Rootkit.TDSS Broken.OpenCommand Trojan.Hiloti and Master boot record issue?



sartresrook
2011-03-30, 13:59
I hope I'm not sounding too flattering but I have to say you guys are absolutely amazing, I have read your help of others and it is truly omniscient and I wish everyone in software had your mastery.

Naturally, I myself have a problem so let me get straight to bothering you with it.

I run Windows XP (dual boot with Ubuntu).
On Mar 27 Norton reported Trojan.FakeAV!gen42 and quarantined "C:\Documents and Settings\Tony\Local Settings\Temp\wsmaxencro.tmp".
After this there were a few dialogs from Windows saying it could not find the removed file, and several beeps as if the dialog were appearing but invisible, so I shut down the computer.
But when I started it up, it told me there was an invalid partition and I was forced to fixmbr. This made me think there was quite a serious infection that Norton did not detect. I did a backup to a USB drive (presumably of infected files as well, alas).
I ran Spybot - Search & Destroy which did:
Click.GiftLoad
HijackersC
HKEY_USERS\DEFUALT\Software\Microsoft\Internet Explorer\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

A second scan with Spybot revealed nothing
I restarted the computer without incident.

I then did a full scan with Malwarebytes' Anti-Malware which resulted in:
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Tony\local settings\Temp\ownxcmesra.tmp (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Tony\local settings\Temp\msoxcrenaw.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\projects\art\abstractimagemaker.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\5D.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

But just as Malwarebytes finished, Norton reported and Quarantined two Bloodhound.MalPE from "c:\system volume information\_restore"
After that I shut down, then started in safe mode and ran another scan with Malwarebytes which revealed nothing. Then I deleted everything in C:\Documents and Settings\Tony\Local Settings\Temp, used Windows "Disk Cleanup" to remove all but my last restore point, then shut down and did another fixmbr.

But since all my own flailing around has taken me two full days, I don't remotely believe I have found the whole problem.

Could you tell me how bad the situation is?

-------------


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tony at 12:50:33.75 on Wed 03/30/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3067.2208 [GMT 2:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\WTouch\WTouchService.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r211990\stacsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6w.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\notepad2\Notepad2.exe
C:\Documents and Settings\Tony\Desktop\virus help\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Google Update] "c:\documents and settings\tony\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] "c:\windows\system32\AESTFltr.exe" /NoDlg
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ApacheTomcatMonitor] "c:\program files\apache software foundation\tomcat 6.0\bin\tomcat6w.exe" //MS//Tomcat6
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\tony\applic~1\mozilla\firefox\profiles\34w8kpzw.default\
FF - prefs.js: browser.startup.homepage - file:///C:/documents/startpage.html
FF - plugin: c:\documents and settings\tony\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-2-17 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-2-17 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-2-17 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20110325.001\IDSXpx86.sys [2011-3-27 341944]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-2-17 117640]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-10-9 4408616]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-10-9 112936]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-5-10 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-20 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110327.001\NAVENG.SYS [2011-3-27 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110327.001\NAVEX15.SYS [2011-3-27 1360760]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-5-10 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-5-10 41760]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2009-5-10 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-5-10 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-5-10 235840]
S0 ismmp;ismmp;c:\windows\system32\drivers\swwk.sys --> c:\windows\system32\drivers\swwk.sys [?]
S3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-12-10 24636]
S3 Tomcat6;Apache Tomcat 6;c:\program files\apache software foundation\tomcat 6.0\bin\tomcat6.exe [2009-5-14 57344]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-10-9 15656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe --> c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [?]
.
=============== Created Last 30 ================
.
2011-03-29 19:57:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-29 19:57:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-29 13:16:59 -------- d-----w- c:\docume~1\tony\applic~1\Malwarebytes
2011-03-29 13:16:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-29 13:16:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-29 13:16:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-29 13:16:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-29 13:07:58 -------- d-----w- C:\New Folder
2011-03-28 15:47:12 -------- d-----w- c:\program files\eclipse
2011-03-12 10:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-12 10:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-03-10 13:41:57 -------- d-----w- c:\program files\iPod
2011-03-10 13:41:52 -------- d-----w- c:\program files\iTunes
2011-03-10 13:37:52 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-03-30 08:53:57 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-03-30 08:53:55 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-03-30 08:52:41 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-03-08 08:07:40 58288 ------w- c:\windows\system32\rpcnet.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:14:45 1864064 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 12:51:06.26 ===============
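An added example, not part of the original thread and not code from DDS or its author: a small Python parser for the "SERVICES / DRIVERS" section of a DDS log like the one above. DDS prints `<path> --> <path> [?]` when it resolves a service's image path but finds no file there, and the parser pulls those entries out and lists boot-start ones first. The sample text is copied from the log above; the two entries it flags, `ismmp` and `WPFFontCache_v0400`, are simply the two `[?]` lines in that log, and the code reports the shape of the entry without deciding which one is malicious.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the "SERVICES / DRIVERS" section of the DDS log above.
SAMPLE_DDS_SERVICES = r"""
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-2-17 310320]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2009-5-10 141376]
S0 ismmp;ismmp;c:\windows\system32\drivers\swwk.sys --> c:\windows\system32\drivers\swwk.sys [?]
S3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-12-10 24636]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe --> c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [?]
"""

# DDS prefixes each entry with R (running) or S (stopped) plus the start-type digit:
# 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled.
ENTRY_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<fields>.+)$")
# "<path> [<yyyy-m-d> <size>]" is the form DDS uses when it found the file.
FOUND_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
MISSING_MARK = "[?]"


@dataclass
class ServiceEntry:
    state: str            # e.g. "S0"
    name: str
    display: str
    path: str
    file_found: bool
    size: Optional[int]   # None when DDS could not stat the file

    @property
    def boot_start(self) -> bool:
        return self.state.endswith("0")


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse "Rx/Sx name;display;path [...]" lines; lines of any other shape are skipped."""
    entries: List[ServiceEntry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m is None:
            continue
        parts = m.group("fields").split(";", 2)   # display names may contain spaces and dots
        if len(parts) != 3:
            continue
        name, display, rest = parts
        if rest.endswith(MISSING_MARK):
            # "<path> --> <path> [?]": image path resolved, but no file on disk at that path.
            path = rest[: -len(MISSING_MARK)].strip().split(" --> ")[-1]
            entries.append(ServiceEntry(m.group("state"), name, display, path, False, None))
            continue
        fm = FOUND_RE.match(rest)
        if fm is None:
            continue
        entries.append(ServiceEntry(m.group("state"), name, display,
                                    fm.group("path"), True, int(fm.group("size"))))
    return entries


def missing_binaries(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries whose binary DDS could not find, boot-start ones first: a boot-start
    driver registration pointing at a file that is not there is the case worth a
    second look, whether the file was removed by a cleaner or never existed."""
    flagged = [e for e in entries if not e.file_found]
    return sorted(flagged, key=lambda e: (not e.boot_start, e.name.lower()))


if __name__ == "__main__":
    for e in missing_binaries(parse_dds_services(SAMPLE_DDS_SERVICES)):
        kind = "boot-start driver" if e.boot_start else "service"
        print(f"{e.state} {e.name}: {kind}, binary not found: {e.path}")
```

Run against the whole "SERVICES / DRIVERS" block rather than the sample and the output is the list of registrations to reconcile against what the cleaners already quarantined.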

shelf life
2011-04-01, 00:01
Nothing shows in the DDS log about the MBR being infected. Maybe your fixMBR took care of it. Are you still able to boot into your Linux partition OK?
One hallmark of the TDSS family is browser redirection, any of that going on?

sartresrook
2011-04-01, 00:27
Yeah, I can boot to Linux no problem. Have been using the Linux side all day in fact, as I'm a little frightened of my Windows install until there's some confidence it's safe.

There used to be a few oddities browsing with Firefox (I don't much use IE or Chrome), most particularly there was a bizarre announcement that "an add-on had encountered unexpected errors" or words to that effect.

In addition, Norton was complaining a lot about Google Update but is not any more.

The Windows side seems quite normal now. But it was really perfectly normal when it had all these infections. Which, I must say, makes a person a bit paranoid.

I know that a young relative of mine (who shall remain nameless) had installed uTorrent on it at one point and I can't imagine what was downloaded and run.

shelf life
2011-04-01, 04:27
I thought maybe Norton was having an issue with your grub bootloader, given the fixmbr message; must be OK if you can boot into Linux. If you want you can run ComboFix to see if it can dig up anything. There's a guide to read first before using it:

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

sartresrook
2011-04-01, 14:26
Just as you suggested, ComboFix found a problem.

What may be helpful info concerning the autochk.exe infection: There has long been a huge delay between choosing Start->"Turn Off Computer..." and the little dialog that comes up with the choices "Restart", "Shutdown" and "Stand By"

Also, of the files created from 2011-03-01 to 2011-04-01
I did install ERUNT, Malwarebytes and of course Spybot
And I did reinstall Eclipse and Firefox
_But_ the other items are unknown to me; dlls and sys files are way beyond my understanding.



Here's the ComboFix log
-----------------------

ComboFix 11-03-31.02 - Tony 04/01/2011 11:51:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3067.2424 [GMT 2:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\AutoRun.inf
c:\windows\system32\Cache
.
Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\i386\AUTOCHK.EXE
.
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-03-31 11:08 . 2011-03-31 11:09 -------- d---a-w- C:\firefox profile backup
2011-03-30 10:18 . 2011-03-30 10:18 -------- d-----w- c:\program files\ERUNT
2011-03-29 19:57 . 2011-03-29 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-29 19:57 . 2011-03-29 20:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-29 13:16 . 2011-03-29 13:16 -------- d-----w- c:\documents and settings\Tony\Application Data\Malwarebytes
2011-03-29 13:16 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-29 13:16 . 2011-03-29 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-29 13:16 . 2011-03-29 13:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-29 13:16 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-29 13:07 . 2011-03-29 13:07 -------- d-----w- C:\New Folder
2011-03-28 15:47 . 2011-03-30 19:16 -------- d-----w- c:\program files\eclipse
2011-03-12 10:28 . 2011-03-12 10:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-12 10:28 . 2011-03-12 10:28 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-03-10 13:41 . 2011-03-10 13:41 -------- d-----w- c:\program files\iPod
2011-03-10 13:41 . 2011-03-10 13:42 -------- d-----w- c:\program files\iTunes
2011-03-10 13:37 . 2011-03-10 13:37 -------- d-----w- c:\program files\Bonjour
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-01 10:08 . 2010-03-18 21:21 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-04-01 10:08 . 2010-03-19 00:54 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-04-01 08:49 . 2010-03-18 21:22 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-03-22 10:19 . 2011-03-22 10:23 7673880 ----a-w- C:\google-appengine-docs-20110211.zip
2011-03-08 08:07 . 2010-11-13 13:06 58288 ------w- c:\windows\system32\rpcnet.exe
2011-02-09 13:53 . 2008-04-25 16:16 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-25 16:16 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2008-04-25 21:26 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-04-25 21:26 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-25 16:16 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-25 16:16 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-03-18 17:53 . 2011-03-28 15:23 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Tony\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-03-28 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-03 208896]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-22 729088]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-07-11 1351680]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-11 1191936]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"ApacheTomcatMonitor"="c:\program files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6w.exe" [2009-05-13 98304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"NVHotkey"="nvHotkey.dll" [2010-10-16 178792]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-25 1753192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-12-10 41042]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 05:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM13Mon.exe]
2009-01-19 01:27 36864 ----a-w- c:\windows\OEM13Mon.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
"1033:TCP"= 1033:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [2/17/2010 12:14 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [2/17/2010 12:14 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [2/17/2010 12:13 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20110325.001\IDSXpx86.sys [3/27/2011 7:47 PM 341944]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/17/2010 12:13 AM 117640]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 7:07 PM 35088]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [10/9/2009 8:14 PM 4408616]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [10/9/2009 8:16 PM 112936]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/10/2009 6:52 PM 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/20/2010 8:07 PM 102448]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [5/10/2009 6:52 PM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [5/10/2009 6:52 PM 41760]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [5/10/2009 6:52 PM 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [5/10/2009 6:52 PM 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [5/10/2009 6:52 PM 235840]
S0 ismmp;ismmp;c:\windows\system32\drivers\swwk.sys --> c:\windows\system32\drivers\swwk.sys [?]
S3 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [12/10/2008 9:10 AM 24636]
S3 Tomcat6;Apache Tomcat 6;c:\program files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [5/14/2009 1:15 AM 57344]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [10/9/2009 8:15 PM 15656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3479716499-808950968-4228607331-1005Core.job
- c:\documents and settings\Tony\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-28 16:45]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3479716499-808950968-4228607331-1005UA.job
- c:\documents and settings\Tony\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-28 16:45]
.
2009-09-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-06-01 11:51]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\linux and windows\
FF - prefs.js: browser.startup.homepage - file:///media/OS/documents/startpage.html
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-01 12:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1348)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(864)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\drivers\audio\r211990\stacsv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\WTouch\WTouchUser.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\program files\IDT\WDM\sttray.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-04-01 12:15:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-01 10:15
.
Pre-Run: 99,736,678,400 bytes free
Post-Run: 101,040,967,680 bytes free
.
- - End Of File - - B26FCA155E1645D7CDACA0949C7E4052

shelf life
2011-04-02, 01:12
That all looks ok. Check malwarebytes for updates and run it once more then we can call it quits.

sartresrook
2011-04-03, 10:46
Great news!

And Malwarebytes found no more infections. So, as you say, we must be done. Thanks enormously again for helping.

Also, I must say Norton is a little disappointing. Is there a replacement you would recommend?

sartresrook
2011-04-03, 23:20
But something else has cropped up:

I have just downloaded and run Avast! for the first time.
It has found about a dozen Other:Malware-gen detections in Java class files.

The scan is still running but I'm posting this in case you want to keep this thread open and in case you think I should do something further.

shelf life
2011-04-04, 03:10
malware-gen in java class files.
I am guessing your Java needs to be updated, to patch possible exploits. Let it finish the scan and see what it comes up with.

sartresrook
2011-04-04, 11:07
It showed Win32:Hupigon-ONX in pagefile.sys (and some others).

In the log, /media/OS/ is my Windows C: drive.

I did the scan by booting to Linux, mounting my Windows partition and scanning it while running Linux.

It turns out the "Other:Malware-gen" and "Java:Jade-B" were on Linux, but all the rest are on the Windows partition.

The Windows partition, especially Win32:Hupigon-ONX, shakes me up.

-----------------the log---------------

2011-04-03 21:34:03 Found virus 'Other:Malware-gen' in file '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/g6k1.class'.
2011-04-03 22:02:09 Found virus 'Other:Malware-gen' in file '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/y6u7.class'.
2011-04-03 22:11:04 Found virus 'Other:Malware-gen' in file '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/g5z6.class'.
2011-04-03 22:11:07 Found virus 'Other:Malware-gen' in file '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/main.class'.
2011-04-03 22:11:10 Found virus 'Other:Malware-gen' in file '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/q3p0.class'.
2011-04-03 22:13:41 Found virus 'Other:Malware-gen' in file '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/h6l4.class'.
2011-04-03 22:13:43 Found virus 'Other:Malware-gen' in file '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/b5n3.class'.
2011-04-03 22:13:45 Found virus 'Java:Jade-B [Heur]' in file '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/Tuggoaerffb.class'.
2011-04-04 00:35:55 Found virus 'Win32:Hupigon-ONX [Trj]' in file '/media/OS/pagefile.sys'.
2011-04-04 01:57:09 Found virus 'Win32:FakeAlert-AAB [Trj]' in file '/media/OS/Program Files/Steam/Steam.exe'.
2011-04-04 02:14:33 Found virus 'HTML:Iframe-inf' in file '/media/OS/projects/brainite/site/index.htm'.
2011-04-04 02:58:51 Found virus 'VBS:Malware-gen' in file '/media/OS/projects/dove/site/htdocs/htmlcache/67DA6C155CF1AE57BF17A53EF3022BBF.html'.
2011-04-04 03:00:01 Found virus 'JS:Agent-IO [Trj]' in file '/media/OS/projects/dove/site/htdocs/htmlcache/B0639D7D785EEC514CF90A0637D60498.html'.

---------------action taken-------------

2011-04-02 18:37:49 Updated virus database to version 110402-1, 04/02/2011.
2011-04-03 22:02:09 File '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/g6k1.class' infected by 'Other:Malware-gen' added to chest.
2011-04-03 22:11:04 File '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/y6u7.class' infected by 'Other:Malware-gen' added to chest.
2011-04-03 22:11:07 File '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/g5z6.class' infected by 'Other:Malware-gen' added to chest.
2011-04-03 22:11:10 File '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/main.class' infected by 'Other:Malware-gen' added to chest.
2011-04-03 22:13:41 File '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/q3p0.class' infected by 'Other:Malware-gen' added to chest.
2011-04-03 22:13:43 File '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/h6l4.class' infected by 'Other:Malware-gen' added to chest.
2011-04-03 22:13:45 File '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/b5n3.class' infected by 'Other:Malware-gen' added to chest.
2011-04-03 22:13:46 File '/home/tony/.java/deployment/cache/6.0/27/212ee35b-66b472f7/Tuggoaerffb.class' infected by 'Java:Jade-B [Heur]' added to chest.
2011-04-03 22:48:24 Updated virus database to version 110403-1, 04/03/2011.
2011-04-04 02:59:57 File '/media/OS/projects/dove/site/htdocs/htmlcache/67DA6C155CF1AE57BF17A53EF3022BBF.html' infected by 'VBS:Malware-gen' added to chest.
2011-04-04 03:00:19 File '/media/OS/projects/dove/site/htdocs/htmlcache/B0639D7D785EEC514CF90A0637D60498.html' infected by 'JS:Agent-IO [Trj]' added to chest.


As you can see, I did not quarantine my pagefile.sys, so I'm reluctant to boot to Windows till you give me the go-ahead.


Perhaps the "Other:Malware-gen" appeared when I had an earlier version of Java. I dunno. I thought the repositories would keep it up to date. Currently "java -version" shows "1.6.0_24", which I think is the latest.

shelf life
2011-04-04, 23:59
I wouldn't worry about anything Avast finds on your Linux partition. I don't see how it could even scan that partition, being that it's Avast for Windows.

For Win32:Hupigon-ONX, maybe a false positive.

See this, and it's a very recent link (http://forum.avast.com/index.php?PHPSESSID=15rme0qm7cibavf0flvkerd8j3&topic=57768.0)

sartresrook
2011-04-05, 12:23
Well, I was actually running Linux Avast to scan the Windows partition. But no matter.

Thanks again!

shelf life
2011-04-06, 00:58
I wouldn't be too confident in results using a Linux app on a Windows install, or the other way around. Did that thread in the Avast forum make any sense?

sartresrook
2011-04-06, 21:38
Yes, it makes good sense. Even though it is an uncomfortable coincidence that it seems to have occurred at the same time as the infection, I also note that pagefile.sys is normally excluded from this scan because of false positives. (It is not excluded from a Linux scan because there is no such file on Linux, of course.)

So let's call it a false positive and a coincidence. I believe that means I'm clean now, yes?

shelf life
2011-04-07, 00:10
Why don't you post one more DDS log, just for comparison, then we will call it quits.

sartresrook
2011-04-07, 17:57
Certainly! Thanks for looking again.


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tony at 16:47:03.92 on Thu 04/07/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3067.2409 [GMT 2:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\WTouch\WTouchService.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r211990\stacsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6w.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Tony\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Google Update] "c:\documents and settings\tony\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AESTFltr] "c:\windows\system32\AESTFltr.exe" /NoDlg
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ApacheTomcatMonitor] "c:\program files\apache software foundation\tomcat 6.0\bin\tomcat6w.exe" //MS//Tomcat6
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\tony\applic~1\mozilla\firefox\profiles\linux and windows\
FF - prefs.js: browser.startup.homepage - file:///media/OS/documents/startpage.html
FF - plugin: c:\documents and settings\tony\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-2-17 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-2-17 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-2-17 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20110401.001\IDSXpx86.sys [2011-4-5 341944]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-2-17 117640]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-10-9 4408616]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-10-9 112936]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-5-10 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-20 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110404.033\NAVENG.SYS [2011-4-5 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110404.033\NAVEX15.SYS [2011-4-5 1393144]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-5-10 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-5-10 41760]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2009-5-10 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-5-10 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-5-10 235840]
S0 ismmp;ismmp;c:\windows\system32\drivers\swwk.sys --> c:\windows\system32\drivers\swwk.sys [?]
S3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-12-10 24636]
S3 Tomcat6;Apache Tomcat 6;c:\program files\apache software foundation\tomcat 6.0\bin\tomcat6.exe [2009-5-14 57344]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-10-9 15656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe --> c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [?]
.
=============== Created Last 30 ================
.
2011-04-05 15:28:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\PCDr
2011-04-05 15:17:07 -------- d-----w- c:\docume~1\tony\applic~1\PCDr
2011-04-05 11:37:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-05 11:37:25 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-01 08:07:07 -------- d-sha-r- C:\cmdcons
2011-04-01 08:07:04 -------- d-----w- c:\windows\setup.pss
2011-04-01 08:06:29 -------- d-----w- c:\windows\setupupd
2011-04-01 07:38:31 98816 ----a-w- c:\windows\sed.exe
2011-04-01 07:38:31 89088 ----a-w- c:\windows\MBR.exe
2011-04-01 07:38:31 256512 ----a-w- c:\windows\PEV.exe
2011-04-01 07:38:31 161792 ----a-w- c:\windows\SWREG.exe
2011-03-31 11:08:51 -------- d---a-w- C:\firefox profile backup
2011-03-29 19:57:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-29 19:57:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-29 13:16:59 -------- d-----w- c:\docume~1\tony\applic~1\Malwarebytes
2011-03-29 13:16:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-29 13:16:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-29 13:16:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-29 13:16:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-28 15:47:12 -------- d-----w- c:\program files\eclipse
2011-03-12 10:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-12 10:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-03-10 13:41:57 -------- d-----w- c:\program files\iPod
2011-03-10 13:41:52 -------- d-----w- c:\program files\iTunes
2011-03-10 13:37:52 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-04-07 14:39:24 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-04-07 14:39:21 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-04-07 14:15:08 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-03-08 08:07:40 58288 ------w- c:\windows\system32\rpcnet.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 17:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
============= FINISH: 16:48:20.73 ===============

shelf life
2011-04-08, 00:44
OK, looks good. You can remove ComboFix like this:
Start > Run, and type in combofix /uninstall
Click OK or press Enter.
Note the space after the x and before the /.

You can make a new restore point; the how and the why:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old, possibly infected restore points)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK, then reboot



Everybody gets this:

10 Tips for Prevention and Avoidance of Malware:

There is no reason why your computer cannot stay malware-free.
No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows), browser (IE, Firefox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx) Staying updated is also essential for web-based applications, browser plugins and add-ons like Java, Adobe Flash/Reader, iTunes etc. More and more third-party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, where you are then prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If any of these frequently finds malware, then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Do you trust the source? See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop-ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A slide-show how-to for securing Internet Explorer 8.0 (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) for safer surfing. How to harden Firefox (http://threatpost.com/en_us/slideshow/How-to-configure-Mozilla-Firefox-for-secure-surfing?utm_source=Second+Sidebar&utm_medium=Featured+Slideshows&utm_campaign=Configure+Mozilla+Firefox) for safer surfing.

10) Warez, cracks etc. are very popular for carrying malware payloads. If you download/install files via p2p networks you will encounter malware. A file can be named anything and be nothing but malware, or have malware bundled in it. Can you really trust the source of the file?

More info/tips with pictures: links below.

Happy Safe Surfing.