Here is the ComboFix text. Will post the other logs shortly:
ComboFix 10-05-11.05 - Lee 12/05/2010 12:32:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.672 [GMT 1:00]
Running from: c:\documents and settings\Lee\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Lee\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Lee\g2mdlhlpx.exe
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
--
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
--
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
--
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.
2010-05-01 07:54 . 2010-05-01 07:54 -------- d-----w- c:\program files\Hijack this log
2010-04-30 16:59 . 2010-04-30 16:59 -------- d-----w- c:\program files\Trend Micro
2010-04-30 16:56 . 2010-04-30 16:56 -------- d-----w- c:\documents and settings\Lee\Application Data\Malwarebytes
2010-04-30 16:55 . 2010-04-30 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-30 16:55 . 2010-05-05 07:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 12:45 . 2010-04-29 12:45 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-29 12:44 . 2010-04-29 12:44 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-29 12:44 . 2010-04-29 12:44 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-29 12:44 . 2010-02-04 01:40 362032 ----a-r- c:\windows\system32\drivers\symtdi.sys
2010-04-29 12:44 . 2010-02-27 02:23 116784 ----a-r- c:\windows\system32\drivers\Ironx86.sys
2010-04-29 12:44 . 2010-02-27 02:23 43696 ----a-r- c:\windows\system32\drivers\srtspx.sys
2010-04-29 12:44 . 2010-02-04 01:40 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys
2010-04-29 12:44 . 2010-02-04 01:40 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys
2010-04-29 12:44 . 2010-02-25 23:22 501888 ----a-r- c:\windows\system32\drivers\cchpx86.sys
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\windows\system32\drivers\N360
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\program files\Windows Sidebar
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\program files\NortonInstaller
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-04-29 12:11 . 2010-04-29 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-23 14:08 . 2010-04-23 14:08 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Real
2010-04-23 14:07 . 2010-04-23 14:07 -------- d-----w- c:\program files\Common Files\xing shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 07:19 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-04 10:41 . 2010-05-04 10:41 439816 ----a-w- c:\documents and settings\Lee\Application Data\Real\Update\setup3.10\setup.exe
2010-04-30 16:59 . 2010-04-30 16:59 388096 ----a-r- c:\documents and settings\Lee\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-29 12:47 . 2006-10-16 15:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-29 12:44 . 2008-04-25 17:16 -------- d-----w- c:\program files\Symantec
2010-04-29 12:44 . 2010-04-29 12:44 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-29 12:44 . 2010-04-29 12:44 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-29 12:44 . 2008-04-25 17:18 -------- d-----w- c:\program files\Norton 360
2010-04-29 12:00 . 2009-07-09 14:10 -------- d-----w- c:\program files\FireTrust
2010-04-29 12:00 . 2006-10-18 07:48 -------- d-----w- c:\documents and settings\Lee\Application Data\MailWasherPro
2010-04-29 11:28 . 2009-12-12 14:20 120 ----a-w- c:\windows\Edulikovuviy.dat
2010-04-29 07:26 . 2009-12-12 14:20 0 ----a-w- c:\windows\Dtihigokimakigej.bin
2010-04-23 14:08 . 2007-01-24 15:23 -------- d-----w- c:\program files\Google
2010-04-23 14:07 . 2006-10-21 14:02 -------- d-----w- c:\program files\Common Files\Real
2010-04-23 14:06 . 2006-07-11 18:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-16 07:30 . 2006-10-16 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-15 07:39 . 2005-10-26 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 13:38 . 2010-01-19 10:57 -------- d-----w- c:\documents and settings\Lee\Application Data\deskUNPDF
2010-03-24 10:11 . 2010-03-24 10:11 50354 ----a-w- c:\documents and settings\Lee\Application Data\Facebook\uninstall.exe
2010-03-24 10:11 . 2010-03-24 10:11 -------- d-----w- c:\documents and settings\Lee\Application Data\Facebook
2010-03-16 09:02 . 2010-03-16 09:02 -------- d-----w- c:\documents and settings\Lee\Application Data\Unity
2010-03-13 13:54 . 2010-03-13 13:54 -------- d-----w- c:\program files\Common Files\Borland Shared
2010-03-11 12:38 . 2004-08-20 17:08 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-20 17:08 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-20 17:07 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-20 17:08 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Lee\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Lee\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-28 10:13 . 2010-02-28 10:12 1955472 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-02-24 13:11 . 2004-08-20 17:08 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2004-08-20 17:08 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-01 08:29 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2004-08-20 17:07 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-20 17:08 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2001-11-05 09:30 . 2008-05-19 12:02 165376 ----a-w- c:\program files\UNWISE.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IW_Drop_Icon"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2005-06-29 1346560]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-31 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 77824]
"SiSPower"="SiSPower.dll" [2006-01-09 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-18 98304]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-23 198160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(3).lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2006-10-17 131584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2006-10-16 262144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-04-26 08:59 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SymDS.sys [29/04/2010 13:44 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SymEFA.sys [29/04/2010 13:44 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [06/05/2010 08:14 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\cchpx86.sys [29/04/2010 13:44 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.sys [29/04/2010 13:44 116784]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [01/09/2004 14:50 188416]
R2 N360;Norton 360;c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [29/04/2010 13:44 126392]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [10/02/2005 11:55 62976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [29/04/2010 13:45 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100505.001\IDSXpx86.sys [08/05/2010 08:25 329592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/12/2009 18:57 135664]
.
Contents of the 'Scheduled Tasks' folder
2010-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-31 17:57]
2010-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-31 17:57]
2010-05-11 c:\windows\Tasks\User_Feed_Synchronization-{898C5654-CDAC-482F-B8DF-430F31E4F8DA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.endeavour.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - hxxp://ps.itv.mop.com/dn/files/pCastCtl ... signed.cab
FF - ProfilePath - c:\documents and settings\Lee\Application Data\Mozilla\Firefox\Profiles\jryr85ce.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Lee\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Lee\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {1A5CF3E8-DDB2-4E9F-BDFF-3585E2905B12} - c:\documents and settings\Lee\Local Settings\Application Data\{1A5CF3E8-DDB2-4E9F-BDFF-3585E2905B12}
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Adobe Digital Editions - c:\documents and settings\Lee\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions2x0\digitaleditions2x0.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 12:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1471223198-1642118984-4230253141-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(604)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll
- - - - - - - > 'explorer.exe'(3856)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
.
**************************************************************************
.
Completion time: 2010-05-12 12:55:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-12 11:55
ComboFix2.txt 2010-05-05 13:15
Pre-Run: 18,189,004,800 bytes free
Post-Run: 18,192,986,112 bytes free
- - End Of File - - C42DE86206F5A1E8043FFFC38A91568F