ChrisCool

here's the combo-fix log. It appeared to a lot, but the virus has returned. I'll also include a malware bytes log run after the combo-fix. ComboFix 10-04-21.01 - Chris and Mary 04/22/2010 18:01:09.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.291 [GMT -4:00] Running from: c:\documents and settings\Chris and Mary\Desktop\Combo-Fix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\Fonts\mlog c:\windows\Fonts\services.exe c:\windows\Install.txt c:\windows\system32\1130747.exe c:\windows\system32\1480479.exe c:\windows\system32\2699989.exe c:\windows\system32\3320276.exe c:\windows\system32\3584055.exe c:\windows\system32\3675348.exe c:\windows\system32\3914256.exe c:\windows\system32\4055582.exe c:\windows\system32\4070658.exe c:\windows\system32\4656291.exe c:\windows\system32\4659219.exe c:\windows\system32\4804804.exe c:\windows\system32\5219232.exe c:\windows\system32\5429025.exe c:\windows\system32\5651193.exe c:\windows\system32\626.exe c:\windows\system32\8116708.exe c:\windows\system32\8121896.exe c:\windows\system32\8710886.exe c:\windows\system32\9019129.exe c:\windows\system32\9426522.exe c:\windows\system32\9581857.exe c:\windows\system32\BtwSvc.dll c:\windows\system32\d.bin c:\windows\system32\FInstall.sys c:\windows\system32\Install.txt c:\windows\system32\ms.bin c:\windows\system32\msmesslb.dll c:\windows\system32\mswyrwzq.dll c:\windows\system32\opear.exe c:\windows\system32\PereSvc.exe c:\windows\system32\PowerDes.exe c:\windows\system32\pwdmon.dll c:\windows\system32\so.bin c:\windows\system32\w.exe c:\windows\TEMP\mta13187.dll Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected Restored copy from - Kitty had a snack c:\windows\system32\userinit.exe . . . is infected!! c:\windows\system32\spoolsv.exe . . . is infected!! c:\windows\explorer.exe . . . is infected!! . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_6TO4 -------\Legacy_BTWSVC -------\Service_BtwSvc -------\Legacy_peresvc -------\Service_peresvc ((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 ))))))))))))))))))))))))))))))) . 2010-04-22 22:27 . 2010-04-22 22:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp 2010-04-22 22:09 . 2010-04-22 22:09 196096 ----a-w- c:\windows\system32\4936624.exe 2010-04-22 22:09 . 2010-04-22 22:09 32256 ----a-w- c:\windows\system32\9927286.exe 2010-04-22 22:09 . 2010-04-22 22:09 168775 ----a-w- c:\windows\system32\7073023.exe 2010-04-22 12:18 . 2010-04-22 12:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google 2010-04-22 01:22 . 2010-04-22 01:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google 2010-04-22 01:16 . 2010-04-22 12:19 -------- d-----w- c:\documents and settings\Chris and Mary\Local Settings\Application Data\Google 2010-04-22 01:01 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Chris and Mary\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2010-04-22 01:01 . 2010-04-22 01:01 -------- d-----w- c:\program files\Common Files\Adobe AIR 2010-04-22 01:00 . 2010-04-22 01:22 -------- d-----w- c:\program files\Google 2010-04-22 01:00 . 2010-04-22 01:00 106496 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe 2010-04-22 01:00 . 2010-04-22 01:00 1975408 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en32_signed.exe 2010-04-22 01:00 . 2010-04-22 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2010-04-20 02:12 . 2010-04-20 02:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple 2010-04-20 00:33 . 2010-04-20 00:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2010-04-19 15:24 . 2010-04-19 15:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2010-04-17 15:24 . 2010-04-17 15:24 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\Epson 2010-04-16 03:25 . 2010-04-16 03:25 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\Leadertech 2010-04-16 03:24 . 2007-09-08 00:33 135168 ----a-w- c:\windows\system32\EEBAPI.dll 2010-04-16 03:24 . 2007-03-29 01:26 65536 ----a-w- c:\windows\system32\EEBUtil.dll 2010-04-16 03:21 . 2006-10-31 07:10 51360 ----a-w- c:\windows\system32\EpPicPrt.dll 2010-04-16 03:19 . 2010-04-16 03:20 -------- d-----w- c:\program files\Epson Software 2010-04-16 03:19 . 2009-11-04 12:07 79360 ----a-w- c:\windows\system32\E_FD4BFIA.DLL 2010-04-16 03:19 . 2009-11-04 12:07 93696 ----a-w- c:\windows\system32\E_FLBFIA.DLL 2010-04-16 03:19 . 2010-04-16 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON 2010-04-16 03:18 . 2009-05-01 07:00 15872 ----a-w- c:\windows\system32\escdev.dll 2010-04-16 03:18 . 2009-05-01 07:00 128392 ----a-w- c:\windows\system32\esdevapp.exe 2010-04-16 03:18 . 2008-11-17 07:00 342016 ----a-w- c:\windows\system32\eswiaud.dll 2010-04-16 03:18 . 2010-04-16 03:25 -------- d-----w- c:\program files\epson 2010-04-16 02:56 . 2010-04-16 02:56 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\ZoomBrowser EX 2010-04-16 02:46 . 2004-03-17 21:09 77824 ----a-w- c:\windows\system32\wd_utils.dll 2010-04-16 02:30 . 2010-04-16 02:30 -------- d---a-w- c:\program files\Polar 2010-04-15 05:51 . 2010-04-15 05:51 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\Malwarebytes 2010-04-15 05:50 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-15 05:50 . 2010-04-15 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-04-15 05:50 . 2010-04-15 05:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-15 05:50 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-15 05:33 . 2010-04-15 05:35 1956808 ----a-w- c:\documents and settings\Chris and Mary\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe 2010-04-14 02:59 . 2010-04-14 02:59 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\FastStone 2010-04-14 02:58 . 2010-04-14 02:58 -------- d-----w- c:\program files\FastStone Photo Resizer 2010-04-14 02:54 . 2010-04-14 02:54 -------- d-----w- c:\windows\system32\XPSViewer 2010-04-14 02:54 . 2010-04-14 02:54 -------- d-----w- c:\program files\MSBuild 2010-04-14 02:54 . 2010-04-14 02:54 -------- d-----w- c:\program files\Reference Assemblies 2010-04-14 02:54 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll 2010-04-14 02:53 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2010-04-14 02:53 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll 2010-04-14 02:53 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll 2010-04-14 02:53 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll 2010-04-14 02:53 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll 2010-04-14 02:53 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll 2010-04-14 02:53 . 2008-07-06 10:50 617984 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe 2010-04-14 02:53 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2010-04-14 02:50 . 2010-04-14 02:50 -------- d-sh--w- c:\documents and settings\Chris and Mary\IECompatCache 2010-04-13 05:46 . 2010-04-13 05:46 -------- d-----w- c:\program files\iPod 2010-04-13 05:46 . 2010-04-13 05:47 -------- d-----w- c:\program files\iTunes 2010-04-13 05:41 . 2010-04-13 05:52 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\Apple Computer 2010-04-13 05:16 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys 2010-04-13 05:16 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll 2010-04-13 05:15 . 2010-04-13 05:16 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} 2010-04-13 05:14 . 2010-04-13 05:15 -------- d-----w- c:\program files\QuickTime 2010-04-13 05:14 . 2010-04-13 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer 2010-04-13 05:14 . 2010-04-13 05:14 -------- d-----w- c:\documents and settings\Chris and Mary\Local Settings\Application Data\Apple 2010-04-13 05:14 . 2010-04-13 05:14 -------- d-----w- c:\program files\Apple Software Update 2010-04-13 05:14 . 2010-04-16 03:19 -------- dc----w- c:\windows\system32\DRVSTORE 2010-04-13 05:14 . 2009-10-16 09:33 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2010-04-13 05:14 . 2009-10-16 09:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll 2010-04-13 05:13 . 2010-04-13 05:13 -------- d-----w- c:\program files\Bonjour 2010-04-13 05:13 . 2010-04-13 05:46 -------- d-----w- c:\program files\Common Files\Apple 2010-04-13 05:13 . 2010-04-13 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple 2010-04-13 05:13 . 2010-04-13 05:47 -------- d-----w- c:\documents and settings\Chris and Mary\Local Settings\Application Data\Apple Computer 2010-04-13 04:16 . 2010-04-13 04:18 -------- d-----w- c:\program files\Microsoft Money 2010-04-13 04:03 . 2010-04-13 04:03 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\Intuit Canada 2010-04-13 04:03 . 2010-04-13 04:03 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0 2010-04-13 04:03 . 2010-04-13 04:03 -------- d-----w- c:\program files\Common Files\Intuit 2010-04-13 04:03 . 2010-04-13 04:45 -------- d-----w- c:\program files\QuickTax 2009 2010-04-13 04:03 . 2010-04-13 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit Canada 2010-04-12 14:56 . 2010-04-22 01:03 -------- d-----w- c:\program files\Common Files\Adobe 2010-04-12 14:54 . 2010-04-12 14:54 -------- d-----w- c:\windows\Cache 2010-04-12 06:34 . 2010-04-12 06:34 -------- d-----w- c:\windows\system32\scripting 2010-04-12 06:34 . 2010-04-12 06:34 -------- d-----w- c:\windows\l2schemas 2010-04-12 06:34 . 2010-04-12 06:34 -------- d-----w- c:\windows\system32\en 2010-04-12 06:34 . 2010-04-12 06:34 -------- d-----w- c:\windows\system32\bits 2010-04-12 06:00 . 2010-04-12 06:00 -------- d-sh--w- c:\documents and settings\Chris and Mary\PrivacIE 2010-04-12 05:51 . 2004-03-22 22:17 25840 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll 2010-04-12 05:51 . 2004-03-22 22:17 24816 ----a-w- c:\windows\system32\mdimon.dll 2010-04-12 05:50 . 2010-04-12 05:50 -------- d-----w- c:\program files\Common Files\L&H 2010-04-12 05:50 . 2010-04-12 05:50 -------- d-----w- c:\program files\Microsoft ActiveSync 2010-04-12 05:49 . 2010-04-12 06:06 -------- d-----w- c:\program files\Microsoft Works 2010-04-12 05:49 . 2010-04-12 05:50 -------- d-----w- c:\windows\SHELLNEW 2010-04-12 05:48 . 2010-04-12 05:48 -------- d-----w- c:\program files\Microsoft.NET 2010-04-12 05:46 . 2010-04-12 05:46 -------- d-----r- C:\MSOCache 2010-04-12 05:46 . 2010-04-12 05:46 -------- d-----w- c:\windows\system32\LogFiles 2010-04-12 05:46 . 2010-04-12 05:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2010-04-12 05:46 . 2010-04-12 05:46 -------- d-sh--w- c:\documents and settings\Chris and Mary\IETldCache 2010-04-12 05:37 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll 2010-04-12 05:37 . 2010-02-25 18:54 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll 2010-04-12 05:37 . 2010-02-25 06:24 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll 2010-04-12 05:37 . 2010-02-25 06:24 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll 2010-04-12 05:37 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll 2010-04-12 05:37 . 2010-02-25 06:24 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll 2010-04-12 05:37 . 2010-04-14 03:21 -------- d-----w- c:\windows\ie8updates 2010-04-12 05:37 . 2010-02-16 04:50 64000 ------w- c:\windows\system32\dllcache\iecompat.dll 2010-04-12 05:36 . 2010-04-12 05:37 -------- dc-h--w- c:\windows\ie8 2010-04-12 05:25 . 2010-04-12 06:32 -------- d-----w- c:\windows\ServicePackFiles 2010-04-12 05:24 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll 2010-04-12 05:24 . 2010-04-12 05:24 -------- d-----w- c:\program files\MSXML 4.0 2010-04-12 05:16 . 2004-08-04 05:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys 2010-04-12 04:53 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll 2010-04-12 04:53 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll 2010-04-12 04:53 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll 2010-04-12 04:53 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll 2010-04-12 04:53 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe 2010-04-12 04:53 . 2009-02-06 10:39 35328 ------w- c:\windows\system32\dllcache\sc.exe 2010-04-12 04:53 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe 2010-04-12 04:53 . 2009-06-25 08:25 730112 ------w- c:\windows\system32\dllcache\lsasrv.dll 2010-04-12 04:53 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll 2010-04-12 04:53 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll 2010-04-12 04:53 . 2010-02-17 16:10 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe 2010-04-12 04:53 . 2010-02-16 14:08 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe 2010-04-12 04:53 . 2010-02-16 13:25 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe 2010-04-12 04:52 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe 2010-04-12 04:51 . 2010-02-24 13:11 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys 2010-04-12 04:50 . 2009-07-31 04:35 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll 2010-04-12 04:50 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll 2010-04-12 04:47 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-20 02:03 . 2010-04-12 14:58 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\AdobeUM 2010-04-16 03:24 . 2010-04-16 03:21 -------- d-----w- c:\program files\Common Files\EPSON 2010-04-16 03:22 . 2010-04-16 03:21 -------- d-----w- c:\program files\EpsonNet 2010-04-16 03:21 . 2010-04-16 03:21 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\InstallShield 2010-04-12 15:11 . 2010-04-12 15:11 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\Canon 2010-04-12 15:05 . 2010-04-12 15:03 -------- d-----w- c:\program files\Canon 2010-04-12 15:04 . 2010-04-12 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser 2010-04-12 14:59 . 2010-04-12 14:59 -------- d-----w- c:\program files\Common Files\Canon 2010-04-12 06:37 . 2004-08-09 17:54 86695 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat 2010-04-12 05:24 . 2010-04-12 05:24 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf 2010-04-12 05:24 . 2010-04-12 05:24 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf 2010-04-12 03:52 . 2010-04-12 03:52 47 ----a-w- c:\windows\system32\drivers\IBM_8131_35U.MRK 2010-04-12 03:36 . 2010-04-12 03:52 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\IBM 2010-04-12 03:35 . 2010-04-12 03:52 -------- d-----w- c:\documents and settings\Chris and Mary\Application Data\Sonic 2010-04-12 03:35 . 2010-04-12 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sonic 2010-04-12 03:35 . 2010-04-12 03:35 -------- d-----w- c:\program files\Common Files\Sonic 2010-04-12 03:35 . 2010-04-12 03:35 -------- d-----w- c:\program files\Common Files\SureThing Shared 2010-04-12 03:35 . 2010-04-12 03:35 -------- d-----w- c:\program files\Sonic 2010-04-12 03:35 . 2010-04-12 03:35 -------- d-----w- c:\program files\IBM RecordNow! 2010-04-12 03:35 . 2010-04-12 03:35 -------- d-----w- c:\program files\IBM DLA 2010-04-12 03:35 . 2010-04-12 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\ibm 2010-04-12 03:33 . 2010-04-12 03:52 12328 ----a-w- c:\documents and settings\Chris and Mary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-04-12 03:32 . 2010-04-12 03:52 136 ----a-w- c:\documents and settings\Chris and Mary\Local Settings\Application Data\fusioncache.dat 2010-03-10 06:15 . 1980-01-01 07:00 420352 ----a-w- c:\windows\system32\vbscript.dll 2010-02-25 06:24 . 1980-01-01 07:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-02-24 13:11 . 1980-01-01 07:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 14:08 . 1980-01-01 07:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2004-08-04 05:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe 2010-02-12 04:33 . 1980-01-01 07:00 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-11 12:02 . 1980-01-01 07:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys . ------- Sigcheck ------- [-] 2008-04-14 . 9C042F6D8437A19D71E1329B23129207 . 78336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe [-] 2008-04-14 . F455A4EE781F80B29260B8C91883BC66 . 78336 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe [-] 2004-08-04 . EFBE2282041BA148D8F97DF896DC0D05 . 78336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe [-] 2008-04-14 . 9EF9D20A64CDF034818A13F5B08418DB . 46592 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe [-] 2008-04-14 . CBC3292A8531789125232EC43E622552 . 46592 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe [-] 2004-08-04 . 84E3781AF7B8E2EC69F022B2BDB30DB1 . 45056 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe [-] 2008-04-14 . 2FA3FD011DD63718CA88D3C5FF7905FE . 1054208 . . [6.00.2900.5512] . . c:\windows\explorer.exe [-] 2008-04-14 . 142DCE974995CB39E098A38EC15BDAB4 . 1054208 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe [-] 2004-08-04 . 40763A2CF64239B8966A5969102A7E66 . 1052672 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe [-] 2008-04-14 . 26EBB844C9CE1E32C6EC94AA5804E7C6 . 34304 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe [-] 2008-04-14 . 0BE110F01F1723EC35DC4849CA1210ED . 34304 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe [-] 2004-08-04 . 8CEF667BBDF8C9C1C0E1F02E8F7E7177 . 34304 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe [-] 2008-04-14 . DBADCD87EE833D17C374C140D84339E4 . 35840 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe [-] 2008-04-14 . 63FB4861FDA723833D7529603BC98F9E . 35840 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe [-] 2004-08-04 . 350009B87119B013FBE96727AD9B328F . 35840 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-22 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-22 176128] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-22 147456] "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1409024] "UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-07-14 61756] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 147456] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 131072] "IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-12-16 110592] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 442368] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120] "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="c:\windows\explorer.exe," [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages] 2004-12-11 04:03 466944 ----a-w- c:\program files\IBM\Messages By IBM\ibmmessages.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] 2002-07-17 18:00 221184 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"= "c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"= "c:\\Program Files\\IBM\\Updater\\ucsmb.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"= "c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"= S0 tlqte;tlqte;c:\windows\system32\drivers\brsba.sys --> c:\windows\system32\drivers\brsba.sys [?] S0 wrdbgibe;wrdbgibe;c:\windows\system32\drivers\sxmdun.sys --> c:\windows\system32\drivers\sxmdun.sys [?] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/21/2010 9:22 PM 135664] . Contents of the 'Scheduled Tasks' folder 2010-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50] 2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-22 01:22] 2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-22 01:22] 2010-04-22 c:\windows\Tasks\User_Feed_Synchronization-{5F5A59BF-757F-4527-A3AF-431C8E04230A}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 11:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.ca/ uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html . - - - - ORPHANS REMOVED - - - - HKLM-Run-UC_SMB - (no file) HKLM-Run-Mouse Suite 98 Daemon - ICO.EXE HKLM-Run-vgswak - c:\windows\system32\mswyrwzq.dll HKLM-Run-xrhukt - c:\windows\system32\msmesslb.dll MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe MSConfigStartUp-NAV CfgWiz - c:\program files\Norton AntiVirus\CfgWiz.exe MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe MSConfigStartUp-vgswak - c:\windows\system32\mswyrwzq.dll ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-22 18:30 Windows 5.1.2600 Service Pack 3 NTFS detected NTDLL code modification: ZwOpenFile scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(668) c:\windows\system32\WININET.DLL - - - - - - - > 'explorer.exe'(1240) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Analog Devices\SoundMAX\SMAgent.exe c:\windows\system32\wdfmgr.exe c:\program files\Canon\CAL\CALMAIN.exe c:\windows\system32\w.exe c:\windows\System32\Rundll32.exe c:\windows\fonts\services.exe c:\windows\TEMP\xq8i.exe c:\windows\TEMP\xq8i.exe c:\windows\system32\msiexec.exe c:\windows\system32\RUNDLL32.EXE c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2010-04-22 18:35:25 - machine was rebooted ComboFix-quarantined-files.txt 2010-04-22 22:35 Pre-Run: 63,100,399,616 bytes free Post-Run: 63,245,651,968 bytes free - - End Of File - - 3C52EC8A01AE76C3C07EB803A5532C0B Malware Bytes log: Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 4020 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 4/22/2010 7:25:06 PM mbam-log-2010-04-22 (19-25-06).txt Scan type: Quick scan Objects scanned: 112028 Time elapsed: 4 minute(s), 52 second(s) Memory Processes Infected: 3 Memory Modules Infected: 2 Registry Keys Infected: 3 Registry Values Infected: 15 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 13 Memory Processes Infected: C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> Unloaded process successfully. C:\WINDOWS\system32\PereSvc.exe (Trojan.Koblu) -> Unloaded process successfully. C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Unloaded process successfully. Memory Modules Infected: C:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Trojan.Koblu) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\PereSvc.exe (Trojan.Koblu) -> Quarantined and deleted successfully. C:\WINDOWS\system32\d.bin (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ms.bin (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\so.bin (Trojan.Koblu) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> Quarantined and deleted successfully. C:\WINDOWS\system32\4936624.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\7073023.exe (Backdoor.Refpron) -> Quarantined and deleted successfully. C:\WINDOWS\system32\7228799.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\8884546.exe (Backdoor.Refpron) -> Quarantined and deleted successfully. C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

I followed the above steps. Here's the DDS log: DDS (Ver_10-03-17.01) - NTFSx86 Run by Chris and Mary at 21:17:34.21 on Wed 04/21/2010 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.148 [GMT -4:00] AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe c:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\system32\igfxtray.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\IBMTOOLS\UTILS\ibmprc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\DOCUME~1\CHRISA~1\LOCALS~1\Temp\xq8i.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\iPod\bin\iPodService.exe C:\DOCUME~1\CHRISA~1\LOCALS~1\Temp\xq8i.exe C:\WINDOWS\system32\w.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\Rundll32.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\DOCUME~1\CHRISA~1\LOCALS~1\Temp\Google Toolbar\gtbB.tmp.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\svchost.exe -k netsvcs C:\WINDOWS\system32\PereSvc.exe C:\WINDOWS\system32\5903.exe C:\Documents and Settings\Chris and Mary\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.ca/ uInternet Settings,ProxyOverride = *.local BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [Epson Stylus NX510(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifia.exe /fu "c:\windows\temp\E_S8F.tmp" /EF "HKCU" uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray mRun: [uC_Start] c:\program files\ibm\updater\\ucstartup.exe mRun: [uC_SMB] mRun: [<NO NAME>] mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r mRun: [iBMPRC] c:\ibmtools\utils\ibmprc.exe mRun: [Mouse Suite 98 Daemon] ICO.EXE mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe mRun: [vgswak] RUNDLL32.EXE c:\windows\system32\mswyrwzq.dll,w mRun: [xrhukt] RUNDLL32.EXE c:\windows\system32\msmesslb.dll,w mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mExplorerRun: [zh5l] c:\windows\temp\xq8i.exe mExplorerRun: [exec] c:\windows\fonts\services.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll Notify: igfxcui - igfxsrvc.dll LSA: Notification Packages = scecli pwdmon ============= SERVICES / DRIVERS =============== R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-8-13 197752] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-8-13 164984] R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\navapsvc.exe [2004-8-18 176768] R2 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [2004-8-4 61440] R2 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2004-7-23 49808] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050109.003\NAVENG.Sys [2010-4-11 72712] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050109.003\NavEx15.Sys [2010-4-11 629544] R3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2004-7-23 335504] S0 tlqte;tlqte;c:\windows\system32\drivers\brsba.sys --> c:\windows\system32\drivers\brsba.sys [?] S0 wrdbgibe;wrdbgibe;c:\windows\system32\drivers\sxmdun.sys --> c:\windows\system32\drivers\sxmdun.sys [?] S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2004-8-18 66688] S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-8-13 78968] S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVScan.exe [2004-7-23 197864] =============== Created Last 30 ================ 2010-04-22 01:16:38 62496 ----a-w- c:\windows\system32\MSWINSCK.OCX 2010-04-22 01:16:38 196096 ----a-w- c:\windows\system32\4659219.exe 2010-04-22 01:16:30 33280 ----a-w- c:\windows\system32\4070658.exe 2010-04-22 01:16:20 88576 ----a-w- c:\windows\system32\w.exe 2010-04-22 01:16:20 44544 ----a-w- c:\windows\system32\ms.bin 2010-04-22 01:16:20 40960 ----a-w- c:\windows\system32\so.bin 2010-04-22 01:16:20 36864 ----a-w- c:\windows\system32\d.bin 2010-04-22 01:16:20 170047 ----a-w- c:\windows\system32\3320276.exe 2010-04-22 00:55:57 33280 ----a-w- c:\windows\system32\4656291.exe 2010-04-22 00:46:16 33280 ----a-w- c:\windows\system32\3914256.exe 2010-04-22 00:46:07 36865 ----a-w- c:\windows\system32\msmesslb.dll 2010-04-21 00:36:26 7168 ----a-w- c:\windows\system32\5651193.exe 2010-04-21 00:20:14 7168 ----a-w- c:\windows\system32\8710886.exe 2010-04-21 00:17:13 7168 ----a-w- c:\windows\system32\8121896.exe 2010-04-21 00:01:20 7168 ----a-w- c:\windows\system32\9426522.exe 2010-04-21 00:01:11 36865 ----a-w- c:\windows\system32\mswyrwzq.dll 2010-04-21 00:00:22 2148 ----a-w- c:\windows\system32\wpa.dbl 2010-04-20 02:16:00 0 d-sha-r- C:\autorun.inf 2010-04-19 15:25:04 36865 ------w- c:\windows\system32\xsardmhq.dyw 2010-04-17 15:29:53 0 ----a-w- c:\windows\EEventManager.INI 2010-04-16 03:24:45 77824 ----a-w- c:\windows\system32\EBAPI.dll 2010-04-16 03:24:45 65536 ----a-w- c:\windows\system32\EEBUtil.dll 2010-04-16 03:24:45 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll 2010-04-16 03:24:45 135168 ----a-w- c:\windows\system32\EEBAPI.dll 2010-04-16 03:24:45 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll 2010-04-16 03:21:51 0 d-----w- c:\program files\EpsonNet 2010-04-16 03:21:33 0 d-----w- c:\program files\common files\EPSON 2010-04-16 03:19:48 0 d-----w- c:\program files\Epson Software 2010-04-16 03:19:26 93696 ----a-w- c:\windows\system32\E_FLBFIA.DLL 2010-04-16 03:19:26 79360 ----a-w- c:\windows\system32\E_FD4BFIA.DLL 2010-04-16 03:19:11 0 d-----w- c:\docume~1\alluse~1\applic~1\EPSON 2010-04-16 03:18:53 342016 ----a-w- c:\windows\system32\eswiaud.dll 2010-04-16 03:18:53 15872 ----a-w- c:\windows\system32\escdev.dll 2010-04-16 03:18:53 128392 ----a-w- c:\windows\system32\esdevapp.exe 2010-04-16 03:18:48 0 d-----w- c:\program files\epson 2010-04-16 03:16:41 79 ----a-w- c:\windows\EPNX510.ini 2010-04-16 02:56:11 0 d-----w- c:\docume~1\chrisa~1\applic~1\ZoomBrowser EX 2010-04-16 02:46:29 77824 ----a-w- c:\windows\system32\wd_utils.dll 2010-04-16 02:30:03 0 d---a-w- c:\program files\Polar 2010-04-15 05:51:00 0 d-----w- c:\docume~1\chrisa~1\applic~1\Malwarebytes 2010-04-15 05:50:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-15 05:50:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-04-15 05:50:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-15 05:50:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-15 05:06:43 1089593 ------w- c:\windows\system32\dllcache\ntprint.cat 2010-04-14 02:59:18 0 d-----w- c:\docume~1\chrisa~1\applic~1\FastStone 2010-04-14 02:58:34 0 d-----w- c:\program files\FastStone Photo Resizer 2010-04-14 02:54:40 0 d-----w- c:\windows\system32\XPSViewer 2010-04-14 02:53:58 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2010-04-14 02:53:58 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2010-04-14 02:53:58 575488 ------w- c:\windows\system32\xpsshhdr.dll 2010-04-14 02:53:58 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll 2010-04-14 02:53:58 1676288 ------w- c:\windows\system32\xpssvcs.dll 2010-04-14 02:53:58 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll 2010-04-14 02:53:58 117760 ------w- c:\windows\system32\prntvpt.dll 2010-04-14 02:50:33 0 d-sh--w- c:\documents and settings\chris and mary\IECompatCache 2010-04-13 05:46:23 0 d-----w- c:\program files\iPod 2010-04-13 05:46:18 0 d-----w- c:\program files\iTunes 2010-04-13 05:34:39 0 d-----w- c:\windows\system32\appmgmt 2010-04-13 05:16:09 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys 2010-04-13 05:16:09 107368 ----a-w- c:\windows\system32\GEARAspi.dll 2010-04-13 05:15:23 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521} 2010-04-13 05:14:13 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2010-04-13 05:14:13 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll 2010-04-13 05:13:52 0 d-----w- c:\program files\Bonjour 2010-04-13 04:16:36 0 d-----w- c:\program files\Microsoft Money 2010-04-13 04:03:58 0 d-----w- c:\docume~1\chrisa~1\applic~1\Intuit Canada 2010-04-13 04:03:43 0 d-----w- c:\program files\common files\AnswerWorks 4.0 2010-04-13 04:03:40 0 d-----w- c:\program files\common files\Intuit 2010-04-13 04:03:31 0 d-----w- c:\program files\QuickTax 2009 2010-04-13 04:03:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Intuit Canada 2010-04-12 15:09:42 5632 ----a-w- c:\windows\system32\ptpusb.dll 2010-04-12 15:09:42 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys 2010-04-12 15:09:42 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys 2010-04-12 15:09:41 159232 ----a-w- c:\windows\system32\ptpusd.dll 2010-04-12 15:04:45 0 d-----w- c:\docume~1\alluse~1\applic~1\ZoomBrowser 2010-04-12 15:03:28 0 d-----w- c:\program files\Canon 2010-04-12 14:59:15 0 d-----w- c:\program files\common files\Canon 2010-04-12 14:54:30 0 d-----w- c:\windows\Cache 2010-04-12 06:34:53 0 d-----w- c:\windows\system32\scripting 2010-04-12 06:34:52 0 d-----w- c:\windows\l2schemas 2010-04-12 06:34:51 0 d-----w- c:\windows\system32\en 2010-04-12 06:34:51 0 d-----w- c:\windows\system32\bits 2010-04-12 06:30:11 0 d-----w- c:\windows\network diagnostic 2010-04-12 06:08:50 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cada069f2be656.mof 2010-04-12 06:00:33 0 d-sh--w- c:\documents and settings\chris and mary\PrivacIE 2010-04-12 05:52:02 376 ----a-w- c:\windows\ODBC.INI 2010-04-12 05:51:57 24816 ----a-w- c:\windows\system32\mdimon.dll 2010-04-12 05:50:49 0 d-----w- c:\program files\common files\L&H 2010-04-12 05:50:35 0 d-----w- c:\program files\Microsoft ActiveSync 2010-04-12 05:49:30 0 d-----w- c:\windows\SHELLNEW 2010-04-12 05:46:30 0 d-----w- c:\windows\system32\LogFiles 2010-04-12 05:46:06 0 d-sh--w- c:\documents and settings\chris and mary\IETldCache 2010-04-12 05:37:51 12800 ------w- c:\windows\system32\dllcache\xpshims.dll 2010-04-12 05:37:50 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll 2010-04-12 05:37:50 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll 2010-04-12 05:37:50 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll 2010-04-12 05:37:50 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll 2010-04-12 05:37:50 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll 2010-04-12 05:37:45 0 d-----w- c:\windows\ie8updates 2010-04-12 05:37:41 64000 ------w- c:\windows\system32\dllcache\iecompat.dll 2010-04-12 05:36:28 0 dc-h--w- c:\windows\ie8 2010-04-12 05:25:21 0 d-----w- c:\windows\ServicePackFiles 2010-04-12 05:24:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf 2010-04-12 05:24:31 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf 2010-04-12 05:24:06 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll 2010-04-12 05:24:02 0 d-----w- c:\program files\MSXML 4.0 2010-04-12 05:16:04 64352 ------w- c:\windows\system32\drivers\ativmc20.cod 2010-04-12 04:52:05 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe 2010-04-12 04:51:45 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys 2010-04-12 04:50:35 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll 2010-04-12 04:50:33 1315328 ------w- c:\windows\system32\dllcache\msoe.dll 2010-04-12 04:47:52 2560 ------w- c:\windows\system32\xpsp4res.dll 2010-04-12 04:47:52 215552 ------w- c:\windows\system32\dllcache\wordpad.exe 2010-04-12 04:47:52 1206508 ------w- c:\windows\system32\dllcache\sysmain.sdb 2010-04-12 04:47:17 272128 ------w- c:\windows\system32\drivers\bthport.sys 2010-04-12 04:47:17 272128 ------w- c:\windows\system32\dllcache\bthport.sys 2010-04-12 04:47:01 353792 ------w- c:\windows\system32\dllcache\srv.sys 2010-04-12 04:46:40 471552 ------w- c:\windows\system32\dllcache\aclayers.dll 2010-04-12 04:45:36 81920 ------w- c:\windows\system32\dllcache\fontsub.dll 2010-04-12 04:45:36 119808 ------w- c:\windows\system32\dllcache\t2embed.dll 2010-04-12 04:45:27 153088 ------w- c:\windows\system32\dllcache\triedit.dll 2010-04-12 04:42:37 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx 2010-04-12 04:40:05 203136 ------w- c:\windows\system32\dllcache\rmcast.sys 2010-04-12 04:39:59 331776 ------w- c:\windows\system32\dllcache\msadce.dll 2010-04-12 04:39:36 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll 2010-04-12 04:36:37 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll 2010-04-12 04:36:18 337408 ------w- c:\windows\system32\dllcache\netapi32.dll 2010-04-12 04:30:21 0 d-----w- c:\windows\system32\PreInstall 2010-04-12 04:30:20 26144 ----a-w- c:\windows\system32\spupdsvc.exe 2010-04-12 03:58:59 0 d-----w- c:\program files\CCleaner 2010-04-12 03:56:53 0 d-----w- c:\program files\Spybot - Search & Destroy 2010-04-12 03:56:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2010-04-12 03:55:29 7280 ----a-r- c:\windows\system32\ZSHP1018.HLP 2010-04-12 03:55:28 86016 ----a-r- c:\windows\system32\ZSPOOL.DLL 2010-04-12 03:55:28 462848 ----a-r- c:\windows\system32\ZSHP1018.EXE 2010-04-12 03:55:28 28672 ----a-r- c:\windows\system32\ZLM.DLL 2010-04-12 03:55:28 28672 ----a-r- c:\windows\system32\IMF32.DLL 2010-04-12 03:55:28 24576 ----a-r- c:\windows\system32\ZTAG32.DLL 2010-04-12 03:55:28 129092 ----a-r- c:\windows\system32\hp1018.img 2010-04-12 03:55:28 106496 ----a-r- c:\windows\system32\VSHP1018.DLL 2010-04-12 03:55:28 102400 ----a-r- c:\windows\system32\ZLhp1018.DLL 2010-04-12 03:52:01 0 d-----w- c:\docume~1\chrisa~1\applic~1\Symantec 2010-04-12 03:52:01 0 d-----w- c:\docume~1\chrisa~1\applic~1\IBM 2010-04-12 03:50:59 0 d-----w- c:\windows\system32\SoftwareDistribution 2010-04-12 03:50:44 0 d-----w- C:\RRUbackups 2010-04-12 03:49:20 2409 ----a-w- c:\windows\system32\$winnt$.inf 2010-04-12 03:49:13 8192 ----a-w- c:\windows\REGLOCS.OLD 2010-04-12 03:42:48 0 ---ha-w- C:\BOOTLOG.PRV 2010-04-12 03:42:07 0 d-----w- C:\Books 2010-04-12 03:41:05 0 d-----w- C:\IBMSHARE 2010-04-12 03:40:58 308 ----a-w- C:\ccrrec.ver 2010-04-12 03:40:54 54076 ----a-w- c:\windows\system32\drivers\psasrv.exe 2010-04-12 03:40:54 13184 ----a-w- c:\windows\system32\drivers\psadd.sys 2010-04-12 03:38:21 0 d-----w- c:\program files\Norton AntiVirus 2010-04-12 03:37:56 83168 ----a-w- c:\windows\system32\S32EVNT1.DLL 2010-04-12 03:37:56 103952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2010-04-12 03:37:48 0 d-----w- c:\program files\Symantec 2010-04-12 03:37:48 0 d-----w- c:\program files\common files\Symantec Shared 2010-04-12 03:37:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec 2010-04-12 03:37:29 12416 ----a-w- c:\windows\system32\drivers\PcdrNdisuio.sys 2010-04-12 03:37:17 0 d-----w- c:\program files\PC-Doctor for Windows 2010-04-12 03:36:12 61440 ----a-w- c:\windows\system32\IBMJavaPlugin142.cpl 2010-04-12 03:35:54 0 d-----w- c:\program files\common files\Sonic 2010-04-12 03:35:26 0 d-----w- c:\program files\common files\SureThing Shared 2010-04-12 03:35:25 0 d-----w- c:\program files\Sonic 2010-04-12 03:35:25 0 d-----w- c:\program files\IBM RecordNow! 2010-04-12 03:35:23 0 d-----w- c:\program files\IBM DLA 2010-04-12 03:35:00 0 d-----w- c:\docume~1\alluse~1\applic~1\ibm 2010-04-12 03:34:26 0 d-----w- C:\icons 2010-04-12 03:33:46 0 d-----w- c:\program files\IBM 2010-04-12 03:32:43 656 ----a-w- c:\windows\system32\InstallUtil.InstallLog 2010-04-12 03:32:39 0 d-----w- c:\program files\Windows Media Connect 2010-04-12 03:32:28 163840 ----a-w- c:\windows\system32\igfxres.dll 2010-04-12 03:30:14 333 ----a-w- c:\windows\system32\$ncsp$.inf 2010-04-12 03:29:43 235100 ----a-w- c:\windows\system32\drivers\MidiSyn.sys 2010-04-12 03:29:32 30208 ----a-w- c:\windows\system32\wdmioctl.dll 2010-04-12 03:29:32 1285632 ----a-w- c:\windows\system32\SMMedia.dll 2010-04-12 03:29:31 991232 ----a-w- c:\windows\system32\virtear.dll 2010-04-12 03:29:31 765952 ----a-w- c:\windows\system\crlds3d.dll 2010-04-12 03:29:31 69632 ----a-w- c:\windows\system32\DSndUp.exe 2010-04-12 03:29:31 65536 ----a-w- c:\windows\system32\CleanUp.exe 2010-04-12 03:29:31 65536 ----a-w- c:\windows\system32\Audio3d.dll 2010-04-12 03:29:31 0 d-----w- c:\windows\VirtualEar 2010-04-12 03:29:31 0 d-----w- c:\program files\Analog Devices 2010-04-12 03:28:42 693 ----a-w- C:\SYSLEVEL.IBM 2010-04-12 03:27:50 0 d-----w- c:\windows\system32\URTTemp 2010-04-12 03:27:38 0 d--h--w- c:\windows\$hf_mig$ 2010-04-12 03:27:08 0 d-----w- c:\windows\RegisteredPackages 2010-04-12 03:25:45 0 d-----w- c:\windows\system32\ReinstallBackups 2010-04-12 03:24:39 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys 2010-04-12 03:24:37 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys 2010-04-12 03:24:36 21504 ----a-w- c:\windows\system32\hidserv.dll 2010-04-12 03:24:22 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys 2010-04-12 03:24:17 60032 ----a-w- c:\windows\system32\drivers\usbaudio.sys 2010-04-12 03:24:15 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys 2010-04-12 03:24:11 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys 2010-04-12 03:23:47 7168 ----a-w- c:\windows\system32\hccoin.dll 2010-04-12 03:23:47 30208 ----a-w- c:\windows\system32\drivers\usbehci.sys 2010-04-12 03:22:40 2481 ----a-w- c:\windows\system32\OEMINFO.INI 2010-04-12 03:22:30 0 d-----w- C:\DRIVERS 2010-04-12 03:19:01 0 d-----w- C:\ibmtools ==================== Find3M ==================== 2010-04-12 03:52:09 47 ----a-w- c:\windows\system32\drivers\IBM_8131_35U.MRK 2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll 2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll 2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll 2010-02-25 06:24:37 916480 ------w- c:\windows\system32\dllcache\wininet.dll 2010-02-25 06:24:37 611840 ------w- c:\windows\system32\dllcache\mstime.dll 2010-02-25 06:24:37 206848 ------w- c:\windows\system32\dllcache\occache.dll 2010-02-25 06:24:37 1209344 ------w- c:\windows\system32\dllcache\urlmon.dll 2010-02-25 06:24:36 5944832 ------w- c:\windows\system32\dllcache\mshtml.dll 2010-02-25 06:24:35 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll 2010-02-25 06:24:35 184320 ------w- c:\windows\system32\dllcache\iepeers.dll 2010-02-25 06:24:34 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll 2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe 2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe 2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe 2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe 2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe 2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe 2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll 2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys ============= FINISH: 21:18:58.76 =============== Here's the MalwareBytes's log: Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 4020 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 4/21/2010 9:14:06 PM mbam-log-2010-04-21 (21-14-06).txt Scan type: Quick scan Objects scanned: 114373 Time elapsed: 7 minute(s), 23 second(s) Memory Processes Infected: 2 Memory Modules Infected: 2 Registry Keys Infected: 3 Registry Values Infected: 16 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 36 Memory Processes Infected: C:\WINDOWS\system32\PereSvc.exe (Trojan.Koblu) -> Unloaded process successfully. C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> Unloaded process successfully. Memory Modules Infected: c:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Trojan.Koblu) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udpe (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: c:\windows\fonts\services.exe -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run (Trojan.Agent) -> Data: c:\windows\fonts\services.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: c:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\PereSvc.exe (Trojan.Koblu) -> Quarantined and deleted successfully. C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> Delete on reboot. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc1.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc10.exe (Trojan.RefPron) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc12.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc15.bin (Trojan.Agent) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc16.bin (Backdoor.Bot) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc17.exe (Trojan.Sopiclick) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc18.bin (Backdoor.Bot) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc2.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc3.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc7.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc8.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc9.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\WINDOWS\system32\d.bin (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ms.bin (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\so.bin (Trojan.Koblu) -> Quarantined and deleted successfully. C:\WINDOWS\system32\1086069.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\1778941.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\2339899.exe (Trojan.RefPron) -> Quarantined and deleted successfully. C:\WINDOWS\system32\3490977.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\3935205.exe (Backdoor.Refpron) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> Quarantined and deleted successfully. C:\WINDOWS\system32\5210642.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\5267298.exe (Backdoor.Refpron) -> Quarantined and deleted successfully. C:\WINDOWS\system32\7097895.exe (Trojan.RefPron) -> Quarantined and deleted successfully. C:\WINDOWS\system32\7251703.exe (Trojan.RefPron) -> Quarantined and deleted successfully. C:\WINDOWS\system32\765513.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\7717051.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\876385.exe (Trojan.RefPron) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\VRTB.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4RIRQV65\w[1].bin (Trojan.Sopiclick) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNHXZSXZ\w[1].bin (Trojan.Sopiclick) -> Quarantined and deleted successfully. C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

Hi Borislav, Thank you for helping me. Attached are the DDS.txt and Attach.txt logs The GMER program either causes a BSOD or reboots my machine. Cheers, Chris DDS (Ver_10-03-17.01) - NTFSx86 Run by Chris and Mary at 20:07:38.95 on Tue 04/20/2010 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.111 [GMT -4:00] AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe c:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\system32\w.exe C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\9426522.exe C:\WINDOWS\system32\svchost.exe -k netsvcs C:\WINDOWS\system32\PereSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxtray.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\IBMTOOLS\UTILS\ibmprc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\3849.exe C:\Documents and Settings\Chris and Mary\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.ca/ uInternet Settings,ProxyOverride = *.local BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [Epson Stylus NX510(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifia.exe /fu "c:\windows\temp\E_S8F.tmp" /EF "HKCU" mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray mRun: [uC_Start] c:\program files\ibm\updater\\ucstartup.exe mRun: [uC_SMB] mRun: [<NO NAME>] mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r mRun: [iBMPRC] c:\ibmtools\utils\ibmprc.exe mRun: [Mouse Suite 98 Daemon] ICO.EXE mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe mRun: [vgswak] RUNDLL32.EXE c:\windows\system32\mswyrwzq.dll,w mExplorerRun: [zh5l] c:\docume~1\chrisa~1\locals~1\temp\xq8i.exe mExplorerRun: [exec] c:\windows\fonts\services.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll Notify: igfxcui - igfxsrvc.dll LSA: Notification Packages = scecli pwdmon ============= SERVICES / DRIVERS =============== R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050109.003\NAVENG.Sys [2010-4-11 72712] =============== Created Last 30 ================ 2010-04-21 00:01:20 7168 ----a-w- c:\windows\system32\9426522.exe 2010-04-21 00:01:17 62496 ------w- c:\windows\system32\MSWINSCK.OCX 2010-04-21 00:01:17 196096 ----a-w- c:\windows\system32\5210642.exe 2010-04-21 00:01:11 36865 ----a-w- c:\windows\system32\mswyrwzq.dll 2010-04-21 00:01:08 88576 ------w- c:\windows\system32\w.exe 2010-04-21 00:01:08 172171 ----a-w- c:\windows\system32\876385.exe 2010-04-21 00:00:22 2148 ----a-w- c:\windows\system32\wpa.dbl 2010-04-20 02:16:00 0 d-sha-r- C:\autorun.inf 2010-04-19 15:25:04 36865 ------w- c:\windows\system32\xsardmhq.dyw 2010-04-17 15:29:53 0 ----a-w- c:\windows\EEventManager.INI 2010-04-16 03:24:45 77824 ----a-w- c:\windows\system32\EBAPI.dll 2010-04-16 03:24:45 65536 ----a-w- c:\windows\system32\EEBUtil.dll 2010-04-16 03:24:45 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll 2010-04-16 03:24:45 135168 ----a-w- c:\windows\system32\EEBAPI.dll 2010-04-16 03:24:45 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll 2010-04-16 03:21:51 0 d-----w- c:\program files\EpsonNet 2010-04-16 03:21:33 0 d-----w- c:\program files\common files\EPSON 2010-04-16 03:19:48 0 d-----w- c:\program files\Epson Software 2010-04-16 03:19:26 93696 ----a-w- c:\windows\system32\E_FLBFIA.DLL 2010-04-16 03:19:26 79360 ----a-w- c:\windows\system32\E_FD4BFIA.DLL 2010-04-16 03:19:11 0 d-----w- c:\docume~1\alluse~1\applic~1\EPSON 2010-04-16 03:18:53 342016 ----a-w- c:\windows\system32\eswiaud.dll 2010-04-16 03:18:53 15872 ----a-w- c:\windows\system32\escdev.dll 2010-04-16 03:18:53 128392 ----a-w- c:\windows\system32\esdevapp.exe 2010-04-16 03:18:48 0 d-----w- c:\program files\epson 2010-04-16 03:16:41 79 ----a-w- c:\windows\EPNX510.ini 2010-04-16 02:56:11 0 d-----w- c:\docume~1\chrisa~1\applic~1\ZoomBrowser EX 2010-04-16 02:46:29 77824 ----a-w- c:\windows\system32\wd_utils.dll 2010-04-16 02:30:03 0 d---a-w- c:\program files\Polar 2010-04-15 05:51:00 0 d-----w- c:\docume~1\chrisa~1\applic~1\Malwarebytes 2010-04-15 05:50:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-15 05:50:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-04-15 05:50:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-15 05:50:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-15 05:06:43 1089593 ------w- c:\windows\system32\dllcache\ntprint.cat 2010-04-14 02:59:18 0 d-----w- c:\docume~1\chrisa~1\applic~1\FastStone 2010-04-14 02:58:34 0 d-----w- c:\program files\FastStone Photo Resizer 2010-04-14 02:54:40 0 d-----w- c:\windows\system32\XPSViewer 2010-04-14 02:53:58 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2010-04-14 02:53:58 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2010-04-14 02:53:58 575488 ------w- c:\windows\system32\xpsshhdr.dll 2010-04-14 02:53:58 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll 2010-04-14 02:53:58 1676288 ------w- c:\windows\system32\xpssvcs.dll 2010-04-14 02:53:58 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll 2010-04-14 02:53:58 117760 ------w- c:\windows\system32\prntvpt.dll 2010-04-14 02:50:33 0 d-sh--w- c:\documents and settings\chris and mary\IECompatCache 2010-04-13 05:46:23 0 d-----w- c:\program files\iPod 2010-04-13 05:46:18 0 d-----w- c:\program files\iTunes 2010-04-13 05:34:39 0 d-----w- c:\windows\system32\appmgmt 2010-04-13 05:16:09 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys 2010-04-13 05:16:09 107368 ----a-w- c:\windows\system32\GEARAspi.dll 2010-04-13 05:15:23 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521} 2010-04-13 05:14:13 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2010-04-13 05:14:13 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll 2010-04-13 05:13:52 0 d-----w- c:\program files\Bonjour 2010-04-13 04:16:36 0 d-----w- c:\program files\Microsoft Money 2010-04-13 04:03:58 0 d-----w- c:\docume~1\chrisa~1\applic~1\Intuit Canada 2010-04-13 04:03:43 0 d-----w- c:\program files\common files\AnswerWorks 4.0 2010-04-13 04:03:40 0 d-----w- c:\program files\common files\Intuit 2010-04-13 04:03:31 0 d-----w- c:\program files\QuickTax 2009 2010-04-13 04:03:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Intuit Canada 2010-04-12 15:09:42 5632 ----a-w- c:\windows\system32\ptpusb.dll 2010-04-12 15:09:42 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys 2010-04-12 15:09:42 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys 2010-04-12 15:09:41 159232 ----a-w- c:\windows\system32\ptpusd.dll 2010-04-12 15:04:45 0 d-----w- c:\docume~1\alluse~1\applic~1\ZoomBrowser 2010-04-12 15:03:28 0 d-----w- c:\program files\Canon 2010-04-12 14:59:15 0 d-----w- c:\program files\common files\Canon 2010-04-12 14:54:30 0 d-----w- c:\windows\Cache 2010-04-12 06:34:53 0 d-----w- c:\windows\system32\scripting 2010-04-12 06:34:52 0 d-----w- c:\windows\l2schemas 2010-04-12 06:34:51 0 d-----w- c:\windows\system32\en 2010-04-12 06:34:51 0 d-----w- c:\windows\system32\bits 2010-04-12 06:30:11 0 d-----w- c:\windows\network diagnostic 2010-04-12 06:08:50 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cada069f2be656.mof 2010-04-12 06:00:33 0 d-sh--w- c:\documents and settings\chris and mary\PrivacIE 2010-04-12 05:52:02 376 ----a-w- c:\windows\ODBC.INI 2010-04-12 05:51:57 24816 ----a-w- c:\windows\system32\mdimon.dll 2010-04-12 05:50:49 0 d-----w- c:\program files\common files\L&H 2010-04-12 05:50:35 0 d-----w- c:\program files\Microsoft ActiveSync 2010-04-12 05:49:30 0 d-----w- c:\windows\SHELLNEW 2010-04-12 05:46:30 0 d-----w- c:\windows\system32\LogFiles 2010-04-12 05:46:06 0 d-sh--w- c:\documents and settings\chris and mary\IETldCache 2010-04-12 05:37:51 12800 ------w- c:\windows\system32\dllcache\xpshims.dll 2010-04-12 05:37:50 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll 2010-04-12 05:37:50 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll 2010-04-12 05:37:50 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll 2010-04-12 05:37:50 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll 2010-04-12 05:37:50 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll 2010-04-12 05:37:45 0 d-----w- c:\windows\ie8updates 2010-04-12 05:37:41 64000 ------w- c:\windows\system32\dllcache\iecompat.dll 2010-04-12 05:36:28 0 dc-h--w- c:\windows\ie8 2010-04-12 05:25:21 0 d-----w- c:\windows\ServicePackFiles 2010-04-12 05:24:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf 2010-04-12 05:24:31 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf 2010-04-12 05:24:06 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll 2010-04-12 05:24:02 0 d-----w- c:\program files\MSXML 4.0 2010-04-12 05:16:04 64352 ------w- c:\windows\system32\drivers\ativmc20.cod 2010-04-12 04:52:05 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe 2010-04-12 04:51:45 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys 2010-04-12 04:50:35 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll 2010-04-12 04:50:33 1315328 ------w- c:\windows\system32\dllcache\msoe.dll 2010-04-12 04:47:52 2560 ------w- c:\windows\system32\xpsp4res.dll 2010-04-12 04:47:52 215552 ------w- c:\windows\system32\dllcache\wordpad.exe 2010-04-12 04:47:52 1206508 ------w- c:\windows\system32\dllcache\sysmain.sdb 2010-04-12 04:47:17 272128 ------w- c:\windows\system32\drivers\bthport.sys 2010-04-12 04:47:17 272128 ------w- c:\windows\system32\dllcache\bthport.sys 2010-04-12 04:47:01 353792 ------w- c:\windows\system32\dllcache\srv.sys 2010-04-12 04:46:40 471552 ------w- c:\windows\system32\dllcache\aclayers.dll 2010-04-12 04:45:36 81920 ------w- c:\windows\system32\dllcache\fontsub.dll 2010-04-12 04:45:36 119808 ------w- c:\windows\system32\dllcache\t2embed.dll 2010-04-12 04:45:27 153088 ------w- c:\windows\system32\dllcache\triedit.dll 2010-04-12 04:42:37 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx 2010-04-12 04:40:05 203136 ------w- c:\windows\system32\dllcache\rmcast.sys 2010-04-12 04:39:59 331776 ------w- c:\windows\system32\dllcache\msadce.dll 2010-04-12 04:39:36 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll 2010-04-12 04:36:37 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll 2010-04-12 04:36:18 337408 ------w- c:\windows\system32\dllcache\netapi32.dll 2010-04-12 04:30:21 0 d-----w- c:\windows\system32\PreInstall 2010-04-12 04:30:20 26144 ----a-w- c:\windows\system32\spupdsvc.exe 2010-04-12 03:58:59 0 d-----w- c:\program files\CCleaner 2010-04-12 03:56:53 0 d-----w- c:\program files\Spybot - Search & Destroy 2010-04-12 03:56:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2010-04-12 03:55:29 7280 ----a-r- c:\windows\system32\ZSHP1018.HLP 2010-04-12 03:55:28 86016 ----a-r- c:\windows\system32\ZSPOOL.DLL 2010-04-12 03:55:28 462848 ----a-r- c:\windows\system32\ZSHP1018.EXE 2010-04-12 03:55:28 28672 ----a-r- c:\windows\system32\ZLM.DLL 2010-04-12 03:55:28 28672 ----a-r- c:\windows\system32\IMF32.DLL 2010-04-12 03:55:28 24576 ----a-r- c:\windows\system32\ZTAG32.DLL 2010-04-12 03:55:28 129092 ----a-r- c:\windows\system32\hp1018.img 2010-04-12 03:55:28 106496 ----a-r- c:\windows\system32\VSHP1018.DLL 2010-04-12 03:55:28 102400 ----a-r- c:\windows\system32\ZLhp1018.DLL 2010-04-12 03:52:01 0 d-----w- c:\docume~1\chrisa~1\applic~1\Symantec 2010-04-12 03:52:01 0 d-----w- c:\docume~1\chrisa~1\applic~1\IBM 2010-04-12 03:50:59 0 d-----w- c:\windows\system32\SoftwareDistribution 2010-04-12 03:50:44 0 d-----w- C:\RRUbackups 2010-04-12 03:49:20 2409 ----a-w- c:\windows\system32\$winnt$.inf 2010-04-12 03:49:13 8192 ----a-w- c:\windows\REGLOCS.OLD 2010-04-12 03:42:48 0 ---ha-w- C:\BOOTLOG.PRV 2010-04-12 03:42:07 0 d-----w- C:\Books 2010-04-12 03:41:05 0 d-----w- C:\IBMSHARE 2010-04-12 03:40:58 308 ----a-w- C:\ccrrec.ver 2010-04-12 03:40:54 54076 ----a-w- c:\windows\system32\drivers\psasrv.exe 2010-04-12 03:40:54 13184 ----a-w- c:\windows\system32\drivers\psadd.sys 2010-04-12 03:38:21 0 d-----w- c:\program files\Norton AntiVirus 2010-04-12 03:37:56 83168 ----a-w- c:\windows\system32\S32EVNT1.DLL 2010-04-12 03:37:56 103952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2010-04-12 03:37:48 0 d-----w- c:\program files\Symantec 2010-04-12 03:37:48 0 d-----w- c:\program files\common files\Symantec Shared 2010-04-12 03:37:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec 2010-04-12 03:37:29 12416 ----a-w- c:\windows\system32\drivers\PcdrNdisuio.sys 2010-04-12 03:37:17 0 d-----w- c:\program files\PC-Doctor for Windows 2010-04-12 03:36:12 61440 ----a-w- c:\windows\system32\IBMJavaPlugin142.cpl 2010-04-12 03:35:54 0 d-----w- c:\program files\common files\Sonic 2010-04-12 03:35:26 0 d-----w- c:\program files\common files\SureThing Shared 2010-04-12 03:35:25 0 d-----w- c:\program files\Sonic 2010-04-12 03:35:25 0 d-----w- c:\program files\IBM RecordNow! 2010-04-12 03:35:23 0 d-----w- c:\program files\IBM DLA 2010-04-12 03:35:00 0 d-----w- c:\docume~1\alluse~1\applic~1\ibm 2010-04-12 03:34:26 0 d-----w- C:\icons 2010-04-12 03:33:46 0 d-----w- c:\program files\IBM 2010-04-12 03:32:43 656 ----a-w- c:\windows\system32\InstallUtil.InstallLog 2010-04-12 03:32:39 0 d-----w- c:\program files\Windows Media Connect 2010-04-12 03:32:28 163840 ----a-w- c:\windows\system32\igfxres.dll 2010-04-12 03:30:14 333 ----a-w- c:\windows\system32\$ncsp$.inf 2010-04-12 03:29:43 235100 ----a-w- c:\windows\system32\drivers\MidiSyn.sys 2010-04-12 03:29:32 30208 ----a-w- c:\windows\system32\wdmioctl.dll 2010-04-12 03:29:32 1285632 ----a-w- c:\windows\system32\SMMedia.dll 2010-04-12 03:29:31 991232 ----a-w- c:\windows\system32\virtear.dll 2010-04-12 03:29:31 765952 ----a-w- c:\windows\system\crlds3d.dll 2010-04-12 03:29:31 69632 ----a-w- c:\windows\system32\DSndUp.exe 2010-04-12 03:29:31 65536 ----a-w- c:\windows\system32\CleanUp.exe 2010-04-12 03:29:31 65536 ----a-w- c:\windows\system32\Audio3d.dll 2010-04-12 03:29:31 0 d-----w- c:\windows\VirtualEar 2010-04-12 03:29:31 0 d-----w- c:\program files\Analog Devices 2010-04-12 03:28:42 693 ----a-w- C:\SYSLEVEL.IBM 2010-04-12 03:27:50 0 d-----w- c:\windows\system32\URTTemp 2010-04-12 03:27:38 0 d--h--w- c:\windows\$hf_mig$ 2010-04-12 03:27:08 0 d-----w- c:\windows\RegisteredPackages 2010-04-12 03:25:45 0 d-----w- c:\windows\system32\ReinstallBackups 2010-04-12 03:24:39 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys 2010-04-12 03:24:37 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys 2010-04-12 03:24:36 21504 ----a-w- c:\windows\system32\hidserv.dll 2010-04-12 03:24:22 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys 2010-04-12 03:24:17 60032 ----a-w- c:\windows\system32\drivers\usbaudio.sys 2010-04-12 03:24:15 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys 2010-04-12 03:24:11 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys 2010-04-12 03:23:47 7168 ----a-w- c:\windows\system32\hccoin.dll 2010-04-12 03:23:47 30208 ----a-w- c:\windows\system32\drivers\usbehci.sys 2010-04-12 03:22:40 2481 ----a-w- c:\windows\system32\OEMINFO.INI 2010-04-12 03:22:30 0 d-----w- C:\DRIVERS 2010-04-12 03:19:01 0 d-----w- C:\ibmtools ==================== Find3M ==================== 2010-04-21 00:08:00 2594 ---h--w- c:\windows\fonts\mlog 2010-04-12 03:52:09 47 ----a-w- c:\windows\system32\drivers\IBM_8131_35U.MRK 2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll 2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll 2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll 2010-02-25 06:24:37 916480 ------w- c:\windows\system32\dllcache\wininet.dll 2010-02-25 06:24:37 611840 ------w- c:\windows\system32\dllcache\mstime.dll 2010-02-25 06:24:37 206848 ------w- c:\windows\system32\dllcache\occache.dll 2010-02-25 06:24:37 1209344 ------w- c:\windows\system32\dllcache\urlmon.dll 2010-02-25 06:24:36 5944832 ------w- c:\windows\system32\dllcache\mshtml.dll 2010-02-25 06:24:35 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll 2010-02-25 06:24:35 184320 ------w- c:\windows\system32\dllcache\iepeers.dll 2010-02-25 06:24:34 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll 2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe 2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe 2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe 2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe 2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe 2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe 2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll 2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys ============= FINISH: 20:10:09.62 =============== DDS (Ver_10-03-17.01) Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 4/11/2010 11:51:44 PM System Uptime: 4/20/2010 8:00:07 PM (0 hours ago) Motherboard: IBM | | IBM Processor: Intel® Pentium® 4 CPU 3.00GHz | LGA775/PSC/TJS | 2992/200mhz ==== Disk Partitions ========================= A: is Removable C: is FIXED (NTFS) - 71 GiB total, 58.134 GiB free. D: is CDROM () E: is CDROM () F: is FIXED (NTFS) - 1397 GiB total, 1351.694 GiB free. G: is Removable ==== Disabled Device Manager Items ============= Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318} Description: PS/2 Compatible Mouse Device ID: ACPI\PNP0F13\0 Manufacturer: Microsoft Name: PS/2 Compatible Mouse PNP Device ID: ACPI\PNP0F13\0 Service: i8042prt ==== System Restore Points =================== RP1: 4/11/2010 11:51:48 PM - System Checkpoint RP2: 4/12/2010 12:30:14 AM - Software Distribution Service 3.0 RP3: 4/12/2010 1:22:52 AM - Installed Microsoft Office Professional Edition 2003 RP4: 4/12/2010 1:23:09 AM - Software Distribution Service 3.0 RP5: 4/12/2010 1:48:31 AM - Installed Microsoft Office Professional Edition 2003 RP6: 4/12/2010 2:08:13 AM - Printer Driver Microsoft Office Document Image Writer Installed RP7: 4/12/2010 2:22:25 AM - Software Distribution Service 3.0 RP8: 4/12/2010 10:55:54 AM - Installed Adobe Reader 6.0 RP9: 4/13/2010 12:03:26 AM - Installed QuickTax 2009. RP10: 4/13/2010 12:16:08 AM - Installed Microsoft Money 2003 System Pack RP11: 4/13/2010 12:16:28 AM - Installed Microsoft Money 2003 RP12: 4/13/2010 1:45:38 AM - Installed iTunes RP13: 4/13/2010 1:46:12 AM - Installed iTunes RP14: 4/13/2010 2:06:56 AM - Software Distribution Service 3.0 RP15: 4/13/2010 10:46:57 PM - Software Distribution Service 3.0 RP16: 4/13/2010 11:21:19 PM - Software Distribution Service 3.0 RP17: 4/15/2010 2:22:27 AM - Software Distribution Service 3.0 RP18: 4/15/2010 10:32:58 PM - Unsigned driver install RP19: 4/15/2010 11:19:57 PM - Installed Epson Event Manager RP20: 4/15/2010 11:20:34 PM - Installed EPSON Scan Assistant RP21: 4/15/2010 11:21:14 PM - Installed Attach To Email RP22: 4/15/2010 11:21:50 PM - Installed EpsonNet Print RP23: 4/15/2010 11:22:11 PM - Installed EpsonNet Setup RP24: 4/17/2010 11:30:13 AM - Software Distribution Service 3.0 RP25: 4/19/2010 9:22:57 PM - System Checkpoint ==== Installed Programs ====================== Access IBM Access IBM Message Center Adobe Flash Player 10 ActiveX Adobe Reader 6.0 Apple Application Support Apple Mobile Device Support Apple Software Update Bonjour Canon Camera Access Library Canon Camera Support Core Library Canon MOV Decoder Canon MOV Encoder Canon MovieEdit Task for ZoomBrowser EX Canon Utilities CameraWindow Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX Canon Utilities Digital Photo Professional 3.6 Canon Utilities EOS Utility Canon Utilities MyCamera Canon Utilities Original Data Security Tools Canon Utilities PhotoStitch Canon Utilities Picture Style Editor Canon Utilities RemoteCapture Task for ZoomBrowser EX Canon Utilities WFT-E1/E2/E3/E4 Utility Canon Utilities ZoomBrowser EX Canon ZoomBrowser EX Memory Card Utility ccCommon CCleaner Epson Event Manager EPSON NX510 Series Printer Uninstall EPSON Scan EpsonNet Print EpsonNet Setup FastStone Photo Resizer 2.9 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB979306) IBM 32-bit Runtime Environment for Java 2, v1.4.2 IBM DLA IBM RecordNow! IBM Rescue and Recovery with Rapid Restore IBM Themes IBM Update Connector Intel® Graphics Media Accelerator Driver Internet Worm Protection iTunes LiveReg (Symantec Corporation) LiveUpdate 2.5 (Symantec Corporation) Malwarebytes' Anti-Malware Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB953297) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 Microsoft Money 2003 Microsoft Money 2003 System Pack Microsoft Office Professional Edition 2003 Mouse Suite MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Norton AntiVirus 2005 Norton AntiVirus 2005 (Symantec Corporation) Norton AntiVirus Help Norton AntiVirus Parent MSI Norton WMI Update PC-Doctor for Windows QuickTax 2009 QuickTime Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB981332) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB977165-v2) Security Update for Windows XP (KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB978706) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB980232) Sonic Update Manager SoundMAX SPBBC Spybot - Search & Destroy Symantec Symantec Script Blocking Installer SymNet Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows Internet Explorer 8 (KB976662) Update for Windows Internet Explorer 8 (KB980182) Update for Windows Internet Explorer 8 (KB980302) Update for Windows XP (KB951978) Update for Windows XP (KB955759) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update for Windows XP (KB973815) Update for Windows XP (KB980182) Wallpapers WebFldrs XP Windows Genuine Advantage Notifications (KB905474) Windows Internet Explorer 8 Windows Media Connect Windows Media Format Runtime Windows Media Player 10 Windows XP Service Pack 3 ==== Event Viewer Messages From Past Week ======== 4/19/2010 9:04:39 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume. 4/19/2010 9:01:53 PM, error: Service Control Manager [7034] - The peresvc Service service terminated unexpectedly. It has done this 1 time(s). 4/19/2010 8:39:53 PM, error: Service Control Manager [7023] - The BtwSvc service terminated with the following error: The specified module could not be found. 4/19/2010 8:38:14 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory. 4/19/2010 8:38:14 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver. 4/19/2010 8:34:02 PM, error: Service Control Manager [7000] - The peresvc Service service failed to start due to the following error: The system cannot find the path specified. 4/15/2010 10:56:05 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. . 4/15/2010 10:56:05 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Canon\ZoomBrowser EX\Program\MFC80U.DLL. Reference error message: The operation completed successfully. . 4/15/2010 10:56:04 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system. ==== End Of File ===========================

This virus keeps coming back. I believe it was transferred via a USB memry stick, but I've fixed that problem. I can usuually tell if it's back because there's a rundull32 entry in the startup listing. The logfile is shown below: Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 4008 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 4/19/2010 8:52:53 PM mbam-log-2010-04-19 (20-52-53).txt Scan type: Quick scan Objects scanned: 114537 Time elapsed: 7 minute(s), 22 second(s) Memory Processes Infected: 2 Memory Modules Infected: 1 Registry Keys Infected: 3 Registry Values Infected: 16 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 11 Memory Processes Infected: C:\WINDOWS\system32\w.exe (Trojan.Sopiclick) -> Unloaded process successfully. C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Unloaded process successfully. Memory Modules Infected: C:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udpe (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\w.exe (Trojan.Sopiclick) -> Quarantined and deleted successfully. C:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc5.bin (Backdoor.Bot) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc6.bin (Trojan.Agent) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc7.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\opear.exe (Trojan.Sopiclick) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> Quarantined and deleted successfully. C:\WINDOWS\system32\4818644.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6M80MB9M\w[1].bin (Trojan.Sopiclick) -> Quarantined and deleted successfully. C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

This virus keeps coming back. I believe it was transferred via a USB memry stick, but I've fixed that problem. I can usuually tell if it's back because there's a rundull32 entry in the startup listing. The logfile is shown below: Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 4008 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 4/19/2010 8:52:53 PM mbam-log-2010-04-19 (20-52-53).txt Scan type: Quick scan Objects scanned: 114537 Time elapsed: 7 minute(s), 22 second(s) Memory Processes Infected: 2 Memory Modules Infected: 1 Registry Keys Infected: 3 Registry Values Infected: 16 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 11 Memory Processes Infected: C:\WINDOWS\system32\w.exe (Trojan.Sopiclick) -> Unloaded process successfully. C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Unloaded process successfully. Memory Modules Infected: C:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udpe (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\w.exe (Trojan.Sopiclick) -> Quarantined and deleted successfully. C:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc5.bin (Backdoor.Bot) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc6.bin (Trojan.Agent) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-824080227-2606140345-2805738407-1005\Dc7.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\opear.exe (Trojan.Sopiclick) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> Quarantined and deleted successfully. C:\WINDOWS\system32\4818644.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6M80MB9M\w[1].bin (Trojan.Sopiclick) -> Quarantined and deleted successfully. C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.