Solved [Active] IE popups, clicking sounds, and volume issues - logs attached


MM225

Hi,

I have read through several threads where users have similar issues: a clicking sound in the background, iexplore.exe in the task manager that I can't kill, IE pop-ups (I use Chrome) and random audio ads without pop-ups.

I was switching from AVG to Avast and picked up some malware in the few minutes that my computer was unprotected. I've uninstalled Java & Adobe, as I read that those can be vulnerabilities.

I'm running XP SP3, and I thought it was fully updated, but it is now asking me to download updates that I am pretty sure I already had.

I have an installation of Linux on a separate partition of my C drive and a bootloader menu (GRUB) that allows me to select my OS when I boot up. I installed this because I thought it would be interesting to mess with Linux, but I haven't used it in months. The bootloader is still around, though. (Not sure if this will show up in the logs, so hopefully this will clear up any confusion.)

I've run the six steps, and all logs will be pasted in my next post(s). Thanks in advance for any help you can give me.
 
Malwarebytes, GMER, & DDS logs

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4299

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

7/19/2010 8:11:44 AM
mbam-log-2010-07-19 (08-11-44).txt

Scan type: Quick scan
Objects scanned: 149853
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--



DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt at 14:53:41.31 on Tue 07/20/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.5.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2181 [GMT -4:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe 4
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
svchost.exe 4
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\IDU\iptray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Documents and Settings\Matt\Desktop\dds.scr
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\program files\virtual account numbers\BhoCitUS.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ipTray.exe] "c:\program files\intel\idu\iptray.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Citi Virtual Account Numbers] c:\progra~1\virtua~1\CitiVAN.exe /lang=en_RG /dontopenmycards
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {DE700910-58F7-4D2E-B7E6-3BA2DA1B6806} - c:\progra~1\virtua~1\CitiVAN.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\xnkrl9ok.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\matt\application data\mozilla\firefox\profiles\xnkrl9ok.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\matt\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\matt\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\matt\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-10 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-10 165456]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 25240]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-10 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-10 40384]
R2 AWService;Admin Works Agent X8;c:\program files\intel\idu\awServ.exe [2006-8-18 67072]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1778480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1352832]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-10 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-10 40384]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [2007-3-25 140416]
S3 pbfilter;pbfilter;c:\program files\peerblock_r181__win32_release\pbfilter.sys [2009-9-28 14424]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys --> c:\windows\system32\drivers\tbcspud.sys [?]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys --> c:\windows\system32\drivers\tbcwdm.sys [?]
S3 vtdg46xx;vtdg46xx;\??\c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys --> c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [?]

=============== Created Last 30 ================

2010-07-19 11:37:43 0 d-sha-r- C:\cmdcons
2010-07-19 11:35:40 98816 ----a-w- c:\windows\sed.exe
2010-07-19 11:35:40 77312 ----a-w- c:\windows\MBR.exe
2010-07-19 11:35:40 256512 ----a-w- c:\windows\PEV.exe
2010-07-19 11:35:40 161792 ----a-w- c:\windows\SWREG.exe
2010-07-14 02:54:11 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-07-10 20:10:06 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-10 16:45:38 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-10 16:45:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-10 16:39:15 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-10 15:50:37 0 d-----w- c:\windows\pss
2010-07-10 15:00:57 0 d-----w- c:\program files\PeerBlock_r181__Win32_Release
2010-07-10 14:51:20 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
2010-07-10 14:49:31 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-07-10 14:47:58 0 d-----w- c:\program files\COMODO
2010-07-10 14:46:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-10 14:45:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-07-10 14:36:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-10 14:32:32 0 d-----w- c:\docume~1\matt\applic~1\Malwarebytes
2010-07-10 14:32:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 14:32:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 14:32:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 14:32:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-10 14:09:54 38848 ----a-w- c:\windows\avastSS.scr
2010-07-10 14:09:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-01 13:03:33 0 d-----w- c:\program files\iPod
2010-07-01 13:03:23 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-01 12:55:55 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-06-15 00:02:56 256 ----a-w- c:\documents and settings\matt\pool.bin
2010-06-04 15:55:58 229312 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-06-01 23:00:52 278288 ----a-w- c:\windows\system32\guard32.dll
2010-06-01 23:00:22 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-06-01 23:00:20 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2007-07-10 19:24:50 88 --sh--r- c:\windows\system32\F6A9BE14DE.sys
2007-07-10 19:25:10 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-01-03 20:33:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010320090104\index.dat

============= FINISH: 14:54:31.26 ===============
 

Attachments: GMER Log 7.20.10.log (176.7 KB)

Attach log

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume5
Install Date: 11/28/2006 8:23:37 PM
System Uptime: 7/20/2010 2:46:52 PM (0 hours ago)

Motherboard: Intel Corporation | | DG965WH
Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | LGA 775 | 1864/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 128 GiB total, 11.603 GiB free.
D: is FIXED (NTFS) - 170 GiB total, 25.748 GiB free.
Y: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\AWY0001\4&12686F5B&0
Manufacturer:
Name:
PNP Device ID: ACPI\AWY0001\4&12686F5B&0
Service:

==== System Restore Points ===================

RP954: 4/22/2010 6:55:23 PM - System Checkpoint
RP955: 4/23/2010 8:14:41 PM - System Checkpoint
RP956: 4/24/2010 9:17:50 AM - Avg Update
RP957: 4/24/2010 9:18:40 AM - Avg Update
RP958: 4/25/2010 11:15:11 AM - System Checkpoint
RP959: 4/26/2010 11:29:30 AM - System Checkpoint
RP960: 4/27/2010 5:58:03 PM - System Checkpoint
RP961: 4/28/2010 6:29:33 PM - System Checkpoint
RP962: 4/30/2010 7:44:54 PM - System Checkpoint
RP963: 5/1/2010 8:10:06 PM - System Checkpoint
RP964: 5/2/2010 8:21:07 PM - System Checkpoint
RP965: 5/3/2010 9:39:37 PM - System Checkpoint
RP966: 5/6/2010 9:26:39 AM - Avg Update
RP967: 5/10/2010 6:29:57 PM - System Checkpoint
RP968: 5/11/2010 7:53:44 PM - System Checkpoint
RP969: 5/12/2010 9:25:18 PM - System Checkpoint
RP970: 5/15/2010 9:29:30 AM - System Checkpoint
RP971: 5/16/2010 11:00:15 AM - System Checkpoint
RP972: 5/19/2010 8:18:59 PM - System Checkpoint
RP973: 5/22/2010 10:41:09 AM - System Checkpoint
RP974: 5/23/2010 11:16:04 AM - System Checkpoint
RP975: 5/26/2010 9:02:00 AM - System Checkpoint
RP976: 5/27/2010 6:10:35 PM - System Checkpoint
RP977: 5/28/2010 7:23:22 PM - System Checkpoint
RP978: 5/29/2010 7:40:19 PM - System Checkpoint
RP979: 5/31/2010 10:56:48 AM - System Checkpoint
RP980: 6/1/2010 1:06:38 PM - System Checkpoint
RP981: 6/3/2010 5:38:32 PM - Avg Update
RP982: 6/11/2010 8:11:05 AM - System Checkpoint
RP983: 6/12/2010 11:03:33 AM - System Checkpoint
RP984: 6/13/2010 12:01:41 PM - System Checkpoint
RP985: 6/14/2010 7:46:04 PM - System Checkpoint
RP986: 6/14/2010 8:18:15 PM - Removed BlackBerry Desktop Software 4.7.
RP987: 6/14/2010 8:33:59 PM - Installed BlackBerry Desktop Software 5.0.1.
RP988: 6/14/2010 9:22:50 PM - Removed BlackBerry Desktop Software 5.0.1.
RP989: 6/14/2010 9:34:19 PM - Installed BlackBerry Desktop Software 5.0.1.
RP990: 6/17/2010 10:41:36 PM - System Checkpoint
RP991: 6/21/2010 7:59:15 AM - System Checkpoint
RP992: 6/22/2010 7:39:25 PM - System Checkpoint
RP993: 6/23/2010 8:51:48 PM - System Checkpoint
RP994: 6/25/2010 7:31:49 AM - System Checkpoint
RP995: 6/26/2010 3:08:58 PM - Avg Update
RP996: 6/27/2010 4:08:54 PM - System Checkpoint
RP997: 6/29/2010 6:26:57 PM - System Checkpoint
RP998: 6/30/2010 7:18:57 PM - System Checkpoint
RP999: 7/1/2010 7:30:37 PM - System Checkpoint
RP1000: 7/2/2010 8:55:17 PM - System Checkpoint
RP1001: 7/3/2010 10:55:17 PM - System Checkpoint
RP1002: 7/5/2010 12:55:17 AM - System Checkpoint
RP1003: 7/6/2010 7:48:04 AM - System Checkpoint
RP1004: 7/8/2010 8:22:53 AM - System Checkpoint
RP1005: 7/10/2010 9:57:58 AM - Removed AVG Free 9.0
RP1006: 7/10/2010 10:09:49 AM - avast! Free Antivirus Setup
RP1007: 7/10/2010 10:45:53 AM - Installed Java(TM) 6 Update 20
RP1008: 7/10/2010 10:47:55 AM - Installed COMODO Internet Security
RP1009: 7/10/2010 11:00:27 AM - Removed BlackBerry Desktop Software 5.0.1.
RP1010: 7/10/2010 11:47:29 AM - Software Distribution Service 3.0
RP1011: 7/10/2010 12:29:05 PM - Removed Ad-Aware
RP1012: 7/10/2010 9:17:41 PM - Software Distribution Service 3.0
RP1013: 7/11/2010 9:35:18 PM - System Checkpoint
RP1014: 7/13/2010 7:49:46 AM - System Checkpoint
RP1015: 7/13/2010 10:48:53 PM - Removed Adobe Reader 9.1.2.
RP1016: 7/13/2010 10:50:06 PM - Removed Java(TM) 6 Update 7
RP1017: 7/13/2010 10:51:11 PM - Removed Java(TM) 6 Update 5
RP1018: 7/13/2010 10:52:02 PM - Removed Java(TM) 6 Update 3
RP1019: 7/13/2010 10:53:45 PM - Removed Java(TM) 6 Update 11
RP1020: 7/15/2010 8:30:34 AM - System Checkpoint
RP1021: 7/16/2010 8:15:03 PM - System Checkpoint
RP1022: 7/17/2010 8:25:32 PM - System Checkpoint
RP1023: 7/19/2010 7:23:51 AM - Removed Xmarks for IE

==== Installed Programs ======================


µTorrent
AAC Decoder
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Shockwave Player
Adobe Stock Photos 1.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AutoUpdate
avast! Free Antivirus
Bonjour
BurnAware Free Edition 1.2.9
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Comcast High-Speed Internet Install Wizard
COMODO Internet Security
Critical Update for Windows Media Player 11 (KB959772)
DellTouch
Deus Ex
DivX Codec
DivX Converter
DivX Plus DirectShow Filters
DivX Version Checker
EAX4 Unified Redist
ffdshow [rev 1723] [2007-12-24]
Full Tilt Poker
Google Chrome
Google Earth
Google SketchUp 7.1
Google Talk Plugin
Google Update Helper
H.264 Decoder
High Definition Audio Driver Package - KB888111
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB981793)
HP LaserJet P1000 series
HPCarePackCore
HPCarePackProducts
HPSSupply
Image Resizer Powertoy for Windows XP
ImgBurn
Intel(R) Desktop Utilities
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
Intel(R) PRO Network Connections
IsoBuster 2.1
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 9
Japanese Fonts Support For Adobe Reader 9
Java Auto Updater
Launchy 2.1.2
LimeWire 4.12.6
LiveUpdate 3.1 (Symantec Corporation)
Logitech Gaming Software
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft Bootvis
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft English TTS Engine
Microsoft Flight Simulator X
Microsoft IntelliPoint 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Streets & Trips 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft XML Parser and SDK
MKV Splitter
mkv2vob
Mozilla Firefox (3.5.10)
MrvlUsgTracking
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
Pandora
PC Inspector File Recovery
Picasa 3
PokerStars
PokerTracker 3 (remove only)
PostgreSQL 8.3
PowerISO
QuickTime
RealPlayer
Safari
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SigmaTel Audio
Snes9x
Supercast
SyncBack
The Rosetta Stone
TTS Wrapper
TVersity Codec Pack 1.2
TVersity Media Server 1.0.0.8 RC5
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6i
Virtual Account Numbers
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VoiceOver Kit
WebFldrs XP
Windows Essentials Media Codec Pack 1.0
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

7/20/2010 7:18:57 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avast! Web Scanner service.
7/20/2010 7:18:52 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avast! Mail Scanner service.
7/19/2010 8:01:39 AM, error: Service Control Manager [7034] - The SigmaTel Audio Service service terminated unexpectedly. It has done this 1 time(s).
7/19/2010 8:01:39 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
7/19/2010 8:01:39 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
7/19/2010 8:01:39 AM, error: Service Control Manager [7034] - The Admin Works Agent X8 service terminated unexpectedly. It has done this 1 time(s).
7/19/2010 8:01:39 AM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
7/19/2010 8:01:39 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/19/2010 7:49:47 AM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
7/18/2010 7:47:53 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
7/18/2010 7:15:57 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.
7/15/2010 11:31:08 PM, error: PlugPlayManager [12] - The device 'PHILIPS SPD2413P' (IDE\CdRomPHILIPS_SPD2413P________________________GP03____\6&2295197d&0&0.0.0) disappeared from the system without first being prepared for removal.
7/13/2010 11:13:05 PM, error: PlugPlayManager [12] - The device 'ST3120814A' (IDE\DiskST3120814A______________________________3.AAD___\6&2295197d&0&0.1.0) disappeared from the system without first being prepared for removal.
7/13/2010 10:54:35 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
7/13/2010 10:46:04 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
7/13/2010 10:43:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/13/2010 10:30:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
7/13/2010 10:30:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi cmdGuard cmdHlp Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu Tcpip
7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================
 
Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
The MBRcheck link appears to be broken - is there another link where I can download it? Thanks!
 
Hmmm...it doesn't work indeed.

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
remover.exe results

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive1
MD5: b19ee33a0168d5f0bb9afbe12e2bc035
\\.\D: -> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive1 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...
 
Somehow, email notification about your reply missed me. I apologize for that :)
If you're still out there, please reply to my post.
 
Hi Broni,

Thanks for the reply. I'm still here & haven't changed anything since my last post.
 
Cool :)
I apologize one more time :)

Rerun MBRCheck.
Enter 'Y' and hit ENTER for more options and select option "2".
When asked for physical disk number, enter 1.
Next, enter 1 (Windows XP) for MBR code.
Post resulting log.
 
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive1
\\.\D: --> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive1 Unknown MBR code

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): Dumping \\.\PhysicalDisk1...
Enter filename to dump to:
 
The above was all I could get - I tried to enter a filename to dump to but couldn't get the format to be readable. Let me know if I'm doing that wrong. Thanks!
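For reading a raw sector dump like the one MBRCheck's option [1] (or remover.exe dump) writes to a file, here is an added Python example that is not one of the tools used in this thread: it parses the 512-byte MBR, hashes the boot code the way Bootkit Remover's MD5 line does, and flags a missing 0x55AA signature, a boot-code hash that is not on a caller-supplied allow-list, or an unexpected number of active partitions. The sample sector and the (empty) allow-list are constructed placeholders, not data from this machine.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # boot code precedes the 4-byte disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries, then 0x55AA

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR dump into boot-code MD5, disk signature and partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("expected a 512-byte sector, got %d bytes" % len(mbr))
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:                                   # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "size_mb": count * SECTOR // 2**20})
    return {"signature_ok": mbr[510:512] == b"\x55\xaa",
            "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],
            "partitions": parts}

def mbr_findings(mbr: bytes, known_good_md5: set) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    info = parse_mbr(mbr)
    out = []
    if not info["signature_ok"]:
        out.append("missing 0x55AA boot signature")
    if info["boot_code_md5"] not in known_good_md5:
        out.append("unknown boot code (MD5 %s)" % info["boot_code_md5"])
    active = [p["index"] for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        out.append("expected exactly one active partition, found %d" % len(active))
    return out

def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one active NTFS and one Linux partition."""
    boot = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 8)
    disk_sig = struct.pack("<I", 0x1234ABCD)                          # made-up disk signature
    entries = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 409_600_000)   # C:, 200000 MB NTFS
    entries += struct.pack("<B3xB3xII", 0x00, 0x83, 409_600_063, 200_000_000)  # Linux
    entries += b"\x00" * 32                                           # two empty slots
    return boot + disk_sig + b"\x00\x00" + entries + b"\x55\xaa"

if __name__ == "__main__":
    sample = build_sample_mbr()
    print(parse_mbr(sample))
    print(mbr_findings(sample, known_good_md5=set()))   # empty allow-list: every hash is "unknown"
```

Feed it the dump file's bytes (open(path, "rb").read()) and an allow-list of boot-code hashes you have taken from known-clean installs of the same Windows version; the tool's "Unknown MBR code" verdict is exactly this hash comparison.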
 
That's fine. We'll approach it in a different way...

Restart computer
When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. OK Then reboot.

You should get a black screen with a C:\> prompt. Type with an Enter after each line:

fixmbr

(If it asks you if you are sure then say "Y".)

exit

Reboot computer.

Post fresh MBRCheck log.
 
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive1
\\.\D: --> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive1 Windows XP MBR code detected

Done! Press ENTER to exit...
 
Excellent :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Please, restart computer BEFORE running what's below...


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\F6A9BE14DE.sys

FCopy::
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\drivers\TCPIP.SYS
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\dllcache\TCPIP.SYS

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
You're very welcome :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
When you're done with OTL....

There is a new Combofix version, which deals with MBR infection, so I want to make sure, that infection is really gone.
You uninstalled Combofix, but make sure there is no Combofix file left on your desktop.
Then...
Download fresh copy from HERE
Run it and post resulting log.
 
OTL & Extras logs

Here are the logs from OTL:
 

Attachments: OTL.Txt (194.5 KB), Extras.Txt (43.6 KB)
Here's the new combofix log - sorry but it's also too long to copy/paste.
 

Attachments: ComboFix.txt (21.7 KB)