
Thread: Laptop infected with Virus

  1. #21
    Member (Join Date: May 2010, Posts: 66)

    ComboFix 10-05-22.03 - LT 05/24/2010 2:23.3.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.715 [GMT -4:00]
    Running from: c:\documents and settings\LT\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\LT\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: AVG Anti-Virus *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .

    ((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
    .

    2010-05-05 02:11 . 2009-12-30 18:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-05 02:11 . 2009-12-30 18:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-05 02:11 . 2010-05-05 02:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-05 00:31 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-05-05 00:31 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-05-05 00:31 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-05-05 00:31 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-05-05 00:31 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-05-05 00:31 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-05-05 00:31 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-05-05 00:30 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-05-05 00:30 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-05-05 00:30 . 2010-05-05 00:30 -------- d-----w- c:\program files\Alwil Software
    2010-05-05 00:30 . 2010-05-05 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-05-05 00:29 . 2010-05-05 00:29 -------- d-----w- C:\Anti_Virus_SW
    2010-05-04 23:16 . 2010-02-27 02:23 43696 ----a-r- c:\windows\system32\drivers\srtspx.sys
    2010-05-04 23:16 . 2010-02-04 01:40 362032 ----a-r- c:\windows\system32\drivers\symtdi.sys
    2010-05-04 23:16 . 2010-02-04 01:40 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys
    2010-05-04 23:16 . 2010-02-04 01:40 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys
    2010-05-04 23:15 . 2010-05-04 23:15 -------- d-----w- c:\windows\system32\drivers\N360
    2010-05-04 23:15 . 2010-05-04 23:15 -------- d-----w- c:\program files\Norton 360
    2010-05-04 23:15 . 2010-05-04 23:15 -------- d-----w- c:\program files\NortonInstaller
    2010-05-02 01:12 . 2010-05-04 23:18 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-05-02 01:12 . 2010-05-04 23:16 -------- d-----w- c:\program files\Symantec
    2010-05-02 01:12 . 2010-05-04 23:16 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-05-02 01:12 . 2010-05-04 23:16 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-05-02 01:12 . 2010-05-02 01:12 -------- d-----w- c:\program files\Windows Sidebar
    2010-05-02 01:11 . 2010-05-02 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2010-05-02 01:07 . 2010-05-04 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-05-02 00:13 . 2010-05-02 00:13 503808 ----a-w- c:\documents and settings\LT\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e30d559-n\msvcp71.dll
    2010-05-02 00:13 . 2010-05-02 00:13 499712 ----a-w- c:\documents and settings\LT\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e30d559-n\jmc.dll
    2010-05-02 00:13 . 2010-05-02 00:13 348160 ----a-w- c:\documents and settings\LT\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e30d559-n\msvcr71.dll
    2010-05-02 00:13 . 2010-05-02 00:13 61440 ----a-w- c:\documents and settings\LT\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76719865-n\decora-sse.dll
    2010-05-02 00:13 . 2010-05-02 00:13 12800 ----a-w- c:\documents and settings\LT\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76719865-n\decora-d3d.dll
    2010-05-02 00:13 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-01 23:39 . 2010-05-02 00:50 54 ----a-w- c:\windows\system32\rp_stats.dat
    2010-05-01 23:39 . 2010-05-02 00:50 39 ----a-w- c:\windows\system32\rp_rules.dat
    2010-05-01 22:54 . 2010-05-02 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-05-01 22:54 . 2010-05-01 23:02 -------- d-----w- c:\windows\SxsCaPendDel
    2010-05-01 15:35 . 2010-05-01 15:35 10520 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-05-01 15:35 . 2010-05-01 15:35 97928 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-05-01 15:35 . 2010-05-01 15:35 26824 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-05-01 15:34 . 2010-05-02 00:18 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-05-01 15:33 . 2010-05-03 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-05-01 14:57 . 2010-05-01 14:57 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-23 22:10 . 2008-02-14 04:51 0 ----a-w- c:\documents and settings\LT\Local Settings\Application Data\WavXMapDrive.bat
    2010-05-05 00:29 . 2008-02-16 00:22 -------- d-----w- c:\documents and settings\LT\Application Data\U3
    2010-05-04 23:16 . 2010-05-02 01:12 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-05-04 23:16 . 2010-05-02 01:12 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-05-02 00:13 . 2008-02-07 13:50 -------- d-----w- c:\program files\Common Files\Java
    2010-05-02 00:13 . 2008-02-07 13:50 -------- d-----w- c:\program files\Java
    2010-05-01 22:40 . 2008-02-07 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-05-01 14:55 . 2009-02-25 05:41 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-05-01 14:14 . 2010-05-01 14:14 0 ----a-w- c:\windows\system32\drivers\SET101.tmp
    2010-04-29 14:20 . 2009-12-21 05:30 -------- d-----w- c:\documents and settings\LT\Application Data\vlc
    2010-04-21 00:56 . 2010-03-06 23:44 439816 ----a-w- c:\documents and settings\LT\Application Data\Real\Update\setup3.10\setup.exe
    2010-04-20 01:58 . 2010-02-06 20:35 50354 ----a-w- c:\documents and settings\LT\Application Data\Facebook\uninstall.exe
    2010-04-20 01:58 . 2010-02-06 20:35 -------- d-----w- c:\documents and settings\LT\Application Data\Facebook
    2010-04-19 18:59 . 2010-04-19 18:59 255472 ----a-w- c:\documents and settings\LT\Application Data\Mozilla\plugins\npgoogletalk.dll
    2010-04-17 00:34 . 2008-02-16 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-04-05 00:11 . 2009-08-18 23:18 -------- d-----w- c:\program files\Celtx
    2010-03-11 12:38 . 2004-08-11 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2009-06-26 13:25 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2009-04-01 02:13 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2009-04-01 02:13 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-07 16:00 . 2010-03-07 16:00 118784 ----a-w- c:\documents and settings\LT\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
    2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\LT\Application Data\Facebook\npfbplugin_1_0_3.dll
    2010-02-24 12:31 . 2009-04-01 02:12 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-03-06 17:06 . 2009-03-06 17:06 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2009-03-06 17:06 . 2009-03-06 17:06 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2009-03-06 17:07 . 2009-03-06 17:07 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-06-24 15:08 . 2009-06-24 15:08 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
    2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
    2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
    2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8087-36EE87E26986}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\LT\Application Data\mjusbsp\cdloader2.exe" [2009-04-10 50520]
    "Aim6"="" [BU]
    "Google Update"="c:\documents and settings\LT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [BU]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-25 185872]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-07 68856]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2006-09-25 45568]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
    2006-11-16 21:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LoadRunner Agent Process.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LoadRunner Agent Process.lnk
    backup=c:\windows\pss\LoadRunner Agent Process.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
    backup=c:\windows\pss\Service Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    backup=c:\windows\pss\VPN Client.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-10-15 02:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
    2010-03-08 15:49 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
    2007-05-24 13:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2008-09-03 04:04 133104 ----atw- c:\documents and settings\LT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-03-13 00:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
    2002-12-10 22:32 155648 ----a-w- c:\program files\Logitech\ImageStudio\ISStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
    2002-12-10 22:31 61440 ----a-w- c:\program files\Logitech\ImageStudio\LogiTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    2002-12-10 21:54 127022 ----a-w- c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2006-10-20 23:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-11-25 22:05 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mercury Interactive\\QuickTest Professional\\bin\\AQTRmtAgent.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
    "c:\\Program Files\\Mercury Interactive\\Mercury LoadRunner\\launch_service\\bin\\magentproc.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\SopCast\\SopCast.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Documents and Settings\\LT\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Documents and Settings\\LT\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\LT\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Documents and Settings\\LT\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Documents and Settings\\LT\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP"= 135:TCP:DCOM
    "443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
    "443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
    "37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
    "37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
    "37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
    "37677:TCP"= 37677:TCP:*:Disabled:ooVoo TCP port 37677
    "37677:UDP"= 37677:UDP:*:Disabled:ooVoo UDP port 37677
    "37676:UDP"= 37676:UDP:*:Disabled:ooVoo UDP port 37676
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "5030:TCP"= 5030:TCP:Services
    "3265:TCP"= 3265:TCP:Services
    "6374:TCP"= 6374:TCP:Services
    "3937:TCP"= 3937:TCP:Services
    "5089:TCP"= 5089:TCP:Services
    "8678:TCP"= 8678:TCP:Services
    "3356:TCP"= 3356:TCP:Services
    "5212:TCP"= 5212:TCP:Services
    "2398:TCP"= 2398:TCP:Services
    "3296:TCP"= 3296:TCP:Services
    "3179:TCP"= 3179:TCP:Services
    "4858:TCP"= 4858:TCP:Services

    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS --> c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [?]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS --> c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [?]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/4/2010 8:31 PM 162768]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [5/4/2010 7:16 PM 536112]
    S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\cchpx86.sys [5/4/2010 7:16 PM 501888]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.sys [5/4/2010 7:16 PM 116784]
    S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 4:21 PM 79432]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/4/2010 8:31 PM 19024]
    S2 ExpressionService;ExpressionService;c:\program files\Common Files\Mercury Interactive\TDAPIServer\ExpService.exe [4/12/2008 3:53 PM 532548]
    S2 LogonService1;LogonService1;c:\program files\Common Files\Mercury Interactive\TDAPIServer\LogonService1.exe [4/12/2008 3:56 PM 86016]
    S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [5/4/2010 7:15 PM 126392]
    S2 OtaPool;OtaPool;c:\program files\Common Files\Mercury Interactive\TDAPIServer\OTAPool.exe [4/12/2008 3:53 PM 102400]
    S2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2/23/2008 1:27 AM 10951]
    S2 SiteScope;SiteScope;c:\inetpub\TDBIN\SITESC~1\tools\SITESC~1.EXE [4/12/2008 3:55 PM 45056]
    S2 TDStartStopService;Advanced TestDirector StartStop Service;c:\program files\Common Files\Mercury Interactive\TDStartStop.exe [4/12/2008 3:56 PM 1452032]
    S2 TomcatService;TomcatService;c:\inetpub\TDBIN\MTours\jakarta-tomcat-3.3\bin\TomcatService.exe [4/12/2008 3:54 PM 61440]
    S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [3/31/2009 10:13 PM 5120]
    S3 CheckTestDirectorUserAccount;Check TestDirector User account;c:\program files\Common Files\Mercury Interactive\CheckU.exe [4/12/2008 3:43 PM 342528]
    S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 2:32 PM 97536]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20091105.001\IDSxpx86.sys [5/4/2010 7:16 PM 329592]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/4/2010 10:11 PM 38224]
    S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [8/21/2008 2:16 PM 220079]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MDMXSDK

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    vvdsvc REG_MULTI_SZ vvdsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:49]

    2010-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3727747301-3168930972-3825058957-1005Core.job
    - c:\documents and settings\LT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:04]

    2010-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3727747301-3168930972-3825058957-1005UA.job
    - c:\documents and settings\LT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080207
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: amtrak.com\vpn
    TCP: {992575CE-4F05-4343-88B1-693175150DAD} = 202.144.105.4,202.144.10.50
    DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} - hxxp://LT/TDBIN/Spider80.ocx
    DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} - hxxp://mssepmapp01/projectserver/objects/pjclient.cab
    DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://LT:8080/qcbin/Spider90.ocx
    DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} - hxxp://mssepmapp01/projectserver/objects/1033/pjcintl.cab
    DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} - hxxp://10.11.50.178/qcbin/Spider91.cab
    FF - ProfilePath - c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\
    FF - prefs.js: browser.search.selectedEngine - JobSearch - Dice.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Move Networks\plugins\npqmp071705000014.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\extensions\{3191E4CE-790E-42be-B2E0-223475263B7E}\plugins\NPuroamCleaner.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\plugins\NPuroamHost.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\LT\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\documents and settings\LT\Local Settings\Application Data\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-24 02:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(332)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\biolsp.dll

    - - - - - - - > 'explorer.exe'(1012)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2010-05-24 02:33:45
    ComboFix-quarantined-files.txt 2010-05-24 06:33
    ComboFix2.txt 2010-05-23 23:28
    ComboFix3.txt 2010-05-23 17:56

    Pre-Run: 78,766,923,776 bytes free
    Post-Run: 78,736,142,336 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 881D90B170365546FE495AA840696F46
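
The GloballyOpenPorts block in the log above is the part a responder reads first: the DCOM and ooVoo exceptions name the program that opened them, while fourteen enabled TCP exceptions on arbitrary ports carry only the label "Services". The following is an added example, not ComboFix or HelpAsst code, that parses that block from a constructed copy of the log and flags enabled exceptions with such generic labels; treating the short three-field form as Enabled is an assumption drawn from how this log prints it.

```python
"""Parse the GloballyOpenPorts block of a ComboFix log and flag exceptions
that are enabled but carry only a generic label such as "Services"."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample in the shape ComboFix prints, with values from the log
# above; the neighbouring section shows that the parser skips other keys.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5030:TCP"= 5030:TCP:Services
"3265:TCP"= 3265:TCP:Services
"6374:TCP"= 6374:TCP:Services
"3937:TCP"= 3937:TCP:Services
"5089:TCP"= 5089:TCP:Services
"8678:TCP"= 8678:TCP:Services
"3356:TCP"= 3356:TCP:Services
"5212:TCP"= 5212:TCP:Services
"2398:TCP"= 2398:TCP:Services
"3296:TCP"= 3296:TCP:Services
"3179:TCP"= 3179:TCP:Services
"4858:TCP"= 4858:TCP:Services

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [?]
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<data>.*)$')
GENERIC_NAMES = {"", "service", "services"}   # labels that name no program


@dataclass(frozen=True)
class PortException:
    port: int
    proto: str
    state: str   # "Enabled" or "Disabled"
    name: str    # free-text label stored with the exception

    @property
    def value_name(self) -> str:
        return f"{self.port}:{self.proto}"


def parse_open_ports(log_text: str) -> List[PortException]:
    """Return every exception listed under a GloballyOpenPorts\\List key."""
    entries: List[PortException] = []
    in_ports = False
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            in_ports = sec.group("key").lower().endswith(r"globallyopenports\list")
            continue
        val = VALUE_RE.match(line) if in_ports else None
        if not val:
            continue
        # Full XP value format is port:proto:scope:state:name. Assumption drawn
        # from this log: ComboFix prints enabled entries in the short form
        # port:proto:name, so a value without a state field is taken as Enabled.
        parts = val.group("data").split(":", 4)
        if len(parts) >= 4:
            state, name = parts[3], (parts[4] if len(parts) == 5 else "")
        else:
            state, name = "Enabled", (parts[2] if len(parts) == 3 else "")
        entries.append(PortException(int(val.group("port")),
                                     val.group("proto"), state, name.strip()))
    return entries


def suspicious_exceptions(entries: Iterable[PortException]) -> List[PortException]:
    """Enabled exceptions whose label does not say which program opened them.

    Products normally name themselves (ooVoo does here); an enabled inbound
    hole on an arbitrary high port labelled only "Services" needs a closer look.
    """
    return [e for e in entries
            if e.state.lower() == "enabled" and e.name.lower() in GENERIC_NAMES]


def removal_lines(entries: Iterable[PortException]) -> List[str]:
    """REGEDIT4-style deletion lines, the form HelpAsst's log records."""
    return [f'"{e.value_name}"=-' for e in entries]


if __name__ == "__main__":
    flagged = suspicious_exceptions(parse_open_ports(SAMPLE_LOG))
    print(f"{len(flagged)} generically named enabled exception(s):")
    for line in removal_lines(flagged):
        print(" ", line)
```

Run against this log the fourteen flagged values are exactly the ones the HelpAsst output later in the thread closes as rogue ports.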

  2. #22
    Security Expert: Emeritus Blade81 (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
    Close out all other open programs and windows.
    Double click the file to run it and follow any prompts.
    If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.


    *In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

    mbr -f

    Now, please do the Start>Run>mbr -f command a second time.
    Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
    Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #23
    Member
    Join Date
    May 2010
    Posts
    66

    C:\Documents and Settings\LT\Desktop\HelpAsst_mebroot_fix.exe
    Mon 05/24/2010 at 12:06:07.26

    HelpAssistant account is Active ~ attempting to de-activate

    Account active Yes
    Local Group Memberships *Administrators

    HelpAssistant successfully set Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "5030:TCP"=-
    "3265:TCP"=-
    "6374:TCP"=-
    "3937:TCP"=-
    "5089:TCP"=-
    "8678:TCP"=-
    "3356:TCP"=-
    "5212:TCP"=-
    "2398:TCP"=-
    "3296:TCP"=-
    "3179:TCP"=-
    "4858:TCP"=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "5030:TCP"=-
    "3265:TCP"=-
    "6374:TCP"=-
    "3937:TCP"=-
    "5089:TCP"=-
    "8678:TCP"=-
    "3356:TCP"=-
    "5212:TCP"=-
    "2398:TCP"=-
    "3296:TCP"=-
    "3179:TCP"=-
    "4858:TCP"=-

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Mon 05/24/2010 at 13:00:00.75

    Account active No
    Local Group Memberships *Administrators

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x0DF937C1
    malicious code @ sector 0x0DF937C4 !
    PE file found in sector at 0x0DF937DA !

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    ~~ EOF ~~
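As an added triage example, not code from this thread or from the HelpAsst_mebroot_fix.exe or mbr.exe tools, the Python below reads log lines in the shape of the HelpAsst output above and of the mbr.exe hook listing in the later ComboFix report, and turns them into findings a responder would act on. The sample log is constructed from the line formats quoted in the thread, and the severity labels and heuristics (a driver object hooked to a bare address rather than a named module; payload found at disk sectors even though the MBR itself reads back as OK) are this example's own assumptions, not a specification of either tool.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in the shape of the HelpAsst_mebroot_fix.exe and mbr.exe lines
# quoted in this thread; it is not the poster's actual log file.
SAMPLE_LOG = r"""
HelpAssistant account is Active ~ attempting to de-activate
Local Group Memberships *Administrators
~~ Checking firewall ports ~~
HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
~~ Checking mbr ~~
user & kernel MBR OK
\Driver\Disk -> CLASSPNP.SYS @ 0xf7534fc3
\Driver\atapi -> 0x869f21e0
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
"""

# Line shapes taken from the tool output quoted in the thread; anything else is ignored.
PORT_KEY_RE = re.compile(r"firewallpolicy\\(\w+profile)\\globallyopenports", re.I)
PORT_DEL_RE = re.compile(r'^"(\d+):(TCP|UDP)"=-$')           # exception the tool removed
MBR_COPY_RE = re.compile(r"copy of MBR has been found in sector (0x[0-9A-Fa-f]+)")
MAL_CODE_RE = re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+)")
PE_SECT_RE = re.compile(r"PE file found in sector at (0x[0-9A-Fa-f]+)")
BARE_HOOK_RE = re.compile(r"^(\\\S+) -> (0x[0-9A-Fa-f]+)$")  # hook target has no module name


@dataclass
class Triage:
    helpassistant_was_active: bool = False
    helpassistant_is_admin: bool = False
    removed_ports: List[Tuple[str, int, str]] = field(default_factory=list)  # (profile, port, proto)
    mbr_reported_ok: bool = False
    mbr_backup_sector: str = ""
    malicious_sectors: List[str] = field(default_factory=list)
    pe_sectors: List[str] = field(default_factory=list)
    bare_hooks: List[Tuple[str, str]] = field(default_factory=list)  # (driver object, address)


def parse_log(text: str) -> Triage:
    """Walk the log once, remembering which firewall profile key the port lines sit under."""
    t = Triage()
    profile = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HelpAssistant account is Active"):
            t.helpassistant_was_active = True
        elif line.startswith("Local Group Memberships") and "Administrators" in line:
            t.helpassistant_is_admin = True
        elif line == "user & kernel MBR OK":
            t.mbr_reported_ok = True
        elif m := PORT_KEY_RE.search(line):
            profile = m.group(1).lower()
        elif m := PORT_DEL_RE.match(line):
            t.removed_ports.append((profile, int(m.group(1)), m.group(2)))
        elif m := MBR_COPY_RE.search(line):
            t.mbr_backup_sector = m.group(1)
        elif m := MAL_CODE_RE.search(line):
            t.malicious_sectors.append(m.group(1))
        elif m := PE_SECT_RE.search(line):
            t.pe_sectors.append(m.group(1))
        elif m := BARE_HOOK_RE.match(line):
            t.bare_hooks.append((m.group(1), m.group(2)))
    return t


def indicators(t: Triage) -> List[str]:
    """Turn parsed facts into prioritised findings; the severities are this example's own."""
    out: List[str] = []
    if t.helpassistant_was_active:
        admin = " and was a member of Administrators" if t.helpassistant_is_admin else ""
        out.append(f"HIGH: built-in HelpAssistant account was enabled{admin}")
    if t.removed_ports:
        ports = sorted({p for _, p, _ in t.removed_ports})
        profiles = sorted({prof for prof, _, _ in t.removed_ports})
        out.append(f"MEDIUM: firewall exceptions removed for ports {ports} in {profiles}")
    payload = t.malicious_sectors + t.pe_sectors
    if payload:
        msg = f"HIGH: code found outside the file system at sector(s) {', '.join(payload)}"
        if t.mbr_reported_ok:
            msg += " even though sector 0 read back as OK; do not treat the disk as clean"
        out.append(msg)
    if t.mbr_backup_sector:
        out.append(f"INFO: backup of the original MBR at sector {t.mbr_backup_sector}")
    for obj, addr in t.bare_hooks:
        out.append(f"HIGH: {obj} is hooked to unnamed code at {addr}")
    return out


if __name__ == "__main__":
    for finding in indicators(parse_log(SAMPLE_LOG)):
        print(finding)
```

The point of the combined check is the one the thread itself illustrates: a run that reports "user & kernel MBR OK" while also finding a saved copy of the MBR and a PE image at later sectors is not a clean result, and the next mbr.exe run in this thread shows the hooks back in place. The firewall entries are parsed together with the profile key they belong to because the same port list was opened under both the domain and standard profiles.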

  4. #24
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Rerun ComboFix (let it update itself) and post back the report.

  5. #25
    Member
    Join Date
    May 2010
    Posts
    66

    ComboFix 10-05-22.03 - LT 05/24/2010 14:00:03.5.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.791 [GMT -4:00]
    Running from: c:\documents and settings\LT\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: AVG Anti-Virus *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\kernel32.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
    .

    2010-05-24 16:06 . 2010-05-24 16:06 -------- d-----w- C:\HelpAsst_backup
    2010-05-05 02:11 . 2009-12-30 18:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-05 02:11 . 2009-12-30 18:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-05 02:11 . 2010-05-05 02:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-05 00:31 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-05-05 00:31 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-05-05 00:31 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-05-05 00:31 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-05-05 00:31 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-05-05 00:31 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-05-05 00:31 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-05-05 00:30 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-05-05 00:30 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-05-05 00:30 . 2010-05-05 00:30 -------- d-----w- c:\program files\Alwil Software
    2010-05-05 00:30 . 2010-05-05 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-05-05 00:29 . 2010-05-05 00:29 -------- d-----w- C:\Anti_Virus_SW
    2010-05-04 23:16 . 2010-02-27 02:23 43696 ----a-r- c:\windows\system32\drivers\srtspx.sys
    2010-05-04 23:16 . 2010-02-04 01:40 362032 ----a-r- c:\windows\system32\drivers\symtdi.sys
    2010-05-04 23:16 . 2010-02-04 01:40 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys
    2010-05-04 23:16 . 2010-02-04 01:40 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys
    2010-05-04 23:15 . 2010-05-04 23:15 -------- d-----w- c:\windows\system32\drivers\N360
    2010-05-04 23:15 . 2010-05-04 23:15 -------- d-----w- c:\program files\Norton 360
    2010-05-04 23:15 . 2010-05-04 23:15 -------- d-----w- c:\program files\NortonInstaller
    2010-05-02 01:12 . 2010-05-04 23:18 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-05-02 01:12 . 2010-05-04 23:16 -------- d-----w- c:\program files\Symantec
    2010-05-02 01:12 . 2010-05-04 23:16 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-05-02 01:12 . 2010-05-04 23:16 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-05-02 01:12 . 2010-05-02 01:12 -------- d-----w- c:\program files\Windows Sidebar
    2010-05-02 01:11 . 2010-05-02 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2010-05-02 01:07 . 2010-05-04 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-05-02 00:13 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-01 23:39 . 2010-05-02 00:50 54 ----a-w- c:\windows\system32\rp_stats.dat
    2010-05-01 23:39 . 2010-05-02 00:50 39 ----a-w- c:\windows\system32\rp_rules.dat
    2010-05-01 22:54 . 2010-05-02 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-05-01 22:54 . 2010-05-01 23:02 -------- d-----w- c:\windows\SxsCaPendDel
    2010-05-01 15:35 . 2010-05-01 15:35 10520 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-05-01 15:35 . 2010-05-01 15:35 97928 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-05-01 15:35 . 2010-05-01 15:35 26824 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-05-01 15:34 . 2010-05-02 00:18 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-05-01 15:33 . 2010-05-03 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-05-01 14:57 . 2010-05-01 14:57 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-24 18:13 . 2008-02-14 04:51 0 ----a-w- c:\documents and settings\LT\Local Settings\Application Data\WavXMapDrive.bat
    2010-05-05 00:29 . 2008-02-16 00:22 -------- d-----w- c:\documents and settings\LT\Application Data\U3
    2010-05-04 23:16 . 2010-05-02 01:12 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-05-04 23:16 . 2010-05-02 01:12 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-05-02 00:13 . 2010-05-02 00:13 503808 ----a-w- c:\documents and settings\LT\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e30d559-n\msvcp71.dll
    2010-05-02 00:13 . 2010-05-02 00:13 499712 ----a-w- c:\documents and settings\LT\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e30d559-n\jmc.dll
    2010-05-02 00:13 . 2010-05-02 00:13 348160 ----a-w- c:\documents and settings\LT\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e30d559-n\msvcr71.dll
    2010-05-02 00:13 . 2010-05-02 00:13 61440 ----a-w- c:\documents and settings\LT\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76719865-n\decora-sse.dll
    2010-05-02 00:13 . 2010-05-02 00:13 12800 ----a-w- c:\documents and settings\LT\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-76719865-n\decora-d3d.dll
    2010-05-02 00:13 . 2008-02-07 13:50 -------- d-----w- c:\program files\Common Files\Java
    2010-05-02 00:13 . 2008-02-07 13:50 -------- d-----w- c:\program files\Java
    2010-05-01 22:40 . 2008-02-07 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-05-01 14:55 . 2009-02-25 05:41 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-05-01 14:14 . 2010-05-01 14:14 0 ----a-w- c:\windows\system32\drivers\SET101.tmp
    2010-04-29 14:20 . 2009-12-21 05:30 -------- d-----w- c:\documents and settings\LT\Application Data\vlc
    2010-04-21 00:56 . 2010-03-06 23:44 439816 ----a-w- c:\documents and settings\LT\Application Data\Real\Update\setup3.10\setup.exe
    2010-04-20 01:58 . 2010-02-06 20:35 50354 ----a-w- c:\documents and settings\LT\Application Data\Facebook\uninstall.exe
    2010-04-20 01:58 . 2010-02-06 20:35 -------- d-----w- c:\documents and settings\LT\Application Data\Facebook
    2010-04-19 18:59 . 2010-04-19 18:59 255472 ----a-w- c:\documents and settings\LT\Application Data\Mozilla\plugins\npgoogletalk.dll
    2010-04-17 00:34 . 2008-02-16 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-04-05 00:11 . 2009-08-18 23:18 -------- d-----w- c:\program files\Celtx
    2010-03-11 12:38 . 2004-08-11 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2009-06-26 13:25 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2009-04-01 02:13 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2009-04-01 02:13 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-07 16:00 . 2010-03-07 16:00 118784 ----a-w- c:\documents and settings\LT\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
    2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\LT\Application Data\Facebook\npfbplugin_1_0_3.dll
    2010-02-24 12:31 . 2009-04-01 02:12 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-03-06 17:06 . 2009-03-06 17:06 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2009-03-06 17:06 . 2009-03-06 17:06 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2009-03-06 17:07 . 2009-03-06 17:07 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-06-24 15:08 . 2009-06-24 15:08 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
    2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
    2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
    2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8087-36EE87E26986}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\LT\Application Data\mjusbsp\cdloader2.exe" [2009-04-10 50520]
    "Aim6"="" [BU]
    "Google Update"="c:\documents and settings\LT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [BU]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-25 185872]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-07 68856]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2006-09-25 45568]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
    2006-11-16 21:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LoadRunner Agent Process.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LoadRunner Agent Process.lnk
    backup=c:\windows\pss\LoadRunner Agent Process.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
    backup=c:\windows\pss\Service Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    backup=c:\windows\pss\VPN Client.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-10-15 02:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
    2010-03-08 15:49 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
    2007-05-24 13:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2008-09-03 04:04 133104 ----atw- c:\documents and settings\LT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-03-13 00:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
    2002-12-10 22:32 155648 ----a-w- c:\program files\Logitech\ImageStudio\ISStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
    2002-12-10 22:31 61440 ----a-w- c:\program files\Logitech\ImageStudio\LogiTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    2002-12-10 21:54 127022 ----a-w- c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2006-10-20 23:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-11-25 22:05 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mercury Interactive\\QuickTest Professional\\bin\\AQTRmtAgent.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
    "c:\\Program Files\\Mercury Interactive\\Mercury LoadRunner\\launch_service\\bin\\magentproc.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\SopCast\\SopCast.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Documents and Settings\\LT\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Documents and Settings\\LT\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\LT\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Documents and Settings\\LT\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Documents and Settings\\LT\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP"= 135:TCP:DCOM
    "443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
    "443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
    "37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
    "37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
    "37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
    "37677:TCP"= 37677:TCP:*:Disabled:ooVoo TCP port 37677
    "37677:UDP"= 37677:UDP:*:Disabled:ooVoo UDP port 37677
    "37676:UDP"= 37676:UDP:*:Disabled:ooVoo UDP port 37676
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "3992:TCP"= 3992:TCP:Services
    "6484:TCP"= 6484:TCP:Services
    "6289:TCP"= 6289:TCP:Services
    "6290:TCP"= 6290:TCP:Services

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/4/2010 8:31 PM 162768]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 4:21 PM 79432]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/4/2010 8:31 PM 19024]
    R2 ExpressionService;ExpressionService;c:\program files\Common Files\Mercury Interactive\TDAPIServer\ExpService.exe [4/12/2008 3:53 PM 532548]
    R2 LogonService1;LogonService1;c:\program files\Common Files\Mercury Interactive\TDAPIServer\LogonService1.exe [4/12/2008 3:56 PM 86016]
    R2 OtaPool;OtaPool;c:\program files\Common Files\Mercury Interactive\TDAPIServer\OTAPool.exe [4/12/2008 3:53 PM 102400]
    R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2/23/2008 1:27 AM 10951]
    R2 SiteScope;SiteScope;c:\inetpub\TDBIN\SITESC~1\tools\SITESC~1.EXE [4/12/2008 3:55 PM 45056]
    R2 TDStartStopService;Advanced TestDirector StartStop Service;c:\program files\Common Files\Mercury Interactive\TDStartStop.exe [4/12/2008 3:56 PM 1452032]
    R2 TomcatService;TomcatService;c:\inetpub\TDBIN\MTours\jakarta-tomcat-3.3\bin\TomcatService.exe [4/12/2008 3:54 PM 61440]
    R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [3/31/2009 10:13 PM 5120]
    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 2:32 PM 97536]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS --> c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [?]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS --> c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [?]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [5/4/2010 7:16 PM 536112]
    S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\cchpx86.sys [5/4/2010 7:16 PM 501888]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.sys [5/4/2010 7:16 PM 116784]
    S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [5/4/2010 7:15 PM 126392]
    S3 CheckTestDirectorUserAccount;Check TestDirector User account;c:\program files\Common Files\Mercury Interactive\CheckU.exe [4/12/2008 3:43 PM 342528]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20091105.001\IDSxpx86.sys [5/4/2010 7:16 PM 329592]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/4/2010 10:11 PM 38224]
    S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [8/21/2008 2:16 PM 220079]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    vvdsvc REG_MULTI_SZ vvdsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:49]

    2010-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3727747301-3168930972-3825058957-1005Core.job
    - c:\documents and settings\LT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:04]

    2010-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3727747301-3168930972-3825058957-1005UA.job
    - c:\documents and settings\LT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080207
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: amtrak.com\vpn
    TCP: {992575CE-4F05-4343-88B1-693175150DAD} = 202.144.105.4,202.144.10.50
    DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} - hxxp://LT/TDBIN/Spider80.ocx
    DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} - hxxp://mssepmapp01/projectserver/objects/pjclient.cab
    DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://LT:8080/qcbin/Spider90.ocx
    DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} - hxxp://mssepmapp01/projectserver/objects/1033/pjcintl.cab
    DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} - hxxp://10.11.50.178/qcbin/Spider91.cab
    FF - ProfilePath - c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\
    FF - prefs.js: browser.search.selectedEngine - JobSearch - Dice.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Move Networks\plugins\npqmp071705000014.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\extensions\{3191E4CE-790E-42be-B2E0-223475263B7E}\plugins\NPuroamCleaner.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\plugins\NPuroamHost.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Mozilla\Firefox\Profiles\krvj0fdt.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\documents and settings\LT\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\LT\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\documents and settings\LT\Local Settings\Application Data\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-24 14:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x869F21E0]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7534fc3
    \Driver\ACPI -> ACPI.sys @ 0xf73c7cb8
    \Driver\atapi -> 0x869f21e0
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
    ParseProcedure -> ntkrnlpa.exe @ 0x80581684
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
    ParseProcedure -> ntkrnlpa.exe @ 0x80581684
    NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x863735c0
    PacketIndicateHandler -> NDIS.sys @ 0xf7220a0b
    SendHandler -> NDIS.sys @ 0xf7234b31
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x0DF937C1
    malicious code @ sector 0x0DF937C4 !
    PE file found in sector at 0x0DF937DA !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1368)
    c:\windows\system32\waveGina.dll
    c:\windows\system32\AmRes_en.dll
    c:\windows\system32\OEM_Resources.dll
    c:\program files\Wave Systems Corp\Dell Preboot Manager\PrebootBiosManager.dll
    c:\program files\Wave Systems Corp\Authentication Manager\AuthControl2.dll
    c:\program files\Wave Systems Corp\Authentication Manager\AuthentecPlugin.dll
    c:\windows\system32\ATSC70.dll
    c:\program files\Wave Systems Corp\Authentication Manager\upek.dll
    c:\windows\system32\BioAPI100.dll
    c:\windows\system32\BIOAPI_MDS300.dll
    c:\windows\system\tfmessbsp.dll

    - - - - - - - > 'lsass.exe'(1424)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\biolsp.dll
    c:\program files\Wave Systems Corp\Common\CryptoManager.dll
    c:\windows\system32\tcg15.dll
    c:\windows\system32\Tsp1.dll
    c:\windows\system32\wclient14.dll
    c:\program files\Bonjour\mdnsNSP.dll
    c:\windows\system32\AmRes_en.dll
    c:\program files\Wave Systems Corp\Authentication Manager\UserCredentialStore.dll

    - - - - - - - > 'Explorer.exe'(4652)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlservr.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\program files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
    c:\progra~1\COMMON~1\MERCUR~1\TDAPIS~1\TDDomSrv.exe
    c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
    c:\inetpub\TDBIN\SiteScope\java\bin\java.exe
    c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    c:\program files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlagent.EXE
    c:\inetpub\TDBIN\MTours\JavaSoft\JRE\1.2\bin\java.exe
    c:\windows\system32\msdtc.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\stsystra.exe
    c:\program files\Apoint\ApMsgFwd.exe
    c:\program files\Apoint\HidFind.exe
    c:\program files\Apoint\Apntex.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-24 14:19:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-24 18:19
    ComboFix2.txt 2010-05-24 17:42
    ComboFix3.txt 2010-05-24 06:33
    ComboFix4.txt 2010-05-23 23:28
    ComboFix5.txt 2010-05-24 17:58

    Pre-Run: 78,735,286,272 bytes free
    Post-Run: 77,624,414,208 bytes free

    - - End Of File - - 7C0F80514545FD2E87DB73B7FAC8D446
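
The Gmer section of the ComboFix log above reports two on-disk artefacts of an MBR bootkit alongside the in-memory hook on \Driver\atapi: a copy of the original MBR stashed in a high sector (0x0DF937C1) and a raw PE image a few sectors after it (0x0DF937DA). The script below is an added example, not code from this thread or from Gmer's mbr.exe, showing how those two indicators can be found offline in a raw disk image: it looks for sectors that carry sector 0's partition table but different boot code (the moved-aside original), then for an MZ/PE header within a window after each hit. The disk image, its boot-code bytes and the sector numbers 200/203/225 are constructed inside the script; real bootkits vary the placement and may encrypt the payload, so this demonstrates the pattern rather than a signature.

```python
"""Offline triage of a raw disk image for an MBR bootkit footprint (constructed sample)."""
from __future__ import annotations

import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"


def partition_table(sector: bytes) -> list[tuple[int, int, int, int]]:
    """Return the four (status, type, lba_start, sector_count) entries of a 512-byte sector."""
    entries = []
    for off in range(446, 510, 16):
        status, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        entries.append((status, ptype, lba_start, count))
    return entries


def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility check: boot signature, legal status bytes, at least one used entry."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIG:
        return False
    table = partition_table(sector)
    return any(t for _, t, _, _ in table) and all(s in (0x00, 0x80) for s, _, _, _ in table)


def find_mbr_copies(image: bytes) -> list[tuple[int, bool]]:
    """Sectors other than 0 that carry sector 0's partition table.

    Returns (lba, boot_code_differs). A copy whose boot code differs from the live
    sector 0 is the classic bootkit layout: the original MBR was moved aside and
    sector 0 now runs the hook before chaining to it.
    """
    live_table = partition_table(image[:SECTOR])
    live_code = image[:446]
    hits = []
    for lba in range(1, len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if looks_like_mbr(s) and partition_table(s) == live_table:
            hits.append((lba, s[:446] != live_code))
    return hits


def find_pe_sectors(image: bytes, start_lba: int, span: int) -> list[int]:
    """Sectors in [start_lba, start_lba + span) that begin with a sane MZ/PE header."""
    hits = []
    for lba in range(start_lba, min(start_lba + span, len(image) // SECTOR)):
        base = lba * SECTOR
        if image[base:base + 2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", image, base + 0x3C)[0]
        if e_lfanew < 0x40 or e_lfanew > 0x400:
            continue  # implausible header offset, not a real PE
        if image[base + e_lfanew:base + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(lba)
    return hits


def build_sample_image() -> bytes:
    """Constructed 300-sector image: hooked sector 0, original MBR at LBA 200, loader stub at 203, raw PE at 225."""
    table = bytearray(64)
    # one bootable NTFS-type entry; CHS fields are placeholders
    struct.pack_into("<B3sB3sII", table, 0, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    original_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb".ljust(446, b"\x00")
    hooked_code = b"\xfa\x33\xc0\x8e\xd8\xbc\x00\x7c".ljust(446, b"\x90")
    sectors = [bytes(SECTOR)] * 300
    sectors[0] = hooked_code + bytes(table) + BOOT_SIG
    sectors[200] = original_code + bytes(table) + BOOT_SIG
    sectors[203] = b"\xe8\x00\x00\x00\x00\x58".ljust(SECTOR, b"\xcc")  # stand-in "malicious code" sector
    pe = bytearray(SECTOR)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)  # e_lfanew
    pe[0x80:0x84] = b"PE\x00\x00"
    sectors[225] = bytes(pe)
    return b"".join(sectors)


def triage(image: bytes) -> dict:
    """Combine both indicators; 'suspect' is set when a stashed MBR with foreign boot code exists."""
    copies = find_mbr_copies(image)
    pe = []
    for lba, _ in copies:
        pe += find_pe_sectors(image, lba, 64)
    return {"mbr_copies": copies, "pe_sectors": pe, "suspect": any(d for _, d in copies)}


if __name__ == "__main__":
    print(triage(build_sample_image()))
```

Run against a real image (for example one taken with dd from the affected disk) by replacing build_sample_image() with the file contents; on a clean disk find_mbr_copies returns nothing, while a Windows backup MBR written by disk tools would show up with boot_code_differs set to False, which is why the flag, not just the hit, decides the verdict.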

    #26 Blade81 (Security Expert: Emeritus)
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    Any specific reason why you ran ComboFix in safe mode? You don't have to rerun it now, I just wanted to know.


    1. Restart your computer
    2. Before Windows loads, you will be prompted to choose which Operating System to start
    3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
    4. You must enter which Windows installation to log onto. Type 1 and press enter.
    5. At the C:\Windows prompt, type the following bolded text, and press Enter (answer yes for confirmation question):

    fixmbr

    6. At the next prompt, type the following bolded text, and press Enter:

    exit

    Windows will now begin loading.

    Double-click HelpAsst_mebroot_fix.exe file and follow its prompts. Reboot when done.

    After reboot, click Start>Run and type helpasst -mbrt then hit Enter.
    Post the new log that opens when it finishes.

    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

    #27 Member
    Join Date: May 2010
    Posts: 66

    The screen froze before I could retrieve the log file, so I ran ComboFix in safe mode. Posting the log in a few minutes.

    #28 Member
    Join Date: May 2010
    Posts: 66

    C:\Documents and Settings\LT\Desktop\HelpAsst_mebroot_fix.exe
    Mon 05/24/2010 at 14:52:52.23

    HelpAssistant account Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "3992:TCP"=-
    "6484:TCP"=-
    "6289:TCP"=-
    "6290:TCP"=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "3992:TCP"=-
    "6484:TCP"=-
    "6289:TCP"=-
    "6290:TCP"=-

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Mon 05/24/2010 at 15:08:21.84

    Account active No
    Local Group Memberships *Administrators

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x0DF937C1
    malicious code @ sector 0x0DF937C4 !
    PE file found in sector at 0x0DF937DA !

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    ~~ EOF ~~
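
The HelpAsst_mebroot_fix log above did two things worth reproducing: it removed six TCP ports that had been added to the GloballyOpenPorts list of both firewall profiles, and it checked whether TermService's ServiceDll still points at the stock termsrv.dll rather than a dropped termsrv32.dll. The script below is an added example, not the tool's code, that applies the same two checks to a .reg export read offline, so the state can be reviewed before anything is changed. The export text is constructed (it includes a termsrv32.dll hijack that the real log did not find, so that branch is exercised), only quoted string values are parsed, and the KNOWN_PORTS allowlist is an assumption to tune per environment. XP SP2 stores each open-port entry as "port:protocol:scope:Enabled|Disabled:name".

```python
"""Offline triage of XP firewall open-port lists and the TermService DLL from a .reg export (constructed sample)."""
from __future__ import annotations

OPEN_PORTS_SUFFIX = "\\globallyopenports\\list"
TERMSERVICE_SUFFIX = "\\services\\termservice\\parameters"
EXPECTED_TERMSRV = "%systemroot%\\system32\\termsrv.dll"

# Ports an XP workstation legitimately exposes; assumption, tune per environment.
KNOWN_PORTS = {("139", "TCP"), ("445", "TCP"), ("137", "UDP"), ("138", "UDP"), ("3389", "TCP")}

# Constructed export; a real one would encode REG_EXPAND_SZ as hex(2), simplified here to a string.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"65533:TCP"="65533:TCP:*:Enabled:"
"52344:TCP"="52344:TCP:*:Enabled:"
"3992:TCP"="3992:TCP:*:Enabled:"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6484:TCP"="6484:TCP:*:Enabled:"
"6289:TCP"="6289:TCP:*:Disabled:"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\termsrv32.dll"
'''


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {lowercased key path: {value name: string data}}.

    Only quoted string values are handled; backslashes in .reg string data are
    written escaped (two backslashes) and are unescaped here.
    """
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def firewall_findings(keys: dict[str, dict[str, str]]) -> list[tuple[str, str, str]]:
    """Flag Enabled entries whose (port, protocol) is not allowlisted. Returns (profile, value name, reason)."""
    findings = []
    for key, values in keys.items():
        if not key.endswith(OPEN_PORTS_SUFFIX):
            continue
        profile = "domain" if "\\domainprofile\\" in key else "standard"
        for name, data in values.items():
            fields = data.split(":", 4)
            if len(fields) < 4:
                findings.append((profile, name, "malformed entry: " + data))
                continue
            port, proto, scope, state = fields[:4]
            if state.lower() != "enabled":
                continue  # rule present but not exposing anything
            if (port, proto.upper()) in KNOWN_PORTS:
                continue
            reason = f"unlisted port {port}/{proto} open to scope {scope}"
            if port.isdigit() and int(port) >= 1024:
                reason += " (high port, not a standard service)"
            findings.append((profile, name, reason))
    return findings


def termservice_findings(keys: dict[str, dict[str, str]]) -> list[tuple[str, str, str]]:
    """Flag a TermService ServiceDll that is not the stock termsrv.dll."""
    for key, values in keys.items():
        if key.endswith(TERMSERVICE_SUFFIX):
            dll = values.get("ServiceDll", "")
            if dll.lower() != EXPECTED_TERMSRV:
                return [("termservice", "ServiceDll", "points at " + dll)]
    return []


def triage(reg_text: str) -> list[tuple[str, str, str]]:
    """All findings from one export, firewall first, then TermService."""
    keys = parse_reg(reg_text)
    return firewall_findings(keys) + termservice_findings(keys)


if __name__ == "__main__":
    for profile, name, reason in triage(SAMPLE_REG):
        print(f"[{profile}] {name}: {reason}")
```

On a live XP box the input comes from reg export of the SharedAccess\Parameters\FirewallPolicy and TermService\Parameters keys; the script only reports, and removal stays a deliberate step, which matches the order the tool itself followed (back up the key, then close the ports).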

    #29 Blade81 (Security Expert: Emeritus)
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Did you run fixmbr command in recovery console as instructed?

    Click Start>Run and type helpasst -folder then hit Enter.
    The tool will run and prompt for confirmation to remove any HelpAssistant folders found.
    If prompted, restart your computer.
    When complete, click Start>Run and type helpasst -mbrt then hit Enter.
    Post the new log that opens when it finishes.

    #30 Member
    Join Date: May 2010
    Posts: 66

    Yes I did run fixmbr as instructed.
