeraldnzl
GeekU Instructor
  • GeekU Moderator
  • 20,050 posts
Okay, because I specialize in the malware side of things I think I may have missed something here.

My guess is that these two are integral with other microsoft programs you have on your machine.

Is Movie Maker for example in Programs > Accessories?

Not sure about Microsoft Front Page but do you have a version of Microsoft Office that includes it?

Try going to Control Panel > Add or Remove Programs > Add or Remove Windows Components and see if there are items there that can be unticked that will remove them.

Tell me how you get on.

#28
10Kay
Member
  • Topic Starter
  • 19 posts
Hello emeraldnzl,
Here is a screenshot of microsoft frontpage and movie maker under program files.


microsoft frontpage and movie maker are in separate folders Aug292010.JPG


I just don't recall these files being listed when I had to clean install Windows after formatting hard drive. I did have a trial MS Small Business Office Suite, but I have since uninstalled it (This was before finding out about Revo Uninstaller).

I unchecked document templates under Accessories. So I don't know if I can still use MS Works Word Processor though. I may uninstall MS Works as I don't use it very much.

Before my initial post, I searched on Microsoft's website on these programs. FrontPage is a web developer program. I do not create websites.

Movie Maker, I am not sure whether it was an OEM program or a program that suddenly appeared. According to Microsoft, Movie Maker seems to be integrated with Media Player, which I do still have installed. I don't watch movies on my computer. Internet is too slow for that.

Mayhaps that is why I cannot remove these folders. Just don't know.

Thanks so much.

#29
emeraldnzl
GeekU Instructor
  • GeekU Moderator
  • 20,050 posts
Hello 10Kay,

I think your machine is clean of malware. :)

Mayhaps that is why I cannot remove these folders. Just don't know.


I am not a techie but I do think so. :)

It might be that the people at the XP Operating System forum at the link below have an answer to your uninstall problems.

http://www.geekstogo...p-2000-2003-nt/

Open a new topic and tell them that you have been here first.

As one oldy to another I want to tell you that it has been a pleasure dealing with you. :)

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Step 2
  • Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep. Erunt can also be uninstalled via the add/remove programs utility.
-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that your machine is clean here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Regularly check that your Java is up to date. Older versions are vulnerable to malicious attack.
  • Download from here Java Runtime Environment (JDK) Update
  • Scroll to where it says "Windows XP/Vista/2000/2003/2008 online" and download and follow the instructions to install.

    Reboot your computer.
    You also need to uninstall older versions of Java.
  • Click Start > Control Panel > Add or Remove Programs
  • Remove all Java updates except the latest one you have just installed.
--------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week.

For ease of use, you might consider the following free program:
--------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* Consider using an alternate browser.

Opera may be downloaded from here. It is one of the least targeted of all browsers.

Avant may be downloaded from here. Another one that is less well known.

Firefox may be downloaded from Here. I use Firefox because I like it. Used to be one of the safest but now targeted probably as much as IE.

Adblock Plus is a good Add-on for Firefox that helps prevent those annoying pop ups.
-----------------------------------------------------------------------------------------------------------------------

Startuplite is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

  • It is recommended that you do set Windows to check, download and install your updates automatically.

    * Click Start > Control Panel > Automatic Updates
    * Set the day and time for the update check. Set this to a time when your computer will normally be on and connected to the internet.
    * Click Apply then OK.

    And to keep your system clean consider choosing from these free for home use malware scanners and updating and running weekly.
  • Malwarebytes
  • SuperAntiSpyWare
Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

Have a safe and happy computing day!
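The Internet Options and Automatic Updates steps in the post above are clicked through the GUI; the same settings live in the registry, which is what you want when they have to be verified or re-applied on more than one machine. The audit below is an added example, not code from the thread: it checks the Internet zone ActiveX actions (values 1001, 1004 and 1201 under Internet Settings\Zones\3, where 0 = Enable, 1 = Prompt and 3 = Disable), the Automatic Updates mode (AUOptions, where 4 = download and install on schedule) and the standard-profile firewall flag shown in the log earlier in the thread, then writes a REGEDIT4 file that applies the values the post recommends. The key paths and value meanings are taken from Microsoft's documentation of those keys; SAMPLE_CURRENT is constructed (only the EnableFirewall value comes from the log), accepting Disable as well as Prompt for the two download actions is this example's own choice, and read_live needs Windows.

```python
"""Added example (not from the thread): audit the registry values behind the
IE Internet-zone ActiveX, Automatic Updates and Windows Firewall advice, and
emit a REGEDIT4 file that sets the failing ones.  Value names and meanings
follow Microsoft's documentation of these keys; SAMPLE_CURRENT is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

try:
    import winreg                 # Windows only; the audit logic itself does not need it
except ImportError:               # pragma: no cover
    winreg = None

ZONE3 = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"   # Internet zone
AU = r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
FW = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"


@dataclass(frozen=True)
class Check:
    hive: str            # "HKEY_CURRENT_USER" or "HKEY_LOCAL_MACHINE"
    key: str
    name: str
    ok: frozenset[int]   # values that pass
    fix: int             # value the generated .reg file writes
    label: str


CHECKS = [
    Check("HKEY_CURRENT_USER", ZONE3, "1001", frozenset({1, 3}), 1,
          "Download signed ActiveX controls (0=Enable, 1=Prompt, 3=Disable)"),
    Check("HKEY_CURRENT_USER", ZONE3, "1004", frozenset({1, 3}), 1,
          "Download unsigned ActiveX controls"),
    Check("HKEY_CURRENT_USER", ZONE3, "1201", frozenset({3}), 3,
          "Initialize and script ActiveX controls not marked as safe"),
    Check("HKEY_LOCAL_MACHINE", AU, "AUOptions", frozenset({4}), 4,
          "Automatic Updates (4 = download and install on schedule)"),
    Check("HKEY_LOCAL_MACHINE", FW, "EnableFirewall", frozenset({1}), 1,
          "Windows Firewall, standard profile"),
]

# Constructed sample: everything at its weak setting.  Only EnableFirewall = 0
# is taken from the ComboFix log in the thread.
SAMPLE_CURRENT = {
    ("HKEY_CURRENT_USER", ZONE3, "1001"): 0,
    ("HKEY_CURRENT_USER", ZONE3, "1004"): 0,
    ("HKEY_CURRENT_USER", ZONE3, "1201"): 1,
    ("HKEY_LOCAL_MACHINE", AU, "AUOptions"): 2,
    ("HKEY_LOCAL_MACHINE", FW, "EnableFirewall"): 0,
}


@dataclass(frozen=True)
class Result:
    check: Check
    current: Optional[int]   # None when the value is missing

    @property
    def passed(self) -> bool:
        return self.current in self.check.ok


def audit(values: dict[tuple[str, str, str], Optional[int]]) -> list[Result]:
    """Compare a (hive, key, name) -> value mapping against CHECKS; missing values fail."""
    return [Result(c, values.get((c.hive, c.key, c.name))) for c in CHECKS]


def read_live() -> dict[tuple[str, str, str], Optional[int]]:
    """Read the checked values from the local registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable; pass values from a registry export instead")
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    out: dict[tuple[str, str, str], Optional[int]] = {}
    for c in CHECKS:
        try:
            with winreg.OpenKey(hives[c.hive], c.key) as k:
                data, kind = winreg.QueryValueEx(k, c.name)
                out[(c.hive, c.key, c.name)] = int(data) if kind == winreg.REG_DWORD else None
        except OSError:
            out[(c.hive, c.key, c.name)] = None
    return out


def render_reg(results: list[Result]) -> str:
    """REGEDIT4 text (the format ComboFix itself prints) setting only the failing values."""
    lines = ["REGEDIT4", ""]
    for r in results:
        if r.passed:
            continue
        lines += [f"[{r.check.hive}\\{r.check.key}]",
                  f'"{r.check.name}"=dword:{r.check.fix:08x}', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    try:
        current = read_live()
    except RuntimeError:
        current = SAMPLE_CURRENT
    results = audit(current)
    for r in results:
        print("OK  " if r.passed else "FAIL", r.check.name, "=", r.current, "-", r.check.label)
    print(render_reg(results))
```

Import the generated file with regedit from an administrator account (the HKLM values need it) and re-run the audit to confirm. The post's "set the day and time" step corresponds to ScheduledInstallDay and ScheduledInstallTime under the same Auto Update key; they are left out of CHECKS because any on-hours value is acceptable.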

#30
10Kay
Member
  • Topic Starter
  • 19 posts
Hello emeraldnzl,
Thanks so much for your help. I really appreciate it.

I just have some questions about removal of some of the applications I installed during the malware search on my computer.

Applications: ComboFix, ERUNT, ATF, SUPERAntiSpyware


ComboFix Uninstall Instruction Question: What does "...clean out and reset your Restore Points." mean? Does "reset your Restore Points" follow the same step Disk Cleanup>More Options tab>System Restore>Clean Up?
ERUNT: Can I just leave these programs on my computer? Or are they just taking up space? I don't think XP Home Edition SP3 has a registry backup application.
Temporary File Cleaner: What is the difference between ATF.exe and TFC.exe?
AntiSpyware: I already have Malwarebytes installed on my computer. Would having SUPERAntiSpyware installed duplicate Malwarebytes program as well as NIS 2010 antispyware?


Thanks so much.