Sinowal.Trojan removal help

I'm not quite sure why that's happening, must be something buried somewhere.

• Download combofix from here, use the top links - combofix.exe
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

After combofix runs for awhile and reboot I get the following error message:

"Cannot export RegRuns00: Error opening the file. There may be a disk or file system error."

The ComboFix error reads as follows:

"Preparing Log Report.
Do not run any programs until ComboFix has finished
Access is denied."

I mistyped - Should have been "The ComboFix WINDOW" not "The ComboFix error"

See if there is a report here:
C:\combofix\combofix.txt

Norton Script blocking may have denied it.

Here's the ComboFix.txt file:
----------------


ComboFix 08-12-04.04 - Kevin 2008-12-04 20:30:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1581 [GMT -5:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\documents\setup.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 20:01 . 2008-12-04 20:02 d-------- C:\rsit
2008-12-04 19:11 . 2008-12-04 19:11 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-04 19:11 . 2008-12-04 19:11 d-------- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
2008-12-04 19:11 . 2008-12-04 19:11 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-04 19:11 . 2008-12-03 19:52 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-12-04 19:11 . 2008-12-03 19:52 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-12-04 18:57 . 2008-12-04 18:57 d-------- C:\Program Files\Trend Micro
2008-12-04 17:47 . 2008-12-04 17:47 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-12-04 17:46 . 2008-12-04 17:46 d-------- C:\Program Files\Symantec
2008-12-04 17:46 . 2008-12-04 17:48 d-------- C:\Program Files\Common Files\Symantec Shared
2008-12-04 17:46 . 2008-12-04 17:46 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-12-04 17:46 . 2008-12-04 17:46 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-12-04 17:46 . 2008-12-04 17:46 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-12-04 17:46 . 2008-12-04 17:46 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-12-04 17:45 . 2008-12-04 17:45 d-------- C:\WINDOWS\system32\drivers\NAV
2008-12-04 17:45 . 2008-12-04 17:45 d-------- C:\Program Files\Windows Sidebar
2008-12-04 17:45 . 2008-12-04 17:45 d-------- C:\Program Files\NortonInstaller
2008-12-04 17:45 . 2008-12-04 17:45 d-------- C:\Program Files\Norton AntiVirus
2008-12-04 17:45 . 2008-12-04 17:45 d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-12-04 17:45 . 2008-12-04 17:45 d-------- C:\Documents and Settings\All Users\Application Data\Norton
2008-12-04 17:35 . 2008-12-04 17:35 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-11-25 22:17 . 2008-11-25 22:17 d-------- C:\Program Files\PeaZip
2008-11-25 22:17 . 2008-11-25 22:17 d-------- C:\Documents and Settings\Kevin\Application Data\PeaZip
2008-11-24 22:04 . 2008-11-25 22:18 d-------- C:\Program Files\Audacity
2008-11-22 16:18 . 2008-11-22 16:18 d-------- C:\Program Files\iTunes
2008-11-22 16:18 . 2008-11-22 16:18 d-------- C:\Program Files\iPod
2008-11-22 16:18 . 2008-11-22 16:18 d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 16:16 . 2008-11-22 16:17 d-------- C:\Program Files\QuickTime
2008-11-18 19:38 . 2008-11-18 19:38 d-------- C:\Program Files\7-Zip
2008-11-12 15:49 . 2008-09-04 12:15 1,106,944 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-11-12 15:49 . 2008-10-24 06:21 455,296 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-11-11 22:20 . 2008-11-11 22:20 d-------- C:\Documents and Settings\Kevin\Application Data\Sony Corporation
2008-11-05 21:28 . 2008-11-05 21:28 d-------- C:\Program Files\Sony

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 21:28 --------- d-----w C:\Program Files\Orb Networks
2008-12-04 01:02 --------- d-----w C:\Documents and Settings\Kevin\Application Data\uTorrent
2008-11-26 03:43 --------- d-----w C:\Program Files\Burn4Free
2008-11-22 21:18 --------- d-----w C:\Program Files\Common Files\Apple
2008-11-06 02:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-10-18 14:55 --------- d-----w C:\Program Files\Opera
2008-10-14 20:02 --------- d-----w C:\Documents and Settings\Kevin\Application Data\GlarySoft
2008-10-14 19:50 --------- d-----w C:\Program Files\Glary Utilities
2008-10-05 02:09 --------- d-----w C:\Program Files\Firaxis Games
2008-10-05 02:08 --------- d-----w C:\Program Files\MagicDisc
2008-10-05 02:06 --------- d-----w C:\Program Files\MagicISO
2002-07-26 21:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"vidxhp"="C:\Documents and Settings\Kevin\Application Data\Google\ggqjh22510678.exe" [2008-12-04 16:08 124416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 20:13 87584]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2006-04-12 14:15 1261475]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 03:27 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 23:43 7630848]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2005-12-21 09:14 73728]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 19:12 111936]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-11-04 10:30 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-11-20 13:20 290088]
"nwiz"="nwiz.exe" [2006-08-11 23:43 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-11-05 21:28:38 385024]

Okay, we may have found the answer.
Disable Norton script blocking for this.

Now open a new notepad file.
Input this into the notepad file:

File::
C:\Documents and Settings\Kevin\Application Data\Google\ggqjh22510678.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vidxhp"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

How do I disable Norton script blocking for Norton AntiVirus 2009?

See here:
http://service1.symantec.com/SUPPORT/nav.nsf/pfdocs/2001082912274906

Then run the CFScript.

That appears to be for an older version of AntiVirus as my version isn't like that. I've just turned off AutoProtect - shouldn't that do the job?

Actually yes it should.
Even if the report isn't made, it should still delete the file.
The report making is later on in the process.

Ok - it ran smoothly through the entire process this time. Here's the log.txt (PART I)
----------------------------------

ComboFix 08-12-04.04 - Kevin 2008-12-04 21:01:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1619 [GMT -5:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kevin\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Kevin\Application Data\Google\ggqjh22510678.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kevin\Application Data\Google\ggqjh22510678.exe
.
---- Previous Run -------
.
c:\documents and settings\All Users\documents\setup.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 20:01 . 2008-12-04 20:02 d-------- C:\rsit
2008-12-04 19:11 . 2008-12-04 19:11 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 19:11 . 2008-12-04 19:11 d-------- c:\documents and settings\Kevin\Application Data\Malwarebytes
2008-12-04 19:11 . 2008-12-04 19:11 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 19:11 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 19:11 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 18:57 . 2008-12-04 18:57 d-------- c:\program files\Trend Micro
2008-12-04 17:47 . 2008-12-04 17:47 d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-04 17:46 . 2008-12-04 17:46 d-------- c:\program files\Symantec
2008-12-04 17:46 . 2008-12-04 17:48 d-------- c:\program files\Common Files\Symantec Shared
2008-12-04 17:46 . 2008-12-04 17:46 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-04 17:46 . 2008-12-04 17:46 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-04 17:46 . 2008-12-04 17:46 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-04 17:46 . 2008-12-04 17:46 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-04 17:46 . 2008-12-04 17:46 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-04 17:45 . 2008-12-04 17:45 d-------- c:\windows\system32\drivers\NAV
2008-12-04 17:45 . 2008-12-04 17:45 d-------- c:\program files\Windows Sidebar
2008-12-04 17:45 . 2008-12-04 17:45 d-------- c:\program files\NortonInstaller
2008-12-04 17:45 . 2008-12-04 17:45 d-------- c:\program files\Norton AntiVirus
2008-12-04 17:45 . 2008-12-04 17:45 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-04 17:45 . 2008-12-04 17:45 d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-04 17:35 . 2008-12-04 17:35 d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-25 22:17 . 2008-11-25 22:17 d-------- c:\program files\PeaZip
2008-11-25 22:17 . 2008-11-25 22:17 d-------- c:\documents and settings\Kevin\Application Data\PeaZip
2008-11-24 22:04 . 2008-11-25 22:18 d-------- c:\program files\Audacity
2008-11-22 16:18 . 2008-11-22 16:18 d-------- c:\program files\iTunes
2008-11-22 16:18 . 2008-11-22 16:18 d-------- c:\program files\iPod
2008-11-22 16:18 . 2008-11-22 16:18 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 16:16 . 2008-11-22 16:17 d-------- c:\program files\QuickTime
2008-11-18 19:38 . 2008-11-18 19:38 d-------- c:\program files\7-Zip
2008-11-12 15:49 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 15:49 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 22:20 . 2008-11-11 22:20 d-------- c:\documents and settings\Kevin\Application Data\Sony Corporation
2008-11-05 21:28 . 2008-11-05 21:28 d-------- c:\program files\Sony
2008-11-05 21:28 . 2006-11-02 16:57 118,520 --a------ c:\windows\system32\PxInsI64.exe
2008-11-05 21:28 . 2006-10-18 19:43 115,960 --a------ c:\windows\system32\PxCpyI64.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 21:28 --------- d-----w c:\program files\Orb Networks
2008-12-04 01:02 --------- d-----w c:\documents and settings\Kevin\Application Data\uTorrent
2008-11-26 03:43 --------- d-----w c:\program files\Burn4Free
2008-11-22 21:18 --------- d-----w c:\program files\Common Files\Apple
2008-11-06 02:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 14:55 --------- d-----w c:\program files\Opera
2008-10-14 20:02 --------- d-----w c:\documents and settings\Kevin\Application Data\GlarySoft
2008-10-14 19:50 --------- d-----w c:\program files\Glary Utilities
2008-10-05 02:09 --------- d-----w c:\program files\Firaxis Games
2008-10-05 02:08 --------- d-----w c:\program files\MagicDisc
2008-10-05 02:06 --------- d-----w c:\program files\MagicISO
2002-07-26 21:02 153,088 ----a-w c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-12-04_20.36.04.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-05 00:56:59 63,470 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-05 01:54:20 63,470 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-05 00:56:59 405,888 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-05 01:54:20 405,888 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-05 02:04:53 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_360.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2006-04-12 1261475]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2005-12-21 73728]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2006-08-11 c:\windows\system32\nwiz.exe]

c:\documents and settings\Kevin\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-11-05 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Kevin\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VortexTray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2006-10-16 20:17 1941784 c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-08-25 11:52 339968 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-08-11 23:43 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
--------- 2003-11-10 15:06 406016 c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
--a------ 2007-05-02 13:13 373760 c:\program files\TiVo\Desktop\TiVoNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
--a------ 2007-05-02 13:14 1463296 c:\program files\TiVo\Desktop\TiVoServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
--a------ 2007-05-02 13:12 1193472 c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2006-10-16 20:12 1164912 c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
--a------ 2006-01-23 14:42 196608 c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

PART II
-------------



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Kevin\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-04 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-04 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-04 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-04 274808]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 TivoBeacon2;TiVo Beacon;"c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service [2007-05-02 865280]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-04 99376]
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [2007-05-10 747392]
S0 Cdr4vsd;Cdr4vsd;c:\windows\system32\drivers\Cdr4vsd.sys [2008-08-28 72032]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-05 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-09-17 15:35]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Orb - c:\program files\Orb Networks\Orb\bin\OrbTray.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {A26CC323-56B8-4F95-BCB4-7C3CE96C4967} = 68.87.73.242,68.87.71.226
FireFox -: Profile - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\i95qgolv.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.yahoo.com
FF -: plugin - c:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npImgCtl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npwbe.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 21:04:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1148)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-04 21:06:56 - machine was rebooted [Kevin]
ComboFix-quarantined-files.txt 2008-12-05 02:06:53

Pre-Run: 210,411,073,536 bytes free
Post-Run: 210,399,924,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
;timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

243 --- E O F --- 2008-11-13 04:29:25

Good news - no blocking message from the Windows Firewall. Is it fixed?

I suspect so. The last piece of malware was hidden from RSIT, but combofix could see it, so that took it out.

I'm heading to bed now, so i'm gonna leave some stuff for you to do and read.
First-
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

• Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  
• Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  
• Click the "Download" button to the right.
  
• In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  
• Click on the link to download Windows Offline Installation and save to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  - Examples of older versions in Add or Remove Programs:
  - Java 2 Runtime Environment, SE v1.4.2
  - J2SE Runtime Environment 5.0
  - J2SE Runtime Environment 5.0 Update 2
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
  

Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

• First, unzip it.
  
• Then run JavaRa.
  
• Select English from the drop down menu and press Select.
  
• This will open JavaRa.
  
• Press Remove older versions
  
• Press yes to the prompt.
  
• It will make a log file of what it's removed, but I don't need to see it.
  

More in next post.

Hello.
We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.


Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

Thanks so much for the help. I definitely appreciate it!

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.