Zephyr234

I reformatted and so far so good. Thanks, you and this forum have been a tremendous help!

Dial a Fix repeatedly stalled when it got to the "Stopping Cryptsvc" stage. I was able to run the "windows updates" and "registration center" fixes though, but it hasn't helped. Pressing the "zero" key and the start button works for reformatting, though. I get the message "loading ramdisk image," then the warning "If you are restoring from a backup, did you make sure to backup all important data and configure windows the way you want it restored?" I pressed no and the computer just shut down. I guess I will organize my data for backup before I do this, in the next day or two. I don't understand, however, exactly what was meant by "configure windows the way you want it restored." I thought I would get factory settings and then just go from there. Am I missing something? As part of my backup I downloaded installers for ZoneAlarm firewall and MBAM, so I can install them before I first plug into the web. I have a disk for NAV so I can also install that before plugging in. Is it possible/advisable to download Windows updates, so I could install them before plugging in? Any additional advice or links on reformatting will be very welcome. Thanks!

I haven't redone and reorganized my backup files yet, which will take some time. I didn't want to reformat quite yet, but instead first repair the pc to restore functionality while I prep the reformatting. I only have this one pc. I got the impression from your link that once I start that process by pressing zero and the power switch, I can't stop it (am I wrong? can i just hit escape when I get to the screen with the three reformat options, and then just restart my pc?). I agree that running lengthy tests is a waste of time if I eventually reformat. I believe you already answered my question, but I just wanted to confirm that there seems no quick and simple way to restore the functionality of just internet explorer and windows updates (perhaps by reinstalling just those programs from the Windows Recovery Console at startup?). Am I right that there is no such quick fix for IE and updates? Thanks very much!

Farbar Service Scanner Version: 12-02-2012 Ran by Billy (administrator) on 12-02-2012 at 13:06:14 Running from "C:\Documents and Settings\Billy\Desktop" Microsoft Windows XP Service Pack 3 (X86) Boot Mode: Normal **************************************************************** Internet Services: ============ Connection Status: ============== Localhost is accessible. LAN connected. Google IP is accessible. Yahoo IP is accessible. Windows Firewall: ============= sharedaccess Service is not running. Checking service configuration: The start type of sharedaccess service is OK. The ImagePath of sharedaccess service is OK. The ServiceDll of sharedaccess service is OK. winmgmt Service is not running. Checking service configuration: The start type of winmgmt service is OK. The ImagePath of winmgmt service is OK. The ServiceDll of winmgmt service is OK. Firewall Disabled Policy: ================== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall"=DWORD:0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall"=DWORD:0 System Restore: ============ Srservice Service is not running. Checking service configuration: The start type of Srservice service is OK. The ImagePath of Srservice service is OK. The ServiceDll of Srservice service is OK. sr Service is not running. Checking service configuration: The start type of sr service is set to Disabled. The default start type is Boot. The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys". System Restore Disabled Policy: ======================== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR"=DWORD:1 Security Center: ============ wscsvc Service is not running. Checking service configuration: The start type of wscsvc service is OK. The ImagePath of wscsvc service is OK. The ServiceDll of wscsvc service is OK. winmgmt Service is not running. Checking service configuration: The start type of winmgmt service is OK. The ImagePath of winmgmt service is OK. The ServiceDll of winmgmt service is OK. Windows Update: ============ wuauserv Service is not running. Checking service configuration: The start type of wuauserv service is OK. The ImagePath of wuauserv service is OK. The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll". File Check: ======== C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit C:\WINDOWS\system32\netman.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\srsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit C:\WINDOWS\system32\wscsvc.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\wuauserv.dll => MD5 is legit C:\WINDOWS\system32\qmgr.dll => MD5 is legit C:\WINDOWS\system32\es.dll => MD5 is legit C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit C:\WINDOWS\system32\svchost.exe => MD5 is legit C:\WINDOWS\system32\rpcss.dll => MD5 is legit C:\WINDOWS\system32\services.exe => MD5 is legit Extra List: ======= AegisP(9) fssfltr(10) Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(8) Tcpip(3) 0x0A0000000400000001000000020000000300000008000000050000000600000007000000090000000A000000 IpSec Tag value is correct. **** End of log **** MBRScan v1.1.1 OS : Windows XP Home Service Pack 3 (32 bit) PROCESSOR : x86 Family 6 Model 23 Stepping 6, GenuineIntel BOOT : Normal Boot DATE : 2012/02/12 (ISO 8601) at 14:06:09 ________________________________________________________________________________ DISK : Device\Harddisk0\DR0 __Hitachi HTS722016K9S (DCDO) BUS_TYPE : (0x03) P-ATA USE_PIO : YES MAX_TRANSFER : 128 Kb ALIGNMENT_MASK : word aligned ________________________________________________________________________________ Device\Harddisk0\DR0 149.1 Go [Fixed] ==> XP MBR Code MBR_MD5 : 9FCE244AD5F3D26E95AEFD5F769252CE MBR_SHA1 : 0F96913D620A0CE09BDE9FEA1EA79B53A1AEBFD0 Device\Harddisk0\Partition1 144.5 Go 0x07 NTFS / HPFS __ BOOTABLE __ Device\Harddisk0\Partition2 4.55 Go 0x1C Hidden FAT32 [LBA] ________________________________________________________________________________ ############################### Additional scan ################################ DRIVER : C:\WINDOWS\System32\Drivers\dump_iaStor.sys => Invisible on the disk ADDRESS : 0x975FF000 SIZE : 760.0 Ko SystemStartOptions : NOEXECUTE=OPTIN FASTDETECT ________________________________________________________________________________ _______MBR \Device\Harddisk0\DR0 0x00000000 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C 3À.м.|ûP.P.ü¾.| 0x00000010 BF 1B 06 50 57 B9 E5 01 F3 A4 CB BD BE 07 B1 04 ¿..PW¹å.ó¤Ë½¾.±. 0x00000020 38 6E 00 7C 09 75 13 83 C5 10 E2 F4 CD 18 8B F5 8n.|.u..å.âôÍ..õ 0x00000030 83 C6 10 49 74 19 38 2C 74 F6 A0 B5 07 B4 07 8B .Æ.It.8,tö.µ.´.. 0x00000040 F0 AC 3C 00 74 FC BB 07 00 B4 0E CD 10 EB F2 88 Ь<.tü»..´.Í.Ëò. 0x00000050 4E 10 E8 46 00 73 2A FE 46 10 80 7E 04 0B 74 0B N.èF.s*þF..~..t. 0x00000060 80 7E 04 0C 74 05 A0 B6 07 75 D2 80 46 02 06 83 .~..t..¶.uò.F... 0x00000070 46 08 06 83 56 0A 00 E8 21 00 73 05 A0 B6 07 EB F...V..è!.s..¶.Ë 0x00000080 BC 81 3E FE 7D 55 AA 74 0B 80 7E 10 00 74 C8 A0 ¼.>þ}Uªt..~..tè. 0x00000090 B7 07 EB A9 8B FC 1E 57 8B F5 CB BF 05 00 8A 56 ·.Ë©.ü.W.õË¿...V 0x000000A0 00 B4 08 CD 13 72 23 8A C1 24 3F 98 8A DE 8A FC .´.Í.r#.Á$?..þ.ü 0x000000B0 43 F7 E3 8B D1 86 D6 B1 06 D2 EE 42 F7 E2 39 56 C÷ã.Ñ.ö±.òîB÷â9V 0x000000C0 0A 77 23 72 05 39 46 08 73 1C B8 01 02 BB 00 7C .w#r.9F.s.¸..».| 0x000000D0 8B 4E 02 8B 56 00 CD 13 73 51 4F 74 4E 32 E4 8A .N..V.Í.sQOtN2ä. 0x000000E0 56 00 CD 13 EB E4 8A 56 00 60 BB AA 55 B4 41 CD V.Í.Ëä.V.`»ªU´AÍ 0x000000F0 13 72 36 81 FB 55 AA 75 30 F6 C1 01 74 2B 61 60 .r6.ûUªu0öÁ.t+a` 0x00000100 6A 00 6A 00 FF 76 0A FF 76 08 6A 00 68 00 7C 6A j.j..v..v.j.h.|j 0x00000110 01 6A 10 B4 42 8B F4 CD 13 61 61 73 0E 4F 74 0B .j.´B.ôÍ.aas.Ot. 0x00000120 32 E4 8A 56 00 CD 13 EB D6 61 F9 C3 49 6E 76 61 2ä.V.Í.ËöaùãInva 0x00000130 6C 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61 lid partition ta 0x00000140 62 6C 65 00 45 72 72 6F 72 20 6C 6F 61 64 69 6E ble.Error loadin 0x00000150 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 g operating syst 0x00000160 65 6D 00 4D 69 73 73 69 6E 67 20 6F 70 65 72 61 em.Missing opera 0x00000170 74 69 6E 67 20 73 79 73 74 65 6D 00 00 00 00 00 ting system..... 0x00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001B0 00 00 00 00 00 00 00 00 75 45 76 45 00 00 80 01 ........uEvE.... 0x000001C0 01 00 07 FE FF FF 3F 00 00 00 B0 EE 0F 12 00 00 ...þ..?...°î.... 0x000001D0 C1 FF 1C FE FF FF EF EE 0F 12 D2 9B 91 00 00 00 Á..þ..ïî..ò..... 0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª

Thank you very much Elise! I'm so relieved about that, but I still need to repair many things that appear to have been damaged during the infection. IE doesn't work in normal mode, Windows updates don't work at all (this was the first thing to go), itunes doesn't function, etc. Can I use windows installer package at C:\WINDOWS\I386\WINNT32 just to do repairs to make my laptop functional before I do any reformatting that I may choose to do? Second, do you have a link to a "how to reformat the hd"? I am using a a Toshiba Tecra A9 Series, and I don't get any option on startup to access system recovery, only a choice to to go to Windows Recovery Console.

35 items found: C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP2\A0002759.sys a variant of Win32/Rootkit.Kryptik.IQ trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP2\A0004616.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP2\A0005613.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP2\A0005668.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP2\A0007655.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP2\A0007722.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0007815.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0008813.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0009813.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0010813.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0010822.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0011822.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0012822.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0012832.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0013832.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0013935.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0014935.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0014943.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0014951.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0014962.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0015962.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0016962.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0017962.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0018083.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020313.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0021466.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0021467.DLL a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined C:\TDSSKiller_Quarantine\08.02.2012_17.14.33\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.IQ trojan cleaned by deleting - quarantined C:\TDSSKiller_Quarantine\10.02.2012_11.49.02\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined

I'm afraid after I posted I ran a full MBAM scan with a result of 21 infections, listed below. I'll try normal mode and then the ESET scan. Malwarebytes Anti-Malware 1.60.1.1000 www.malwarebytes.org Database version: v2012.02.11.05 Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking) Internet Explorer 8.0.6001.18702 Billy :: WBS [administrator] 2/11/2012 2:44:02 PM mbam-log-2012-02-11 (14-44-02).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 322790 Time elapsed: 29 minute(s), 42 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 21 C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020438.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020439.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020440.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020441.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020442.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020443.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020444.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020445.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020446.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020447.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020448.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020449.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020450.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020451.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020452.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020453.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020454.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020455.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020456.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020457.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0020458.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. (end)

Things work ok in safe mode, I didn't try to restart in normal as that never works now seems lots of things were damaged. (I always have to shut down hidden windows manually when I shut down). I think I will have to at least repair if not reformat. The MBAM quick scan is below: www.malwarebytes.org Database version: v2012.02.11.05 Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking) Internet Explorer 8.0.6001.18702 Billy :: WBS [administrator] 2/11/2012 2:13:39 PM mbam-log-2012-02-11 (14-13-39).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 197458 Time elapsed: 1 minute(s), 50 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)

ComboFix 12-02-10.01 - Billy 02/11/2012 13:56:58.11.2 - x86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1596 [GMT -5:00] Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton AntiVirus *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . . ((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 ))))))))))))))))))))))))))))))) . . 2012-02-11 16:11 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys 2012-02-11 02:23 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search 2012-02-10 21:27 . 2012-02-10 21:27 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache 2012-02-10 21:25 . 2012-02-10 21:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE 2012-02-10 15:40 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys 2012-02-10 15:40 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys 2012-02-10 04:23 . 2012-02-10 17:18 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys 2012-02-10 04:23 . 2012-02-08 22:18 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys 2012-02-09 01:31 . 2012-02-09 01:31 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2012-02-08 22:15 . 2012-02-10 16:49 -------- d-----w- C:\TDSSKiller_Quarantine 2012-02-07 22:43 . 2012-02-07 22:43 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Help 2012-02-07 04:22 . 2012-02-07 04:22 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp 2012-02-07 03:20 . 2012-02-07 03:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2012-02-06 23:39 . 2012-02-07 05:02 -------- d-----w- c:\program files\Symantec 2012-02-06 23:39 . 2012-02-07 05:02 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL 2012-02-06 23:39 . 2012-02-07 05:02 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2012-02-06 23:39 . 2012-02-07 20:31 -------- d-----w- c:\windows\system32\drivers\NAV 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Norton AntiVirus 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Windows Sidebar 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton 2012-02-06 23:38 . 2012-02-06 23:38 -------- d-----w- c:\program files\NortonInstaller 2012-02-05 19:55 . 2012-02-11 15:17 0 --sha-w- c:\windows\system32\dds_trash_log.cmd 2012-02-04 20:49 . 2012-02-04 20:49 -------- d-----w- c:\windows\system32\wbem\Repository 2012-02-03 20:59 . 2012-02-03 20:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2012-01-21 20:22 . 2012-01-21 20:22 -------- d-----w- c:\program files\iPod 2012-01-13 02:18 . 2012-01-13 02:18 29184 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA9871.exe 2012-01-13 02:18 . 2012-01-13 02:18 28160 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA987.exe 2012-01-13 02:18 . 2012-01-13 02:18 -------- d-----w- c:\documents and settings\Billy\Application Data\Across Lite 2.0 . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-10 20:24 . 2010-05-03 02:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-11-25 21:57 . 2008-01-10 17:53 293376 ----a-w- c:\windows\system32\winsrv.dll 2011-11-23 13:25 . 2008-01-10 17:53 1859584 ----a-w- c:\windows\system32\win32k.sys 2011-11-18 12:35 . 2008-01-10 17:52 60416 ----a-w- c:\windows\system32\packager.exe 2011-11-18 01:38 . 2011-06-14 06:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-11-16 14:21 . 2008-01-10 17:53 354816 ----a-w- c:\windows\system32\winhttp.dll 2011-11-16 14:21 . 2008-01-10 17:52 152064 ----a-w- c:\windows\system32\schannel.dll . . ((((((((((((((((((((((((((((( SnapShot@2012-02-09_03.24.42 ))))))))))))))))))))))))))))))))))))))))) . + 2008-01-10 17:52 . 2012-02-09 04:29 89036 c:\windows\system32\perfc009.dat - 2008-01-10 17:52 . 2012-02-09 03:28 89036 c:\windows\system32\perfc009.dat + 2008-01-10 17:52 . 2012-02-09 04:29 507450 c:\windows\system32\perfh009.dat - 2008-01-10 17:52 . 2012-02-09 03:28 507450 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536] "Akamai NetSession Interface"="c:\documents and settings\Billy\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ThpSrv"="c:\windows\system32\thpsrv" [X] "RTHDCPL"="RTHDCPL.EXE" [2007-03-13 16125440] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008] "TFNF5"="TFNF5.exe" [2006-04-11 622592] "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208] "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552] "TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608] "00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048] "000StTHK"="000StTHK.exe" [2001-06-23 24576] "NDSTray.exe"="NDSTray.exe" [bU] "TFncKy"="TFncKy.exe" [bU] "DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-10 1862144] "TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112] "TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976] "TOSDCR"="TOSDCR.EXE" [2005-12-13 57344] "TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592] "TPSMain"="TPSMain.exe" [2006-07-27 315392] "TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152] "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240] "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232] "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208] "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096] "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432] "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240] "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944] "ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "Malwarebytes Anti-Malware (cleanup)"="c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-01-13 1081416] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] 2006-05-06 01:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP] 2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli psqlpwd . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1305000.091\symds.sys [2/7/2012 12:02 AM 340088] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1305000.091\symefa.sys [2/7/2012 12:02 AM 905336] R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 1:19 PM 21120] R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/10/2008 5:11 PM 36608] S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120207.003\BHDrvx86.sys [2/8/2012 5:46 PM 820344] S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1305000.091\ccsetx86.sys [2/7/2012 12:02 AM 132744] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1305000.091\ironx86.sys [2/7/2012 12:02 AM 149624] S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/10/2008 3:16 PM 5888] S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/2008 12:53 PM 14336] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384] S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568] S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024] S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016] S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280] S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccsvchst.exe [2/7/2012 12:02 AM 138248] S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456] S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856] S2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/10/2008 3:16 PM 126976] S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/6/2012 7:00 PM 106104] S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120209.002\IDSXpx86.sys [2/9/2012 9:37 PM 356280] S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096] S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2/23/2008 3:15 AM 435072] S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1/10/2008 12:53 PM 14336] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] WINRM REG_MULTI_SZ WINRM Akamai REG_MULTI_SZ Akamai NecUsbSevice REG_MULTI_SZ NecUsb . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs MTDVC2_ENUM RVIEG01 agrsrvce TMKEmu atalk fsma pctavsvc iomegaaccess mozyFilter AEADIFilters tap0901 apache NetTcpActivator nwdls lxbt_device . Contents of the 'Scheduled Tasks' folder . 2012-02-05 c:\windows\Tasks\AdobeAAMUpdater-1.0-WBS-Billy.job - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-13 08:44] . 2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57] . . ------- Supplementary Scan ------- . uStart Page = hxxp://nytimes.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: lextranet.com\v5 TCP: DhcpNameServer = 207.69.188.185 207.69.188.186 DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Exec/CpcViewAX/CpcViewAX.cab . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-02-11 14:04 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV] "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.5.0.145\diMaster.dll\" /prefetch:1" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai] "ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(680) c:\windows\system32\psqlpwd.dll c:\program files\Protector Suite QL\infra.dll c:\program files\Protector Suite QL\homefus2.dll c:\windows\system32\biologon.dll c:\program files\Protector Suite QL\homepass.dll c:\program files\Protector Suite QL\bio.dll c:\program files\Protector Suite QL\remote.dll . - - - - - - - > 'lsass.exe'(736) c:\windows\system32\psqlpwd.dll c:\program files\Protector Suite QL\infra.dll c:\program files\Protector Suite QL\homefus2.dll . - - - - - - - > 'explorer.exe'(300) c:\windows\system32\WININET.dll . Completion time: 2012-02-11 14:05:40 ComboFix-quarantined-files.txt 2012-02-11 19:05 ComboFix2.txt 2012-02-11 16:42 ComboFix3.txt 2012-02-11 14:35 ComboFix4.txt 2012-02-11 02:56 ComboFix5.txt 2012-02-11 18:56 . Pre-Run: 91,319,844,864 bytes free Post-Run: 91,310,235,648 bytes free . - - End Of File - - 291419D7B0BC783E182123014EF6FFD5

I get nothing before the choice for recovery console. My computer is a Toshiba Tecra A9 Series. I have posted the MBAM log below, which detected 25 objects. As a point of interest, MBAM first alerted me to the nature of the problem, but during the following week since the infection it at least once said "no infections found." Malwarebytes Anti-Malware 1.60.1.1000 www.malwarebytes.org Database version: v2012.02.11.05 Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking) Internet Explorer 8.0.6001.18702 Billy :: WBS [administrator] 2/11/2012 12:40:22 PM mbam-log-2012-02-11 (12-40-22).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 322479 Time elapsed: 31 minute(s), 38 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 25 C:\WINDOWS\system32\nvmpu401.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir (Trojan.Wimpixo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\msdtc.dll.vir (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0018115.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\TDSSKiller_Quarantine\08.02.2012_17.38.06\rtkt0000\svc0000\tsk0000.dta (Rootkit.0Access) -> Quarantined and deleted successfully. C:\WINDOWS\system32\aeaudio.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\cdaudio.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\F700ius.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ghaio.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\gs30s.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\hmonitor.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\https-admserv61.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\imapiservice.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\imaservice.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\mksvirmonsvc.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ntsecure.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\OVT511Plus.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\pav_security.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\pnmsrv.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\rdpdr.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SiSRaid.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\SSFS0BB9.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\tabletservice.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\toddsrv.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\WSIMD.dll (RootKit.0Access.H) -> Quarantined and deleted successfully. (end)

I do get a choice right on startup to go to "Windows Recovery Console," I believe. I had instead intended to use the windows installer package on my hd located at C:\WINDOWS\I386\WINNT32. This may be a premature question, however, because combofix just found rootkit activity. I have pasted the log below: ComboFix 12-02-10.01 - Billy 02/11/2012 11:23:33.10.2 - x86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1733 [GMT -5:00] Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Billy\Desktop\CFScript.txt AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton AntiVirus *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\$NtUninstallKB23364$ c:\windows\$NtUninstallKB23364$\3025323343 c:\windows\$NtUninstallKB23364$\3155683155\@ c:\windows\$NtUninstallKB23364$\3155683155\cfg.ini c:\windows\$NtUninstallKB23364$\3155683155\Desktop.ini c:\windows\$NtUninstallKB23364$\3155683155\L\fmlqknoz c:\windows\$NtUninstallKB23364$\3155683155\U\00000001.@ c:\windows\$NtUninstallKB23364$\3155683155\U\00000002.@ c:\windows\$NtUninstallKB23364$\3155683155\U\00000004.@ c:\windows\$NtUninstallKB23364$\3155683155\U\80000000.@ c:\windows\$NtUninstallKB23364$\3155683155\U\80000004.@ c:\windows\$NtUninstallKB23364$\3155683155\U\80000032.@ c:\windows\$NtUninstallKB23364$\3155683155\version . Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected Restored copy from - The cat found it . ((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 ))))))))))))))))))))))))))))))) . . 2012-02-11 16:11 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys 2012-02-11 02:23 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search 2012-02-10 21:27 . 2012-02-10 21:27 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache 2012-02-10 21:25 . 2012-02-10 21:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE 2012-02-10 15:40 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys 2012-02-10 15:40 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys 2012-02-10 04:23 . 2012-02-10 17:18 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys 2012-02-10 04:23 . 2012-02-08 22:18 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys 2012-02-09 01:31 . 2012-02-09 01:31 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2012-02-08 22:15 . 2012-02-10 16:49 -------- d-----w- C:\TDSSKiller_Quarantine 2012-02-07 22:43 . 2012-02-07 22:43 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Help 2012-02-07 04:22 . 2012-02-07 04:22 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp 2012-02-07 03:20 . 2012-02-07 03:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2012-02-06 23:39 . 2012-02-07 05:02 -------- d-----w- c:\program files\Symantec 2012-02-06 23:39 . 2012-02-07 05:02 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL 2012-02-06 23:39 . 2012-02-07 05:02 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2012-02-06 23:39 . 2012-02-07 20:31 -------- d-----w- c:\windows\system32\drivers\NAV 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Norton AntiVirus 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Windows Sidebar 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton 2012-02-06 23:38 . 2012-02-06 23:38 -------- d-----w- c:\program files\NortonInstaller 2012-02-05 19:55 . 2012-02-11 15:17 0 --sha-w- c:\windows\system32\dds_trash_log.cmd 2012-02-04 20:49 . 2012-02-04 20:49 -------- d-----w- c:\windows\system32\wbem\Repository 2012-02-03 20:59 . 2012-02-03 20:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2012-01-21 20:22 . 2012-01-21 20:22 -------- d-----w- c:\program files\iPod 2012-01-13 02:18 . 2012-01-13 02:18 29184 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA9871.exe 2012-01-13 02:18 . 2012-01-13 02:18 28160 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA987.exe 2012-01-13 02:18 . 2012-01-13 02:18 -------- d-----w- c:\documents and settings\Billy\Application Data\Across Lite 2.0 . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-10 20:24 . 2010-05-03 02:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-11-25 21:57 . 2008-01-10 17:53 293376 ----a-w- c:\windows\system32\winsrv.dll 2011-11-23 13:25 . 2008-01-10 17:53 1859584 ----a-w- c:\windows\system32\win32k.sys 2011-11-18 12:35 . 2008-01-10 17:52 60416 ----a-w- c:\windows\system32\packager.exe 2011-11-18 01:38 . 2011-06-14 06:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-11-16 14:21 . 2008-01-10 17:53 354816 ----a-w- c:\windows\system32\winhttp.dll 2011-11-16 14:21 . 2008-01-10 17:52 152064 ----a-w- c:\windows\system32\schannel.dll . . ((((((((((((((((((((((((((((( SnapShot@2012-02-09_03.24.42 ))))))))))))))))))))))))))))))))))))))))) . + 2008-01-10 17:52 . 2012-02-09 04:29 89036 c:\windows\system32\perfc009.dat - 2008-01-10 17:52 . 2012-02-09 03:28 89036 c:\windows\system32\perfc009.dat + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\WSIMD.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\toddsrv.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\tabletservice.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SSFS0BB9.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SiSRaid.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\rdpdr.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pnmsrv.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pav_security.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\OVT511Plus.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\nvmpu401.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ntsecure.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\mksvirmonsvc.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imaservice.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imapiservice.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\https-admserv61.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\hmonitor.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\gs30s.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ghaio.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\F700ius.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\cdaudio.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\aeaudio.dll + 2008-01-10 17:52 . 2012-02-09 04:29 507450 c:\windows\system32\perfh009.dat - 2008-01-10 17:52 . 2012-02-09 03:28 507450 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536] "Akamai NetSession Interface"="c:\documents and settings\Billy\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ThpSrv"="c:\windows\system32\thpsrv" [X] "RTHDCPL"="RTHDCPL.EXE" [2007-03-13 16125440] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008] "TFNF5"="TFNF5.exe" [2006-04-11 622592] "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208] "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552] "TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608] "00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048] "000StTHK"="000StTHK.exe" [2001-06-23 24576] "NDSTray.exe"="NDSTray.exe" [bU] "TFncKy"="TFncKy.exe" [bU] "DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-10 1862144] "TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112] "TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976] "TOSDCR"="TOSDCR.EXE" [2005-12-13 57344] "TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592] "TPSMain"="TPSMain.exe" [2006-07-27 315392] "TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152] "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240] "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232] "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208] "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096] "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432] "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240] "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944] "ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] 2006-05-06 01:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP] 2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli psqlpwd . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1305000.091\symds.sys [2/7/2012 12:02 AM 340088] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1305000.091\symefa.sys [2/7/2012 12:02 AM 905336] R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 1:19 PM 21120] R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/10/2008 5:11 PM 36608] S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120207.003\BHDrvx86.sys [2/8/2012 5:46 PM 820344] S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1305000.091\ccsetx86.sys [2/7/2012 12:02 AM 132744] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1305000.091\ironx86.sys [2/7/2012 12:02 AM 149624] S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/10/2008 3:16 PM 5888] S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/2008 12:53 PM 14336] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384] S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568] S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024] S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016] S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280] S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccsvchst.exe [2/7/2012 12:02 AM 138248] S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456] S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856] S2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/10/2008 3:16 PM 126976] S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/6/2012 7:00 PM 106104] S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120209.002\IDSXpx86.sys [2/9/2012 9:37 PM 356280] S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096] S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2/23/2008 3:15 AM 435072] S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1/10/2008 12:53 PM 14336] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] WINRM REG_MULTI_SZ WINRM Akamai REG_MULTI_SZ Akamai NecUsbSevice REG_MULTI_SZ NecUsb . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs MTDVC2_ENUM RVIEG01 agrsrvce TMKEmu atalk fsma pctavsvc iomegaaccess mozyFilter AEADIFilters tap0901 apache NetTcpActivator nwdls lxbt_device . Contents of the 'Scheduled Tasks' folder . 2012-02-05 c:\windows\Tasks\AdobeAAMUpdater-1.0-WBS-Billy.job - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-13 08:44] . 2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57] . . ------- Supplementary Scan ------- . uStart Page = hxxp://nytimes.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: lextranet.com\v5 TCP: DhcpNameServer = 207.69.188.185 207.69.188.186 DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Exec/CpcViewAX/CpcViewAX.cab . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-02-11 11:39 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV] "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.5.0.145\diMaster.dll\" /prefetch:1" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai] "ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(680) c:\windows\system32\psqlpwd.dll c:\program files\Protector Suite QL\infra.dll c:\program files\Protector Suite QL\homefus2.dll c:\windows\system32\biologon.dll c:\program files\Protector Suite QL\homepass.dll c:\program files\Protector Suite QL\bio.dll c:\program files\Protector Suite QL\remote.dll . - - - - - - - > 'lsass.exe'(736) c:\windows\system32\psqlpwd.dll c:\program files\Protector Suite QL\infra.dll c:\program files\Protector Suite QL\homefus2.dll . - - - - - - - > 'explorer.exe'(496) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll . Completion time: 2012-02-11 11:42:24 - machine was rebooted ComboFix-quarantined-files.txt 2012-02-11 16:42 ComboFix2.txt 2012-02-11 14:35 ComboFix3.txt 2012-02-11 02:56 ComboFix4.txt 2012-02-10 16:29 ComboFix5.txt 2012-02-11 16:10 . Pre-Run: 91,307,798,528 bytes free Post-Run: 91,323,072,512 bytes free . - - End Of File - - 3A9921508CDC6B187E4898E879F7AEA3

I cannot tell if I would get warnings as NAV and many other funtions don't work in normal mode, but in safe mode, at least, I haven't gotten any website redirects this am. Thank you Elise! Are there any links for reformatting and/or repairing a hard drive aside from the one you provided in your second post above? My laptop PC came without recovery disks and the manual does not explain anything. Here is the combofix log from this morning: ComboFix 12-02-10.01 - Billy 02/11/2012 9:26.9.2 - x86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1716 [GMT -5:00] Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton AntiVirus *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . . ((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 ))))))))))))))))))))))))))))))) . . 2012-02-11 02:23 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search 2012-02-10 21:27 . 2012-02-10 21:27 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache 2012-02-10 21:25 . 2012-02-10 21:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE 2012-02-10 15:40 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys 2012-02-10 15:40 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys 2012-02-10 04:23 . 2012-02-10 17:18 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys 2012-02-10 04:23 . 2012-02-08 22:18 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys 2012-02-09 01:31 . 2012-02-09 01:31 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2012-02-08 22:15 . 2012-02-10 16:49 -------- d-----w- C:\TDSSKiller_Quarantine 2012-02-07 22:43 . 2012-02-07 22:43 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Help 2012-02-07 04:22 . 2012-02-07 04:22 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp 2012-02-07 03:20 . 2012-02-07 03:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2012-02-06 23:39 . 2012-02-07 05:02 -------- d-----w- c:\program files\Symantec 2012-02-06 23:39 . 2012-02-07 05:02 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL 2012-02-06 23:39 . 2012-02-07 05:02 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2012-02-06 23:39 . 2012-02-07 20:31 -------- d-----w- c:\windows\system32\drivers\NAV 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Norton AntiVirus 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Windows Sidebar 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton 2012-02-06 23:38 . 2012-02-06 23:38 -------- d-----w- c:\program files\NortonInstaller 2012-02-05 19:55 . 2012-02-10 23:18 0 --sha-w- c:\windows\system32\dds_trash_log.cmd 2012-02-04 20:49 . 2012-02-04 20:49 -------- d-----w- c:\windows\system32\wbem\Repository 2012-02-03 20:59 . 2012-02-03 20:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2012-01-21 20:22 . 2012-01-21 20:22 -------- d-----w- c:\program files\iPod 2012-01-13 02:18 . 2012-01-13 02:18 29184 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA9871.exe 2012-01-13 02:18 . 2012-01-13 02:18 28160 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA987.exe 2012-01-13 02:18 . 2012-01-13 02:18 -------- d-----w- c:\documents and settings\Billy\Application Data\Across Lite 2.0 . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-10 20:24 . 2010-05-03 02:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-11-25 21:57 . 2008-01-10 17:53 293376 ----a-w- c:\windows\system32\winsrv.dll 2011-11-23 13:25 . 2008-01-10 17:53 1859584 ----a-w- c:\windows\system32\win32k.sys 2011-11-18 12:35 . 2008-01-10 17:52 60416 ----a-w- c:\windows\system32\packager.exe 2011-11-18 01:38 . 2011-06-14 06:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-11-16 14:21 . 2008-01-10 17:53 354816 ----a-w- c:\windows\system32\winhttp.dll 2011-11-16 14:21 . 2008-01-10 17:52 152064 ----a-w- c:\windows\system32\schannel.dll . . ((((((((((((((((((((((((((((( SnapShot@2012-02-09_03.24.42 ))))))))))))))))))))))))))))))))))))))))) . + 2008-01-10 17:52 . 2012-02-09 04:29 89036 c:\windows\system32\perfc009.dat - 2008-01-10 17:52 . 2012-02-09 03:28 89036 c:\windows\system32\perfc009.dat + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\WSIMD.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\toddsrv.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\tabletservice.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SSFS0BB9.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SiSRaid.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\rdpdr.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pnmsrv.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pav_security.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\OVT511Plus.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\nvmpu401.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ntsecure.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\mksvirmonsvc.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imaservice.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imapiservice.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\https-admserv61.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\hmonitor.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\gs30s.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ghaio.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\F700ius.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\cdaudio.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\aeaudio.dll + 2008-01-10 17:52 . 2012-02-09 04:29 507450 c:\windows\system32\perfh009.dat - 2008-01-10 17:52 . 2012-02-09 03:28 507450 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536] "Akamai NetSession Interface"="c:\documents and settings\Billy\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ThpSrv"="c:\windows\system32\thpsrv" [X] "RTHDCPL"="RTHDCPL.EXE" [2007-03-13 16125440] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008] "TFNF5"="TFNF5.exe" [2006-04-11 622592] "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208] "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552] "TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608] "00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048] "000StTHK"="000StTHK.exe" [2001-06-23 24576] "NDSTray.exe"="NDSTray.exe" [bU] "TFncKy"="TFncKy.exe" [bU] "DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-10 1862144] "TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112] "TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976] "TOSDCR"="TOSDCR.EXE" [2005-12-13 57344] "TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592] "TPSMain"="TPSMain.exe" [2006-07-27 315392] "TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152] "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240] "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232] "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208] "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096] "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432] "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240] "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944] "ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] 2006-05-06 01:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP] 2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli psqlpwd . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1305000.091\symds.sys [2/7/2012 12:02 AM 340088] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1305000.091\symefa.sys [2/7/2012 12:02 AM 905336] R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 1:19 PM 21120] R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/10/2008 5:11 PM 36608] S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120207.003\BHDrvx86.sys [2/8/2012 5:46 PM 820344] S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1305000.091\ccsetx86.sys [2/7/2012 12:02 AM 132744] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1305000.091\ironx86.sys [2/7/2012 12:02 AM 149624] S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/10/2008 3:16 PM 5888] S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/2008 12:53 PM 14336] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384] S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568] S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024] S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016] S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280] S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccsvchst.exe [2/7/2012 12:02 AM 138248] S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456] S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856] S2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/10/2008 3:16 PM 126976] S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/6/2012 7:00 PM 106104] S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120209.002\IDSXpx86.sys [2/9/2012 9:37 PM 356280] S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096] S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2/23/2008 3:15 AM 435072] S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1/10/2008 12:53 PM 14336] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] WINRM REG_MULTI_SZ WINRM Akamai REG_MULTI_SZ Akamai NecUsbSevice REG_MULTI_SZ NecUsb . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs MTDVC2_ENUM RVIEG01 agrsrvce TMKEmu atalk fsma pctavsvc iomegaaccess mozyFilter AEADIFilters tap0901 apache NetTcpActivator nwdls lxbt_device . Contents of the 'Scheduled Tasks' folder . 2012-02-05 c:\windows\Tasks\AdobeAAMUpdater-1.0-WBS-Billy.job - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-13 08:44] . 2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57] . . ------- Supplementary Scan ------- . uStart Page = hxxp://nytimes.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: lextranet.com\v5 TCP: DhcpNameServer = 207.69.188.185 207.69.188.186 DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Exec/CpcViewAX/CpcViewAX.cab . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-02-11 09:33 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV] "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.5.0.145\diMaster.dll\" /prefetch:1" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai] "ServiceDll"="c:\program files\common files\akamai/netsession_win_e286960.dll" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(680) c:\windows\system32\psqlpwd.dll c:\program files\Protector Suite QL\infra.dll c:\program files\Protector Suite QL\homefus2.dll c:\windows\system32\biologon.dll c:\program files\Protector Suite QL\homepass.dll c:\program files\Protector Suite QL\bio.dll c:\program files\Protector Suite QL\remote.dll . - - - - - - - > 'lsass.exe'(736) c:\windows\system32\psqlpwd.dll c:\program files\Protector Suite QL\infra.dll c:\program files\Protector Suite QL\homefus2.dll . - - - - - - - > 'explorer.exe'(796) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll . Completion time: 2012-02-11 09:35:12 ComboFix-quarantined-files.txt 2012-02-11 14:35 ComboFix2.txt 2012-02-11 02:56 ComboFix3.txt 2012-02-10 16:29 ComboFix4.txt 2012-02-10 05:40 ComboFix5.txt 2012-02-11 14:26 . Pre-Run: 91,338,113,024 bytes free Post-Run: 91,348,320,256 bytes free . - - End Of File - - A981D0FC90675A9CB197F7B5AF554345

After nearly five hours of waiting, unsuccessfully, for NAV to uninstall itself, I finally gave up and just followed your instructions with NAV running. I have pasted the contents of the combofix (with your recommended CFScript dropped into it) log file below: ComboFix 12-02-10.01 - Billy 02/10/2012 21:29:08.8.2 - x86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1737 [GMT -5:00] Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Billy\Desktop\CFScript.txt AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton AntiVirus *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\$NtUninstallKB23364$ c:\windows\$NtUninstallKB23364$\3155683155\@ c:\windows\$NtUninstallKB23364$\3155683155\cfg.ini c:\windows\$NtUninstallKB23364$\3155683155\Desktop.ini c:\windows\$NtUninstallKB23364$\3155683155\L\fmlqknoz c:\windows\$NtUninstallKB23364$\3155683155\U\00000001.@ c:\windows\$NtUninstallKB23364$\3155683155\U\00000002.@ c:\windows\$NtUninstallKB23364$\3155683155\U\00000004.@ c:\windows\$NtUninstallKB23364$\3155683155\U\80000000.@ c:\windows\$NtUninstallKB23364$\3155683155\U\80000004.@ c:\windows\$NtUninstallKB23364$\3155683155\U\80000032.@ c:\windows\$NtUninstallKB23364$\3155683155\version c:\windows\$NtUninstallKB23364$\4284606208 c:\windows\system32\msdtc.dll . Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected Restored copy from - The cat found it . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_USRPDA -------\Service_USRpdA . . ((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 ))))))))))))))))))))))))))))))) . . 2012-02-11 02:23 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search 2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search 2012-02-10 21:27 . 2012-02-10 21:27 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache 2012-02-10 21:25 . 2012-02-10 21:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE 2012-02-10 15:40 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys 2012-02-10 15:40 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys 2012-02-10 04:23 . 2012-02-10 17:18 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys 2012-02-10 04:23 . 2012-02-08 22:18 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys 2012-02-09 01:31 . 2012-02-09 01:31 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2012-02-08 22:15 . 2012-02-10 16:49 -------- d-----w- C:\TDSSKiller_Quarantine 2012-02-07 22:43 . 2012-02-07 22:43 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Help 2012-02-07 04:22 . 2012-02-07 04:22 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp 2012-02-07 03:20 . 2012-02-07 03:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2012-02-06 23:39 . 2012-02-07 05:02 -------- d-----w- c:\program files\Symantec 2012-02-06 23:39 . 2012-02-07 05:02 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL 2012-02-06 23:39 . 2012-02-07 05:02 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2012-02-06 23:39 . 2012-02-07 20:31 -------- d-----w- c:\windows\system32\drivers\NAV 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Norton AntiVirus 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Windows Sidebar 2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton 2012-02-06 23:38 . 2012-02-06 23:38 -------- d-----w- c:\program files\NortonInstaller 2012-02-05 19:55 . 2012-02-10 23:18 0 --sha-w- c:\windows\system32\dds_trash_log.cmd 2012-02-04 20:49 . 2012-02-04 20:49 -------- d-----w- c:\windows\system32\wbem\Repository 2012-02-03 20:59 . 2012-02-03 20:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2012-01-21 20:22 . 2012-01-21 20:22 -------- d-----w- c:\program files\iPod 2012-01-13 02:18 . 2012-01-13 02:18 29184 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA9871.exe 2012-01-13 02:18 . 2012-01-13 02:18 28160 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA987.exe 2012-01-13 02:18 . 2012-01-13 02:18 -------- d-----w- c:\documents and settings\Billy\Application Data\Across Lite 2.0 . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-10 20:24 . 2010-05-03 02:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-11-25 21:57 . 2008-01-10 17:53 293376 ----a-w- c:\windows\system32\winsrv.dll 2011-11-23 13:25 . 2008-01-10 17:53 1859584 ----a-w- c:\windows\system32\win32k.sys 2011-11-18 12:35 . 2008-01-10 17:52 60416 ----a-w- c:\windows\system32\packager.exe 2011-11-18 01:38 . 2011-06-14 06:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-11-16 14:21 . 2008-01-10 17:53 354816 ----a-w- c:\windows\system32\winhttp.dll 2011-11-16 14:21 . 2008-01-10 17:52 152064 ----a-w- c:\windows\system32\schannel.dll . . ((((((((((((((((((((((((((((( SnapShot@2012-02-09_03.24.42 ))))))))))))))))))))))))))))))))))))))))) . + 2008-01-10 17:52 . 2012-02-09 04:29 89036 c:\windows\system32\perfc009.dat - 2008-01-10 17:52 . 2012-02-09 03:28 89036 c:\windows\system32\perfc009.dat + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\WSIMD.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\toddsrv.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\tabletservice.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SSFS0BB9.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SiSRaid.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\rdpdr.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pnmsrv.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pav_security.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\OVT511Plus.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\nvmpu401.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ntsecure.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\mksvirmonsvc.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imaservice.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imapiservice.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\https-admserv61.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\hmonitor.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\gs30s.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ghaio.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\F700ius.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\cdaudio.dll + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\aeaudio.dll + 2008-01-10 17:52 . 2012-02-09 04:29 507450 c:\windows\system32\perfh009.dat - 2008-01-10 17:52 . 2012-02-09 03:28 507450 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536] "Akamai NetSession Interface"="c:\documents and settings\Billy\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ThpSrv"="c:\windows\system32\thpsrv" [X] "RTHDCPL"="RTHDCPL.EXE" [2007-03-13 16125440] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008] "TFNF5"="TFNF5.exe" [2006-04-11 622592] "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208] "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552] "TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608] "00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048] "000StTHK"="000StTHK.exe" [2001-06-23 24576] "NDSTray.exe"="NDSTray.exe" [bU] "TFncKy"="TFncKy.exe" [bU] "DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-10 1862144] "TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112] "TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976] "TOSDCR"="TOSDCR.EXE" [2005-12-13 57344] "TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592] "TPSMain"="TPSMain.exe" [2006-07-27 315392] "TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152] "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240] "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232] "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208] "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096] "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432] "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240] "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944] "ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] 2006-05-06 01:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP] 2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli psqlpwd . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1305000.091\symds.sys [2/7/2012 12:02 AM 340088] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1305000.091\symefa.sys [2/7/2012 12:02 AM 905336] R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 1:19 PM 21120] R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/10/2008 5:11 PM 36608] S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120207.003\BHDrvx86.sys [2/8/2012 5:46 PM 820344] S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1305000.091\ccsetx86.sys [2/7/2012 12:02 AM 132744] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1305000.091\ironx86.sys [2/7/2012 12:02 AM 149624] S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/10/2008 3:16 PM 5888] S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/2008 12:53 PM 14336] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384] S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568] S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024] S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016] S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280] S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccsvchst.exe [2/7/2012 12:02 AM 138248] S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456] S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856] S2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/10/2008 3:16 PM 126976] S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/6/2012 7:00 PM 106104] S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120209.002\IDSXpx86.sys [2/9/2012 9:37 PM 356280] S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096] S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2/23/2008 3:15 AM 435072] S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1/10/2008 12:53 PM 14336] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] WINRM REG_MULTI_SZ WINRM Akamai REG_MULTI_SZ Akamai NecUsbSevice REG_MULTI_SZ NecUsb . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs MTDVC2_ENUM RVIEG01 agrsrvce TMKEmu atalk fsma pctavsvc iomegaaccess mozyFilter AEADIFilters tap0901 apache NetTcpActivator nwdls lxbt_device . Contents of the 'Scheduled Tasks' folder . 2012-02-05 c:\windows\Tasks\AdobeAAMUpdater-1.0-WBS-Billy.job - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-13 08:44] . 2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57] . . ------- Supplementary Scan ------- . uStart Page = hxxp://nytimes.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: lextranet.com\v5 TCP: DhcpNameServer = 207.69.188.185 207.69.188.186 DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Exec/CpcViewAX/CpcViewAX.cab . - - - - ORPHANS REMOVED - - - - . SafeBoot-42551739.sys . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-02-10 21:52 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV] "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.5.0.145\diMaster.dll\" /prefetch:1" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai] "ServiceDll"="c:\program files\common files\akamai/netsession_win_e286960.dll" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(688) c:\windows\system32\psqlpwd.dll c:\program files\Protector Suite QL\infra.dll c:\program files\Protector Suite QL\homefus2.dll c:\windows\system32\biologon.dll c:\program files\Protector Suite QL\homepass.dll c:\program files\Protector Suite QL\bio.dll c:\program files\Protector Suite QL\remote.dll . - - - - - - - > 'lsass.exe'(744) c:\windows\system32\psqlpwd.dll c:\program files\Protector Suite QL\infra.dll c:\program files\Protector Suite QL\homefus2.dll . - - - - - - - > 'explorer.exe'(912) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll . Completion time: 2012-02-10 21:56:49 - machine was rebooted ComboFix-quarantined-files.txt 2012-02-11 02:56 ComboFix2.txt 2012-02-10 16:29 ComboFix3.txt 2012-02-10 05:40 ComboFix4.txt 2012-02-10 00:41 ComboFix5.txt 2012-02-11 02:22 . Pre-Run: 91,131,211,776 bytes free Post-Run: 91,339,956,224 bytes free . - - End Of File - - 1834951B0919B0E500E2F225033A1A39

I apologize, but in safe mode, I can't figure out how to disable NAV. Unfortunately, my computer seems not to function when I start it in regular mode. I could just uninstall NAV, although I'd rather not if avoidable ...

That's the first thing I tried, I know it's weird, because the systemlook log said "ServiceDll"="%systemroot%\system32\asctrm.dll" I'll try running the systemlook again and immediately go for the file id'd by system look.