I think my computer is infected with Bankerfox.A/Nuqel.E

This morning "Spyware protect 2009" kept popping up on my screen, a new icon on my desktop titled "details" appeared, and every time I tried to get rid of the Spyware protect it would pop up again with a warning for either bankerfox.a or nuqel.e saying that my computer was at risk. This isn't a program I installed so I went to task manager and disabled spyware protect. I scanned the details file with avg and it said it was infected so I deleted it. I restarted my computer and tried to start xp in safe mode. It kept stopping at \mup.sys. I didn't have time to take care of it earlier so I just shut off the computer. Could someone help me please?

Sure.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run
  
• When complete, DDS.txt will open.
  
• Save the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

DDS (Ver_09-03-16.01) - NTFSx86
Run by Brandie at 22:22:50.76 on Fri 04/03/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.74 [GMT -5:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated)
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Brandie.SIRSTEVE\Local Settings\Temporary Internet Files\Content.IE5\WHQZW1A3\dds[1].pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] c:\program files\norton internet security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [SSC_UserPrompt] "c:\program files\common files\symantec shared\security center\UsrPrmpt.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [PININST] c:\system.sav\util\pininst.exe c:\system.sav\util\PININST.INI
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-3 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-3 55640]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20051127.005\NAVENG.Sys [2006-4-12 77816]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20051127.005\NavEx15.Sys [2006-4-12 750424]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]

=============== Created Last 30 ================

2009-04-03 21:03 a-dshr-- C:\cmdcons
2009-04-03 21:01 161,792 a------- c:\windows\SWREG.exe
2009-04-03 21:01 98,816 a------- c:\windows\sed.exe
2009-04-03 20:59 73,728 a------- C:\pv.exe
2009-04-03 18:46 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-03 18:46 --d----- c:\program files\Avira
2009-04-03 18:46 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-03 17:38 --d----- c:\windows\system32\SoftwareDistribution
2009-04-03 17:38 --ds---- c:\documents and settings\brandie.sirsteve\UserData
2009-04-03 13:35 --d----- c:\docume~1\brandi~1.sir\applic~1\Symantec
2009-04-03 13:32 --d----- c:\docume~1\brandi~1.sir\applic~1\Intuit
2009-04-03 13:32 --d----- c:\documents and settings\Brandie.SIRSTEVE
2009-04-03 13:27 185,344 a------- c:\windows\system32\Thawbrkr.dll
2009-04-03 13:27 66,594 a------- c:\windows\system32\c_864.nls
2009-04-03 13:27 66,594 a------- c:\windows\system32\c_862.nls
2009-04-03 13:27 66,594 a------- c:\windows\system32\c_720.nls
2009-04-03 13:27 66,082 a------- c:\windows\system32\c_708.nls
2009-04-03 13:27 66,082 a------- c:\windows\system32\C_28596.NLS
2009-04-03 13:27 66,082 a------- c:\windows\system32\c_10005.nls
2009-04-03 13:27 66,082 a------- c:\windows\system32\c_10004.nls
2009-04-03 13:27 10,752 a------- c:\windows\system32\c_iscii.dll
2009-04-03 13:27 5,632 a------- c:\windows\system32\kbdusa.dll
2009-04-03 13:27 66,082 a------- c:\windows\system32\c_10021.nls
2009-04-03 13:27 6,144 a------- c:\windows\system32\ftlx041e.dll
2009-03-05 16:00 --d----- c:\program files\Bonjour

==================== Find3M ====================

2006-11-27 01:47 0 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 22:23:32.50 ===============

Hello.

You are running two AV's, this is a bad idea as they can conflict and cause problems. I see Norton and Avira.
I would recommend that you remove Avira to avoid conflict and other future problems, it's outdated and disabled anyway.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

• Avira AntiVira Personal
  

• Download combofix from here
  Link 1
  Link 2
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV. (Norton Internet Security in the second post)
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

ComboFix 09-04-04.01 - Brandie 2009-04-04 18:14:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.146 [GMT -5:00]
Running from: c:\documents and settings\Brandie.SIRSTEVE\Desktop\Combo-Fix.exe
AV: Norton Internet Security 2006 *On-access scanning disabled* (Updated)
FW: Norton Internet Security 2006 *enabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-04-04 17:34 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-04-04 17:34 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-04-04 17:34 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-04-04 02:53 . 2009-04-04 02:53 d-------- c:\windows\system32\LogFiles
2009-04-03 23:34 . 2005-12-07 10:35 47,104 --a------ c:\windows\system32\WACntlPnl.cpl
2009-04-03 23:11 . 2009-04-03 23:11 d-------- C:\f939414751195ab8d437
2009-04-03 23:07 . 2009-04-03 23:07 d-------- c:\documents and settings\Brandie.SIRSTEVE\Application Data\acccore
2009-04-03 22:39 . 2009-04-04 17:45 d-------- c:\documents and settings\Brandie.SIRSTEVE\Tracing
2009-04-03 22:38 . 2009-04-03 22:38 d-------- c:\program files\Windows Live SkyDrive
2009-04-03 22:38 . 2009-04-03 22:38 d-------- c:\program files\Microsoft
2009-04-03 22:33 . 2009-04-03 22:33 d-------- c:\program files\Common Files\Windows Live
2009-04-03 18:46 . 2009-04-03 18:46 d-------- c:\program files\Avira
2009-04-03 18:46 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-04-03 17:38 . 2009-04-03 17:38 d---s---- c:\documents and settings\Brandie.SIRSTEVE\UserData
2009-04-03 13:35 . 2009-04-03 13:35 d-------- c:\documents and settings\Brandie.SIRSTEVE\Application Data\Symantec
2009-04-03 13:32 . 2008-07-20 04:09 d-------- c:\documents and settings\Brandie.SIRSTEVE\Application Data\Intuit
2009-04-03 13:32 . 2009-04-03 22:39 d-------- c:\documents and settings\Brandie.SIRSTEVE
2009-04-03 13:27 . 2004-08-04 08:00 185,344 --a------ c:\windows\system32\Thawbrkr.dll
2009-04-03 13:27 . 2004-08-04 08:00 66,594 --a------ c:\windows\system32\c_864.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,594 --a------ c:\windows\system32\c_862.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,594 --a------ c:\windows\system32\c_720.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,082 --a------ c:\windows\system32\c_708.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,082 --a------ c:\windows\system32\C_28596.NLS
2009-04-03 13:27 . 2004-08-04 08:00 66,082 --a------ c:\windows\system32\c_10021.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,082 --a------ c:\windows\system32\c_10005.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,082 --a------ c:\windows\system32\c_10004.nls
2009-04-03 13:27 . 2004-08-04 08:00 10,752 --a------ c:\windows\system32\c_iscii.dll
2009-04-03 13:27 . 2004-08-04 08:00 6,144 --a------ c:\windows\system32\ftlx041e.dll
2009-04-03 13:27 . 2004-08-04 08:00 5,632 --a------ c:\windows\system32\kbdusa.dll
2009-03-14 21:04 . 2009-03-14 21:04 d-------- c:\documents and settings\Alyssa\Application Data\Apple Computer
2009-03-08 14:09 . 2009-03-08 14:09 391,536 --a------ c:\windows\system32\SETCB.tmp
2009-03-08 04:41 . 2009-03-08 04:41 5,937,152 --a------ c:\windows\system32\SETE0.tmp
2009-03-08 04:35 . 2009-03-08 04:35 385,024 --a------ c:\windows\system32\SETC1.tmp
2009-03-08 04:34 . 2009-03-08 04:34 1,469,440 --a------ c:\windows\system32\SETD6.tmp
2009-03-08 04:34 . 2009-03-08 04:34 1,206,784 --a------ c:\windows\system32\SETEF.tmp
2009-03-08 04:34 . 2009-03-08 04:34 914,944 --a------ c:\windows\system32\SETF3.tmp
2009-03-08 04:34 . 2009-03-08 04:34 236,544 --a------ c:\windows\system32\SETF1.tmp
2009-03-08 04:34 . 2009-03-08 04:34 193,536 --a------ c:\windows\system32\SETE5.tmp
2009-03-08 04:34 . 2009-03-08 04:34 109,568 --a------ c:\windows\system32\SETE8.tmp
2009-03-08 04:34 . 2009-03-08 04:34 105,984 --a------ c:\windows\system32\SETEE.tmp
2009-03-08 04:34 . 2009-03-08 04:34 43,008 --a------ c:\windows\system32\SETDA.tmp
2009-03-08 04:33 . 2009-03-08 04:33 726,528 --a------ c:\windows\system32\SETD8.tmp
2009-03-08 04:33 . 2009-03-08 04:33 420,352 --a------ c:\windows\system32\SETF0.tmp
2009-03-08 04:33 . 2009-03-08 04:33 229,376 --a------ c:\windows\system32\SETC7.tmp
2009-03-08 04:33 . 2009-03-08 04:33 125,952 --a------ c:\windows\system32\SETC6.tmp
2009-03-08 04:33 . 2009-03-08 04:33 25,600 --a------ c:\windows\system32\SETD9.tmp
2009-03-08 04:33 . 2009-03-08 04:33 18,944 --a------ c:\windows\system32\SETBE.tmp
2009-03-08 04:32 . 2009-03-08 04:32 611,840 --a------ c:\windows\system32\SETE7.tmp
2009-03-08 04:32 . 2009-03-08 04:32 173,056 --a------ c:\windows\system32\SETC3.tmp
2009-03-08 04:32 . 2009-03-08 04:32 163,840 --a------ c:\windows\system32\SETC8.tmp
2009-03-08 04:32 . 2009-03-08 04:32 128,512 --a------ c:\windows\system32\SETBB.tmp
2009-03-08 04:32 . 2009-03-08 04:32 94,720 --a------ c:\windows\system32\SETD7.tmp
2009-03-08 04:32 . 2009-03-08 04:32 72,704 --a------ c:\windows\system32\SETBA.tmp
2009-03-08 04:32 . 2009-03-08 04:32 71,680 --a------ c:\windows\system32\SETD2.tmp
2009-03-08 04:32 . 2009-03-08 04:32 55,808 --a------ c:\windows\system32\SETD0.tmp
2009-03-08 04:31 . 2009-03-08 04:31 1,638,912 --a------ c:\windows\system32\SETE1.tmp
2009-03-08 04:31 . 2009-03-08 04:31 348,160 --a------ c:\windows\system32\SETBF.tmp
2009-03-08 04:31 . 2009-03-08 04:31 216,064 --a------ c:\windows\system32\SETC0.tmp
2009-03-08 04:31 . 2009-03-08 04:31 183,808 --a------ c:\windows\system32\SETCF.tmp
2009-03-08 04:31 . 2009-03-08 04:31 66,560 --a------ c:\windows\system32\SETE2.tmp
2009-03-08 04:31 . 2009-03-08 04:31 48,128 --a------ c:\windows\system32\SETE3.tmp
2009-03-08 04:31 . 2009-03-08 04:31 46,592 --a------ c:\windows\system32\SETE9.tmp
2009-03-08 04:31 . 2009-03-08 04:31 45,568 --a------ c:\windows\system32\SETDE.tmp
2009-03-08 04:31 . 2009-03-08 04:31 34,816 --a------ c:\windows\system32\SETD5.tmp
2009-03-08 04:30 . 2009-03-08 04:30 66,560 --a------ c:\windows\system32\SETEC.tmp
2009-03-08 04:22 . 2009-03-08 04:22 156,160 --a------ c:\windows\system32\SETE4.tmp
2009-03-08 04:15 . 2009-03-08 04:15 57,667 --a------ c:\windows\system32\SETD4.tmp
2009-03-05 16:00 . 2009-03-05 16:00 d-------- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 23:16 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-04 05:26 --------- d-----w c:\program files\Norton Internet Security
2009-04-04 04:40 --------- d-----w c:\program files\Symantec
2009-04-04 03:38 --------- d-----w c:\program files\Windows Live
2009-04-04 00:41 --------- d-----w c:\program files\Quickensetup
2009-04-04 00:41 --------- d-----w c:\program files\Quicken
2009-04-04 00:39 --------- d-----w c:\program files\Netscape
2009-04-04 00:38 --------- d-----w c:\program files\muvee Technologies
2009-04-04 00:38 --------- d-----w c:\program files\music_now
2009-04-04 00:38 --------- d-----w c:\program files\MSN Encarta Plus
2009-04-04 00:38 --------- d-----w c:\program files\Microsoft Works
2009-04-04 00:38 --------- d-----w c:\program files\Microsoft Office Trial Wizard
2009-04-04 00:38 --------- d-----w c:\program files\Microsoft Money 2006
2009-04-04 00:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 00:36 --------- d-----w c:\program files\HP Rhapsody
2009-04-04 00:34 --------- d-----w c:\program files\Google
2009-04-04 00:34 --------- d-----w c:\program files\Common Files\SureThing Shared
2009-04-04 00:34 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-04-04 00:34 --------- d-----w c:\program files\Common Files\Palo Alto Software
2009-04-04 00:34 --------- d-----w c:\program files\Common Files\muvee Technologies
2009-04-04 00:33 --------- d-----w c:\program files\Common Files\LightScribe
2009-04-04 00:33 --------- d-----w c:\program files\Common Files\Intuit
2009-04-04 00:33 --------- d-----w c:\program files\Common Files\HP
2009-04-04 00:29 --------- d-----w c:\documents and settings\Owner\Application Data\Symantec
2009-04-04 00:29 --------- d-----w c:\documents and settings\Owner\Application Data\Intuit
2009-04-04 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-04 00:28 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-04-03 18:25 --------- d-----w c:\program files\HPQ
2009-04-03 09:33 --------- d-----w c:\program files\Pando Networks
2009-04-03 09:32 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-03 09:31 --------- d-----w c:\program files\Viewpoint
2009-02-21 06:21 529,818 ----a-w c:\windows\Help\SET9A.tmp
2009-02-06 23:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-05 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-12 02:05 13,874 ----a-w c:\windows\Help\SET99.tmp
2009-01-12 02:05 12,593 ----a-w c:\windows\Help\SET98.tmp
2009-01-07 23:21 26,144 ----a-w c:\windows\system32\spupdsvc.exe
2009-01-07 23:20 85,548 ------w c:\windows\Media\SETB8.tmp
2009-01-07 23:20 54,279 ------w c:\windows\Help\SET97.tmp
2009-01-07 23:20 474,112 ----a-w c:\windows\system32\SETEB.tmp
2009-01-07 23:20 265,720 ----a-w c:\windows\system32\msdbg2.dll
2009-01-07 23:20 26,112 ----a-w c:\windows\system32\idndl.dll
2009-01-07 23:20 24,576 ----a-w c:\windows\system32\nlsdl.dll
2009-01-07 23:20 23,552 ----a-w c:\windows\system32\normaliz.dll
2009-01-07 23:20 23,308 ------w c:\windows\Media\SETB6.tmp
2009-01-07 23:20 19,884 ------w c:\windows\Media\SETB5.tmp
2009-01-07 23:20 11,340 ------w c:\windows\Media\SETB7.tmp
2009-01-07 23:20 1,497,088 ----a-w c:\windows\system32\SETEA.tmp
2009-01-07 23:20 1,022,976 ----a-w c:\windows\system32\SETBD.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-03_21.07.22.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-05-25 14:29:04 213,216 -c----w c:\windows\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe
+ 2006-05-25 15:29:04 213,216 -c----w c:\windows\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe
- 2006-05-25 14:29:04 371,424 -c----w c:\windows\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\updspapi.dll
+ 2006-05-25 15:29:04 371,424 -c----w c:\windows\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\updspapi.dll
- 2006-05-24 16:32:48 213,216 -c----w c:\windows\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe
+ 2006-05-24 17:32:48 213,216 -c----w c:\windows\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe
- 2006-05-24 16:32:48 371,424 -c----w c:\windows\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\updspapi.dll
+ 2006-05-24 17:32:48 371,424 -c----w c:\windows\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\updspapi.dll
+ 2005-10-12 23:12:25 22,752 -c----w c:\windows\$NtUninstallKB904942$\spcustom.dll
+ 2005-10-12 23:12:25 14,048 -c----w c:\windows\$NtUninstallKB904942$\spmsg.dll
+ 2005-10-12 23:12:26 213,216 -c----w c:\windows\$NtUninstallKB904942$\spuninst.exe
+ 2005-10-12 23:12:29 716,000 -c----w c:\windows\$NtUninstallKB904942$\update.exe
+ 2005-10-12 23:12:34 371,424 -c----w c:\windows\$NtUninstallKB904942$\updspapi.dll
+ 2006-02-08 00:29:48 16,384 -c----w c:\windows\$NtUninstallKB914440$\xpsp3res.dll
+ 2005-10-12 23:12:25 22,752 -c----w c:\windows\$NtUninstallKB915865$\spcustom.dll
+ 2005-10-12 23:12:25 14,048 -c----w c:\windows\$NtUninstallKB915865$\spmsg.dll
+ 2005-10-12 23:12:26 213,216 -c----w c:\windows\$NtUninstallKB915865$\spuninst.exe
+ 2005-10-12 23:12:28 716,000 -c----w c:\windows\$NtUninstallKB915865$\update.exe
+ 2005-10-12 23:12:33 371,424 -c----w c:\windows\$NtUninstallKB915865$\updspapi.dll
+ 2009-02-02 23:07:40 1,914,440 ----a-w c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe

+ 2004-08-04 08:00:00 61,440 -c----w c:\windows\ie8\admparse.dll
+ 2004-08-04 08:00:00 99,840 -c----w c:\windows\ie8\advpack.dll
+ 2006-01-09 18:08:38 1,022,976 -c----w c:\windows\ie8\browseui.dll
+ 2004-08-04 08:00:00 35,328 -c----w c:\windows\ie8\corpol.dll
+ 2004-08-04 08:00:00 357,888 -c----w c:\windows\ie8\dxtmsft.dll
+ 2006-01-09 18:08:38 205,312 -c----w c:\windows\ie8\dxtrans.dll
+ 2004-08-04 08:00:00 38,912 -c----w c:\windows\ie8\hmmapi.dll
+ 2004-08-04 08:00:00 34,304 -c----w c:\windows\ie8\ie4uinit.exe
+ 2004-08-04 08:00:00 139,264 -c----w c:\windows\ie8\ieakeng.dll
+ 2004-08-04 08:00:00 216,576 -c----w c:\windows\ie8\ieaksie.dll
+ 2004-08-04 08:00:00 221,184 -c----w c:\windows\ie8\ieakui.dll
+ 2004-08-04 08:00:00 323,584 -c----w c:\windows\ie8\iedkcs32.dll
+ 2004-08-04 08:00:00 81,920 -c----w c:\windows\ie8\ieencode.dll
+ 2006-01-09 18:08:38 251,392 -c----w c:\windows\ie8\iepeers.dll
+ 2007-08-13 22:54:10 287,744 -c----w c:\windows\ie8\ieproxy.dll
+ 2004-08-04 08:00:00 48,640 -c----w c:\windows\ie8\iernonce.dll
+ 2004-08-04 08:00:00 62,976 -c----w c:\windows\ie8\iesetup.dll
+ 2004-08-04 08:00:00 93,184 -c----w c:\windows\ie8\iexplore.exe
+ 2004-08-04 08:00:00 35,840 -c----w c:\windows\ie8\imgutil.dll
+ 2006-01-09 18:08:38 96,256 -c----w c:\windows\ie8\inseng.dll
+ 2004-08-04 08:00:00 450,560 -c----w c:\windows\ie8\jscript.dll
+ 2004-08-04 08:00:00 15,872 -c----w c:\windows\ie8\jsproxy.dll
+ 2004-08-04 08:00:00 22,016 -c----w c:\windows\ie8\licmgr10.dll
+ 2004-08-04 08:00:00 29,184 -c----w c:\windows\ie8\mshta.exe
+ 2006-02-01 01:59:04 3,070,464 -c----w c:\windows\ie8\mshtml.dll
+ 2006-01-09 18:08:40 448,512 -c----w c:\windows\ie8\mshtmled.dll
+ 2004-08-04 08:00:00 56,832 -c----w c:\windows\ie8\mshtmler.dll
+ 2004-08-04 08:00:00 146,432 -c----w c:\windows\ie8\msls31.dll
+ 2006-01-09 18:08:40 146,432 -c----w c:\windows\ie8\msrating.dll
+ 2006-01-09 18:08:40 530,944 -c----w c:\windows\ie8\mstime.dll
+ 2004-08-04 08:00:00 96,256 -c----w c:\windows\ie8\occache.dll
+ 2006-01-09 18:08:40 39,424 -c----w c:\windows\ie8\pngfilt.dll
+ 2006-01-09 18:08:41 1,492,480 -c----w c:\windows\ie8\shdocvw.dll
+ 2006-01-09 18:08:41 474,112 -c----w c:\windows\ie8\shlwapi.dll
+ 2006-09-06 21:43:16 213,216 -c----w c:\windows\ie8\spuninst.exe
+ 2009-03-08 19:23:50 58,464 -c----w c:\windows\ie8\spuninst\iecustom.dll
+ 2009-01-07 23:20:58 231,456 -c----w c:\windows\ie8\spuninst\spuninst.exe
+ 2009-01-07 23:21:02 382,496 -c----w c:\windows\ie8\spuninst\updspapi.dll
+ 2004-08-04 08:00:00 37,888 -c----w c:\windows\ie8\url.dll
+ 2006-01-09 18:08:41 612,352 -c----w c:\windows\ie8\urlmon.dll
+ 2004-08-04 08:00:00 417,792 -c----w c:\windows\ie8\vbscript.dll
+ 2004-08-04 08:00:00 848,384 -c----w c:\windows\ie8\vgx.dll
+ 2004-08-04 08:00:00 276,480 -c----w c:\windows\ie8\webcheck.dll
+ 2006-01-09 18:08:41 658,432 -c----w c:\windows\ie8\wininet.dll
+ 2009-04-04 03:39:20 80,395 ----a-r c:\windows\Installer\{0AAA9C97-74D4-47CE-B089-0B147EF3553C}\MsblIco.Exe
+ 2009-04-04 03:38:27 62,304 ----a-r c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
- 2005-09-09 21:21:51 466,944 ----a-w c:\windows\system32\capicom.dll
+ 2006-07-25 23:03:42 466,944 ----a-w c:\windows\system32\capicom.dll
- 2004-08-11 08:45:04 28,672 ----a-w c:\windows\system32\dllcache\custsat.dll
+ 2006-06-03 11:40:49 33,792 ----a-w c:\windows\system32\dllcache\custsat.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
- 2005-09-20 01:23:26 12,944 ----a-w c:\windows\system32\drivers\symdns.sys
+ 2007-10-01 19:48:56 12,680 ----a-w c:\windows\system32\drivers\symdns.sys
- 2005-09-20 01:23:32 109,200 ----a-w c:\windows\system32\drivers\symfw.sys
+ 2007-10-01 19:49:04 98,184 ----a-w c:\windows\system32\drivers\symfw.sys
- 2005-09-20 01:23:40 31,888 ----a-w c:\windows\system32\drivers\symids.sys
+ 2007-10-01 19:49:16 31,624 ----a-w c:\windows\system32\drivers\symids.sys
- 2005-09-20 01:23:36 27,792 ----a-w c:\windows\system32\drivers\symndis.sys
+ 2007-10-01 19:49:10 28,040 ----a-w c:\windows\system32\drivers\symndis.sys
- 2005-09-20 01:23:48 24,720 ----a-w c:\windows\system32\drivers\symredrv.sys
+ 2007-10-01 19:49:20 23,944 ----a-w c:\windows\system32\drivers\symredrv.sys
- 2005-09-20 01:23:52 196,240 ----a-w c:\windows\system32\drivers\symtdi.sys
+ 2007-10-01 19:49:26 189,320 ----a-w c:\windows\system32\drivers\symtdi.sys
- 2009-04-03 18:32:35 242,328 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-04-04 04:22:18 245,512 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-08 09:32:52 36,864 ----a-w c:\windows\system32\ieudinit.exe
+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2009-04-04 03:51:56 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-02-25 17:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2009-04-03 18:37:49 53,684 ----a-w c:\windows\system32\perfc009.dat
+ 2009-04-04 22:47:56 57,310 ----a-w c:\windows\system32\perfc009.dat
- 2009-04-03 18:37:49 381,794 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-04 22:47:57 387,926 ----a-w c:\windows\system32\perfh009.dat
- 2005-10-12 23:12:25 14,048 ----a-w c:\windows\system32\spmsg.dll
+ 2009-01-07 23:20:58 16,928 ------w c:\windows\system32\spmsg.dll
- 2005-09-20 01:24:00 534,160 ----a-w c:\windows\system32\SymNeti.dll
+ 2007-10-01 19:49:38 542,088 ----a-w c:\windows\system32\SymNeti.dll
- 2005-09-20 01:23:58 161,424 ----a-w c:\windows\system32\SymRedir.dll
+ 2007-10-01 19:49:36 161,160 ----a-w c:\windows\system32\SymRedir.dll
- 2004-08-04 08:00:00 49,152 ----a-w c:\windows\system32\wdigest.dll
+ 2006-03-24 04:37:50 49,152 ----a-w c:\windows\system32\wdigest.dll
- 2004-08-04 08:00:00 36,864 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\wups.dll
+ 2009-01-07 23:21:04 121,856 ----a-w c:\windows\system32\xmllite.dll
- 2006-02-08 00:29:48 16,384 ----a-w c:\windows\system32\xpsp3res.dll
+ 2006-10-10 06:12:10 214,528 ----a-w c:\windows\system32\xpsp3res.dll
+ 2005-09-23 03:48:08 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2005-09-23 03:48:08 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2005-09-23 03:48:06 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
+ 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2007-11-07 01:23:58 224,768 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
+ 2007-11-07 06:19:34 568,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2007-11-07 06:19:34 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-07-29 113664]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-10-15 66864]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-04 101936]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-08-22 231424]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-03-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-04-04 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Brandie.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-23 12:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 18:16:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????O????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-04 18:19:17
ComboFix-quarantined-files.txt 2009-04-04 23:19:14
ComboFix2.txt 2009-04-04 02:08:19

Pre-Run: 14,389,059,584 bytes free
Post-Run: 14,402,498,560 bytes free

327

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\SETCB.tmp
c:\windows\system32\SETE0.tmp
c:\windows\system32\SETC1.tmp
c:\windows\system32\SETEF.tmp
c:\windows\system32\SETD6.tmp
c:\windows\system32\SETF3.tmp
c:\windows\system32\SETF1.tmp
c:\windows\system32\SETE5.tmp
c:\windows\system32\SETE8.tmp
c:\windows\system32\SETEE.tmp
c:\windows\system32\SETDA.tmp
c:\windows\system32\SETD8.tmp
c:\windows\system32\SETF0.tmp
c:\windows\system32\SETC7.tmp
c:\windows\system32\SETC6.tmp
c:\windows\system32\SETD9.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETE7.tmp
c:\windows\system32\SETC3.tmp
c:\windows\system32\SETC8.tmp
c:\windows\system32\SETBB.tmp
c:\windows\system32\SETD7.tmp
c:\windows\system32\SETBA.tmp
c:\windows\system32\SETD2.tmp
c:\windows\system32\SETD0.tmp
c:\windows\system32\SETE1.tmp
c:\windows\system32\SETBF.tmp
c:\windows\system32\SETC0.tmp
c:\windows\system32\SETCF.tmp
c:\windows\system32\SETE2.tmp
c:\windows\system32\SETE3.tmp
c:\windows\system32\SETE9.tmp
c:\windows\system32\SETDE.tmp
c:\windows\system32\SETD5.tmp
c:\windows\system32\SETEC.tmp
c:\windows\system32\SETE4.tmp
c:\windows\system32\SETD4.tmp

Folder::
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

ComboFix 09-04-04.01 - Brandie 2009-04-04 18:58:51.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.119 [GMT -5:00]
Running from: c:\documents and settings\Brandie.SIRSTEVE\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Brandie.SIRSTEVE\Desktop\CFscript.txt
AV: Norton Internet Security 2006 *On-access scanning disabled* (Updated)
FW: Norton Internet Security 2006 *enabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\SETBA.tmp
c:\windows\system32\SETBB.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETBF.tmp
c:\windows\system32\SETC0.tmp
c:\windows\system32\SETC1.tmp
c:\windows\system32\SETC3.tmp
c:\windows\system32\SETC6.tmp
c:\windows\system32\SETC7.tmp
c:\windows\system32\SETC8.tmp
c:\windows\system32\SETCB.tmp
c:\windows\system32\SETCF.tmp
c:\windows\system32\SETD0.tmp
c:\windows\system32\SETD2.tmp
c:\windows\system32\SETD4.tmp
c:\windows\system32\SETD5.tmp
c:\windows\system32\SETD6.tmp
c:\windows\system32\SETD7.tmp
c:\windows\system32\SETD8.tmp
c:\windows\system32\SETD9.tmp
c:\windows\system32\SETDA.tmp
c:\windows\system32\SETDE.tmp
c:\windows\system32\SETE0.tmp
c:\windows\system32\SETE1.tmp
c:\windows\system32\SETE2.tmp
c:\windows\system32\SETE3.tmp
c:\windows\system32\SETE4.tmp
c:\windows\system32\SETE5.tmp
c:\windows\system32\SETE7.tmp
c:\windows\system32\SETE8.tmp
c:\windows\system32\SETE9.tmp
c:\windows\system32\SETEC.tmp
c:\windows\system32\SETEE.tmp
c:\windows\system32\SETEF.tmp
c:\windows\system32\SETF0.tmp
c:\windows\system32\SETF1.tmp
c:\windows\system32\SETF3.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\system32\SETBA.tmp
c:\windows\system32\SETBB.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETBF.tmp
c:\windows\system32\SETC0.tmp
c:\windows\system32\SETC1.tmp
c:\windows\system32\SETC3.tmp
c:\windows\system32\SETC6.tmp
c:\windows\system32\SETC7.tmp
c:\windows\system32\SETC8.tmp
c:\windows\system32\SETCB.tmp
c:\windows\system32\SETCF.tmp
c:\windows\system32\SETD0.tmp
c:\windows\system32\SETD2.tmp
c:\windows\system32\SETD4.tmp
c:\windows\system32\SETD5.tmp
c:\windows\system32\SETD6.tmp
c:\windows\system32\SETD7.tmp
c:\windows\system32\SETD8.tmp
c:\windows\system32\SETD9.tmp
c:\windows\system32\SETDA.tmp
c:\windows\system32\SETDE.tmp
c:\windows\system32\SETE0.tmp
c:\windows\system32\SETE1.tmp
c:\windows\system32\SETE2.tmp
c:\windows\system32\SETE3.tmp
c:\windows\system32\SETE4.tmp
c:\windows\system32\SETE5.tmp
c:\windows\system32\SETE7.tmp
c:\windows\system32\SETE8.tmp
c:\windows\system32\SETE9.tmp
c:\windows\system32\SETEC.tmp
c:\windows\system32\SETEE.tmp
c:\windows\system32\SETEF.tmp
c:\windows\system32\SETF0.tmp
c:\windows\system32\SETF1.tmp
c:\windows\system32\SETF3.tmp

.
((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-04 17:34 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-04-04 17:34 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-04-04 17:34 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-04-04 02:53 . 2009-04-04 02:53 d-------- c:\windows\system32\LogFiles
2009-04-03 23:34 . 2005-12-07 10:35 47,104 --a------ c:\windows\system32\WACntlPnl.cpl
2009-04-03 23:11 . 2009-04-03 23:11 d-------- C:\f939414751195ab8d437
2009-04-03 23:07 . 2009-04-03 23:07 d-------- c:\documents and settings\Brandie.SIRSTEVE\Application Data\acccore
2009-04-03 22:39 . 2009-04-04 19:05 d-------- c:\documents and settings\Brandie.SIRSTEVE\Tracing
2009-04-03 22:38 . 2009-04-03 22:38 d-------- c:\program files\Windows Live SkyDrive
2009-04-03 22:38 . 2009-04-03 22:38 d-------- c:\program files\Microsoft
2009-04-03 22:33 . 2009-04-03 22:33 d-------- c:\program files\Common Files\Windows Live
2009-04-03 18:46 . 2009-04-03 18:46 d-------- c:\program files\Avira
2009-04-03 18:46 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-04-03 17:38 . 2009-04-03 17:38 d---s---- c:\documents and settings\Brandie.SIRSTEVE\UserData
2009-04-03 13:35 . 2009-04-03 13:35 d-------- c:\documents and settings\Brandie.SIRSTEVE\Application Data\Symantec
2009-04-03 13:32 . 2008-07-20 04:09 d-------- c:\documents and settings\Brandie.SIRSTEVE\Application Data\Intuit
2009-04-03 13:32 . 2009-04-04 19:01 d-------- c:\documents and settings\Brandie.SIRSTEVE
2009-04-03 13:27 . 2004-08-04 08:00 185,344 --a------ c:\windows\system32\Thawbrkr.dll
2009-04-03 13:27 . 2004-08-04 08:00 66,594 --a------ c:\windows\system32\c_864.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,594 --a------ c:\windows\system32\c_862.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,594 --a------ c:\windows\system32\c_720.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,082 --a------ c:\windows\system32\c_708.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,082 --a------ c:\windows\system32\C_28596.NLS
2009-04-03 13:27 . 2004-08-04 08:00 66,082 --a------ c:\windows\system32\c_10021.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,082 --a------ c:\windows\system32\c_10005.nls
2009-04-03 13:27 . 2004-08-04 08:00 66,082 --a------ c:\windows\system32\c_10004.nls
2009-04-03 13:27 . 2004-08-04 08:00 10,752 --a------ c:\windows\system32\c_iscii.dll
2009-04-03 13:27 . 2004-08-04 08:00 6,144 --a------ c:\windows\system32\ftlx041e.dll
2009-04-03 13:27 . 2004-08-04 08:00 5,632 --a------ c:\windows\system32\kbdusa.dll
2009-03-14 21:04 . 2009-03-14 21:04 d-------- c:\documents and settings\Alyssa\Application Data\Apple Computer
2009-03-05 16:00 . 2009-03-05 16:00 d-------- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 23:17 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-04 05:26 --------- d-----w c:\program files\Norton Internet Security
2009-04-04 04:40 --------- d-----w c:\program files\Symantec
2009-04-04 03:38 --------- d-----w c:\program files\Windows Live
2009-04-04 00:41 --------- d-----w c:\program files\Quickensetup
2009-04-04 00:41 --------- d-----w c:\program files\Quicken
2009-04-04 00:39 --------- d-----w c:\program files\Netscape
2009-04-04 00:38 --------- d-----w c:\program files\muvee Technologies
2009-04-04 00:38 --------- d-----w c:\program files\music_now
2009-04-04 00:38 --------- d-----w c:\program files\MSN Encarta Plus
2009-04-04 00:38 --------- d-----w c:\program files\Microsoft Works
2009-04-04 00:38 --------- d-----w c:\program files\Microsoft Office Trial Wizard
2009-04-04 00:38 --------- d-----w c:\program files\Microsoft Money 2006
2009-04-04 00:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 00:36 --------- d-----w c:\program files\HP Rhapsody
2009-04-04 00:34 --------- d-----w c:\program files\Google
2009-04-04 00:34 --------- d-----w c:\program files\Common Files\SureThing Shared
2009-04-04 00:34 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-04-04 00:34 --------- d-----w c:\program files\Common Files\Palo Alto Software
2009-04-04 00:34 --------- d-----w c:\program files\Common Files\muvee Technologies
2009-04-04 00:33 --------- d-----w c:\program files\Common Files\LightScribe
2009-04-04 00:33 --------- d-----w c:\program files\Common Files\Intuit
2009-04-04 00:33 --------- d-----w c:\program files\Common Files\HP
2009-04-04 00:29 --------- d-----w c:\documents and settings\Owner\Application Data\Symantec
2009-04-04 00:29 --------- d-----w c:\documents and settings\Owner\Application Data\Intuit
2009-04-04 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-04 00:28 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-04-03 18:25 --------- d-----w c:\program files\HPQ
2009-04-03 09:33 --------- d-----w c:\program files\Pando Networks
2009-02-21 06:21 529,818 ----a-w c:\windows\Help\SET9A.tmp
2009-02-05 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-12 02:05 13,874 ----a-w c:\windows\Help\SET99.tmp
2009-01-12 02:05 12,593 ----a-w c:\windows\Help\SET98.tmp
2009-01-07 23:20 85,548 ------w c:\windows\Media\SETB8.tmp
2009-01-07 23:20 54,279 ------w c:\windows\Help\SET97.tmp
2009-01-07 23:20 23,308 ------w c:\windows\Media\SETB6.tmp
2009-01-07 23:20 19,884 ------w c:\windows\Media\SETB5.tmp
2009-01-07 23:20 11,340 ------w c:\windows\Media\SETB7.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-07-29 113664]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-10-15 66864]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-04 101936]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-08-22 231424]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-03-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-04-04 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Brandie.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-23 12:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 19:03:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe???????????????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\HPQ\shared\HPQTOA~1.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\program files\AIM6\aolsoftware.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-04-04 19:12:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-05 00:12:23
ComboFix2.txt 2009-04-04 23:19:19
ComboFix3.txt 2009-04-04 02:08:19

Pre-Run: 14,391,078,912 bytes free
Post-Run: 14,379,675,648 bytes free

274

Hello.
How is the machine now?

I'm not really sure x.x The only thing that made me think there was a problem was the spyware program, the window that kept popping up with the 2 file names and the random file on my desk top. I don't know if there was anything else problematic going on so I tried to start in safe mode and that didn't work so well... However, I just tried to start in safe mode again and it stopped at mup.sys just as before.

Oh, and hello back to you o.o;

Hi.

Combofix never really detected anything the first time. I can't see any problems here.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

Why would I have pop ups with those file names on them? Is it possible that it was just spyware and that I got rid of it already? Can something else be causing my computer not to be able to start in safe mode (which I tried because of a friend's recommendation)? If these are just ridiculously useless qustions, I'm sorry to inconvenience you (if I am). I'm not very computer tech oriented.

Hello.
In the first DDS scan, I saw this file.
C:\pv.exe

But I also saw Combofix's files run at only 2mins after that file was dropped by something, probably malware. So you already ran Combofix yourself, that's probably what got rid of the infection before you came here. I think you killed this yourself.

I also see you have renamed Combofix to Combo-Fix. Have you been following someone else's instructions?

But note that Combofix shouldn't be used without supervision, Combofix is VERY powerful and can leave your machine badly damaged should something go wrong.

Lastly, can you check that pv.exe is no longer sat in the C:\ drive? Combofix log didn't show it.

I was having a friend help me over the phone, but then I had to go to work. I figured I would deal with it later, but she wasn't available later, so I found you. pv.exe looks like it is still listed on the C:\ drive.

Okay, delete the pv.exe file.

Are you still getting popups?

Deleted, and no. So... is my computer is all clean, or is there something else I should do?


P.S. thank you, thank you, thank you for helping me! ^.^

Yeah, I think your machine is fine now.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.