WiredWX Christian Hobby Weather Tools

Re: Help!! Serious malware attack (Cannot run except in safe mode)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-04 18:21:59
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uftdapob.sys
GMER Log:

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Now what??

--Scott

Re: Help!! Serious malware attack (Cannot run except in safe mode)

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Cf410]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot: Cf510]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Help!! Serious malware attack (Cannot run except in safe mode)

The log follows. However, I have been unable to figure out how to disable Norton AV 2006 while running in safe mode (it won't uninstall in the normal fashion). I don't see any obvious process running that appears to relate to it, so I am a bit stuck.

Here's the log:
ComboFix 10-02-04.05 - Administrator 02/04/2010 20:18:51.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1792 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000005_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-04 20:57 . 2010-02-04 20:57 -------- d-----w- C:\_OTL
2010-02-04 14:28 . 2010-02-04 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-02-04 00:19 . 2010-02-04 00:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-03 20:53 . 2010-02-03 20:53 -------- d-s---w- c:\documents and settings\Administrator\UserData
2010-02-03 03:16 . 2010-02-03 03:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thunderbird
2010-02-03 03:16 . 2010-02-03 03:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thunderbird
2010-02-02 18:41 . 2010-02-02 18:41 -------- d-----w- c:\documents and settings\James Bond\Local Settings\Application Data\Threat Expert
2010-02-02 17:46 . 2007-10-23 15:27 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2010-02-02 16:22 . 2008-05-02 16:41 3493888 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2010-02-02 05:41 . 2010-02-02 05:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-02-02 05:33 . 2010-02-02 05:33 -------- d-----w- c:\program files\ERUNT
2010-02-02 04:38 . 2010-02-02 04:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2010-02-02 04:38 . 2010-02-02 04:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-02 03:46 . 2009-11-10 16:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-02 03:46 . 2009-11-10 16:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-02 03:46 . 2009-11-10 16:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-02 03:46 . 2009-11-10 16:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-02-02 03:46 . 2009-10-28 07:36 1152444 ----a-w- c:\windows\UDB.zip
2010-02-02 03:46 . 2008-11-26 18:08 131 ----a-w- c:\windows\IDB.zip
2010-02-02 03:46 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-02 03:45 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-02 03:45 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-02 03:45 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-02 03:45 . 2010-02-02 05:04 -------- d-----w- c:\program files\Spyware Doctor
2010-02-02 03:45 . 2010-02-02 03:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-02 03:45 . 2010-02-02 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-02-02 03:45 . 2010-02-02 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-02-02 03:45 . 2010-02-04 19:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-02 03:40 . 2010-02-02 03:40 -------- d-----w- c:\documents and settings\James Bond\Application Data\Malwarebytes
2010-02-02 02:50 . 2010-02-02 02:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-02 02:50 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 02:50 . 2010-02-02 03:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-02 02:50 . 2010-02-02 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-02 02:50 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 02:49 . 2010-02-02 17:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-02-02 02:38 . 2004-08-04 10:00 9728 -c--a-w- c:\windows\system32\dllcache\rwnh.dll
2010-02-02 02:37 . 2004-08-04 10:00 92160 -c--a-w- c:\windows\system32\dllcache\evntwin.exe
2010-02-02 02:34 . 2004-08-04 10:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-02-02 02:24 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-02-02 02:24 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-02-02 02:24 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-02-02 02:24 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-02-02 00:13 . 2010-02-04 20:57 -------- d-----w- c:\documents and settings\James Bond\Local Settings\Application Data\ygjdbr
2010-02-01 20:15 . 2010-02-01 20:15 -------- d-----w- c:\windows\dell
2010-01-16 23:07 . 2010-01-16 23:07 -------- d-----w- c:\documents and settings\James Bond\Application Data\ZoomBrowser EX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 16:13 . 2008-06-18 14:34 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-04 16:12 . 2007-06-25 15:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-02 18:38 . 2007-06-25 16:07 -------- d-----w- c:\program files\Symantec
2010-02-02 18:38 . 2007-06-26 00:53 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-02 18:38 . 2007-06-26 00:53 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-02 18:38 . 2007-06-25 16:07 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-02 18:38 . 2007-06-25 16:07 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-02 18:25 . 2007-08-29 19:40 -------- d-----w- c:\program files\eMusic Download Manager
2010-02-02 18:19 . 2007-07-12 21:21 -------- d-----w- c:\program files\GIMP-2.0
2010-02-02 18:16 . 2007-06-01 17:19 -------- d-----w- c:\program files\ClamWin
2010-02-02 05:10 . 2007-01-03 19:53 97280 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-02 02:33 . 2004-08-11 22:12 23428 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-31 15:58 . 2009-05-17 12:52 3766 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-31 15:58 . 2009-05-17 12:52 3766 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-29 15:37 . 2009-07-17 16:35 1 ----a-w- c:\documents and settings\James Bond\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-29 08:23 . 2007-06-25 16:08 -------- d-----w- c:\program files\Norton Internet Security
2010-01-21 16:11 . 2008-01-03 15:48 -------- d-----w- c:\documents and settings\James Bond\Application Data\U3
2010-01-13 04:41 . 2009-07-02 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-01-11 20:30 . 2009-05-17 12:52 88 --sh--r- c:\documents and settings\All Users\Application Data\DB46FF29C7.sys
2010-01-11 20:30 . 2009-05-17 12:52 88 --sh--r- c:\documents and settings\All Users\Application Data\DB46FF29C7.sys
2009-12-27 18:16 . 2009-12-27 18:16 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-12-27 18:16 . 2009-12-27 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-12-27 18:07 . 2009-12-27 18:07 -------- d-----w- c:\documents and settings\James Bond\Application Data\ParetoLogic
2009-12-27 18:07 . 2009-12-27 18:07 -------- d-----w- c:\program files\ParetoLogic
2009-12-24 14:45 . 2008-02-19 20:13 -------- d-----w- c:\program files\RegCure
2006-09-18 00:14 . 2006-09-18 00:14 77824 ----a-w- c:\program files\lens Rev3.exe
2008-12-21 01:42 . 2007-05-29 19:37 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 01:42 . 2007-05-29 19:37 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 01:42 . 2007-05-29 19:37 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-21 01:42 . 2007-05-29 19:37 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 01:42 . 2007-05-29 19:37 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-06-03 15:50 . 2009-06-03 15:50 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-06-03 15:50 . 2009-06-03 15:50 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-06-03 15:50 . 2009-06-03 15:50 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-06-03 15:50 . 2009-06-03 15:50 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-06-23 53248]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-03 169984]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-05-26 257088]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-23 52840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-03-21 83232]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\James Bond\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-3 24576]
SonicWALL Global VPN Client.lnk - c:\program files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe [2008-9-25 1160464]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VectorWorks 12.5.1\\VectorWorks.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [9/25/2008 2:40 PM 101528]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [9/25/2008 2:39 PM 24876]
S2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 4:25 PM 65536]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/1/2010 3:48 PM 102448]
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 18:42]

2010-01-30 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - James Bond.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-02-05 17:13]

2010-02-01 c:\windows\Tasks\ParetoLogic Privacy Controls_{F6327A48-F313-11DE-87B7-006073E6610A}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2009-12-02 00:46]

2010-02-02 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-04 18:19]

2010-01-29 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-04 18:19]

2010-02-01 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-02-04 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-31 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070103
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u8pox49l.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ClamWin - c:\program files\ClamWin\bin\ClamTray.exe
AddRemove-VLC media player - c:\program files\VideoLAN\VLC\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 20:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-04 20:22:06
ComboFix-quarantined-files.txt 2010-02-05 02:22

Pre-Run: 22,542,876,672 bytes free
Post-Run: 22,605,959,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C70EBD49DFC18B564367289DEF457D9D

Re: Help!! Serious malware attack (Cannot run except in safe mode)

Hello:

Actually, I just managed to get rid of the Norton Anti-Virus. Here is a new ComboFix log.

Also, I believe that something is corrupted in the root of the HD, as chkdsk indicated a dirty drive.

Thanks.

ComboFix 10-02-04.06 - Administrator 02/04/2010 20:42:29.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1798 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-04 20:57 . 2010-02-04 20:57 -------- d-----w- C:\_OTL
2010-02-04 14:28 . 2010-02-04 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-02-04 00:19 . 2010-02-04 00:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-03 20:53 . 2010-02-03 20:53 -------- d-s---w- c:\documents and settings\Administrator\UserData
2010-02-03 03:16 . 2010-02-03 03:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thunderbird
2010-02-03 03:16 . 2010-02-03 03:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thunderbird
2010-02-02 18:41 . 2010-02-02 18:41 -------- d-----w- c:\documents and settings\James Bond\Local Settings\Application Data\Threat Expert
2010-02-02 17:46 . 2007-10-23 15:27 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2010-02-02 16:22 . 2008-05-02 16:41 3493888 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2010-02-02 05:41 . 2010-02-02 05:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-02-02 05:33 . 2010-02-02 05:33 -------- d-----w- c:\program files\ERUNT
2010-02-02 04:38 . 2010-02-02 04:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2010-02-02 04:38 . 2010-02-02 04:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-02 03:46 . 2009-11-10 16:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-02 03:46 . 2009-11-10 16:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-02 03:46 . 2009-11-10 16:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-02 03:46 . 2009-11-10 16:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-02-02 03:46 . 2009-10-28 07:36 1152444 ----a-w- c:\windows\UDB.zip
2010-02-02 03:46 . 2008-11-26 18:08 131 ----a-w- c:\windows\IDB.zip
2010-02-02 03:46 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-02 03:45 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-02 03:45 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-02 03:45 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-02 03:45 . 2010-02-02 05:04 -------- d-----w- c:\program files\Spyware Doctor
2010-02-02 03:45 . 2010-02-02 03:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-02 03:45 . 2010-02-02 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-02-02 03:45 . 2010-02-02 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-02-02 03:45 . 2010-02-04 19:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-02 03:40 . 2010-02-02 03:40 -------- d-----w- c:\documents and settings\James Bond\Application Data\Malwarebytes
2010-02-02 02:50 . 2010-02-02 02:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-02 02:50 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 02:50 . 2010-02-02 03:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-02 02:50 . 2010-02-02 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-02 02:50 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 02:49 . 2010-02-02 17:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-02-02 02:38 . 2004-08-04 10:00 9728 -c--a-w- c:\windows\system32\dllcache\rwnh.dll
2010-02-02 02:37 . 2004-08-04 10:00 92160 -c--a-w- c:\windows\system32\dllcache\evntwin.exe
2010-02-02 02:34 . 2004-08-04 10:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-02-02 02:24 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-02-02 02:24 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-02-02 02:24 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-02-02 02:24 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-02-02 00:13 . 2010-02-04 20:57 -------- d-----w- c:\documents and settings\James Bond\Local Settings\Application Data\ygjdbr
2010-02-01 20:15 . 2010-02-01 20:15 -------- d-----w- c:\windows\dell
2010-01-16 23:07 . 2010-01-16 23:07 -------- d-----w- c:\documents and settings\James Bond\Application Data\ZoomBrowser EX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 02:32 . 2007-06-25 15:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-05 02:32 . 2007-06-25 16:07 -------- d-----w- c:\program files\Symantec
2010-02-04 16:13 . 2008-06-18 14:34 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-02 18:25 . 2007-08-29 19:40 -------- d-----w- c:\program files\eMusic Download Manager
2010-02-02 18:19 . 2007-07-12 21:21 -------- d-----w- c:\program files\GIMP-2.0
2010-02-02 18:16 . 2007-06-01 17:19 -------- d-----w- c:\program files\ClamWin
2010-02-02 05:10 . 2007-01-03 19:53 97280 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-02 02:33 . 2004-08-11 22:12 23428 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-31 15:58 . 2009-05-17 12:52 3766 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-31 15:58 . 2009-05-17 12:52 3766 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-29 15:37 . 2009-07-17 16:35 1 ----a-w- c:\documents and settings\James Bond\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-21 16:11 . 2008-01-03 15:48 -------- d-----w- c:\documents and settings\James Bond\Application Data\U3
2010-01-13 04:41 . 2009-07-02 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-01-11 20:30 . 2009-05-17 12:52 88 --sh--r- c:\documents and settings\All Users\Application Data\DB46FF29C7.sys
2010-01-11 20:30 . 2009-05-17 12:52 88 --sh--r- c:\documents and settings\All Users\Application Data\DB46FF29C7.sys
2009-12-27 18:16 . 2009-12-27 18:16 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-12-27 18:16 . 2009-12-27 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-12-27 18:07 . 2009-12-27 18:07 -------- d-----w- c:\documents and settings\James Bond\Application Data\ParetoLogic
2009-12-27 18:07 . 2009-12-27 18:07 -------- d-----w- c:\program files\ParetoLogic
2009-12-24 14:45 . 2008-02-19 20:13 -------- d-----w- c:\program files\RegCure
2006-09-18 00:14 . 2006-09-18 00:14 77824 ----a-w- c:\program files\lens Rev3.exe
2008-12-21 01:42 . 2007-05-29 19:37 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 01:42 . 2007-05-29 19:37 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 01:42 . 2007-05-29 19:37 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-21 01:42 . 2007-05-29 19:37 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 01:42 . 2007-05-29 19:37 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-06-03 15:50 . 2009-06-03 15:50 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-06-03 15:50 . 2009-06-03 15:50 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-06-03 15:50 . 2009-06-03 15:50 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-06-03 15:50 . 2009-06-03 15:50 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SYMNRT"="c:\program files\Internet Explorer\IEXPLORE.EXE" [2004-08-04 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-06-23 53248]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-03 169984]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-05-26 257088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-03-21 83232]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\James Bond\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-3 24576]
SonicWALL Global VPN Client.lnk - c:\program files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe [2008-9-25 1160464]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VectorWorks 12.5.1\\VectorWorks.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [9/25/2008 2:40 PM 101528]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [9/25/2008 2:39 PM 24876]
S2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 4:25 PM 65536]
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 18:42]

2010-02-01 c:\windows\Tasks\ParetoLogic Privacy Controls_{F6327A48-F313-11DE-87B7-006073E6610A}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2009-12-02 00:46]

2010-02-02 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-04 18:19]

2010-01-29 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-04 18:19]

2010-02-01 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-02-05 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-31 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070103
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u8pox49l.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 20:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-04 20:46:48
ComboFix-quarantined-files.txt 2010-02-05 02:46
ComboFix2.txt 2010-02-05 02:22

Pre-Run: 24,369,729,536 bytes free
Post-Run: 24,354,553,856 bytes free

- - End Of File - - 1A1396B27A81EB6DD56F87247F657E81

Re: Help!! Serious malware attack (Cannot run except in safe mode)

Did chkdsk find a bad sector on the HD?


Re: Help!! Serious malware attack (Cannot run except in safe mode)

I don't recall it reporting a bad sector, it just said the drive was dirty.

I will try and run another test on Monday.

Thanks much.
