Can't see files, can't install MWB, malware removal log analysis required please

Hi All,

A family member's PC was held hostage by malware. I advised them to run MWB, which they did, and they could access the net again, but all files, programs etc. had been removed.

I visited in person, tried to install MWB and got access denied errors. I found this link and followed the instructions.

I ran MBRCheck initially, then ran ComboFix, and that seems to have fixed the problems. Is there anything else that I should do to make sure that it's truly clean?

Can someone please advise if I need to take further action?

Thanks!

[Original MBR Check]
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 138):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xB9F4A000 pcmcia.sys
0xBA0B8000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xB9F05000 dmio.sys
0xBA328000 PartMgr.sys
0xBA4C4000 ACPIEC.sys
0xBA670000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA0C8000 VolSnap.sys
0xB9E2A000 iaStor.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E0A000 fltMgr.sys
0xB9DF8000 sr.sys
0xBA5AC000 DLACDBHM.SYS
0xB9DE1000 DRVMCDB.SYS
0xBA0F8000 PxHelp20.sys
0xB9DCA000 KSecDD.sys
0xB9D3D000 Ntfs.sys
0xB9D10000 NDIS.sys
0xBA108000 PBADRV.sys
0xBA118000 ohci1394.sys
0xBA128000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9CF6000 Mup.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB8452000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB843E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3B0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB841A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3B8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB83F2000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB824A000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB8218000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xB8204000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xB81F3000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xBA308000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB81C6000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xBA318000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB814B000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA3C0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA3C8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA148000 \SystemRoot\system32\DRIVERS\serial.sys
0xB9C89000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA158000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA168000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA178000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8128000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9C81000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB9C7D000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA188000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB80F0000 \SystemRoot\system32\drivers\srs_PremiumSound_i386.sys
0xBA777000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA198000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9C79000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB80D9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3D0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB80C8000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8098000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8ADF000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5E8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB803A000 \SystemRoot\system32\DRIVERS\update.sys
0xB945C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xA4656000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA4646000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA62C000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA3065000 \SystemRoot\system32\drivers\sthda.sys
0xA3041000 \SystemRoot\system32\drivers\portcls.sys
0xA4636000 \SystemRoot\system32\drivers\drmk.sys
0xA3025000 \SystemRoot\system32\drivers\AESTAud.sys
0xA3005000 \SystemRoot\system32\drivers\IntcHdmi.sys
0x9D893000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0x9BFB9000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x9D697000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x9CAE1000 \SystemRoot\System32\Drivers\Null.SYS
0x9D695000 \SystemRoot\System32\Drivers\Beep.SYS
0x9CB06000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0x9CAFE000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x9CAF6000 \SystemRoot\System32\drivers\vga.sys
0x9D693000 \SystemRoot\System32\Drivers\mnmdd.SYS
0x9D691000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x9C6C2000 \SystemRoot\System32\Drivers\Msfs.SYS
0x9C6BA000 \SystemRoot\System32\Drivers\Npfs.SYS
0x9D488000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9BF86000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9BF2D000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x9BF05000 \SystemRoot\system32\DRIVERS\netbt.sys
0x9BEE3000 \SystemRoot\System32\drivers\afd.sys
0x9D0AA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9D09A000 \SystemRoot\system32\DRIVERS\netbios.sys
0x9BEB8000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9BE48000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9D08A000 \SystemRoot\system32\DRIVERS\arp1394.sys
0x9D07A000 \SystemRoot\System32\Drivers\Fips.SYS
0x9BE24000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x9BD49000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x9C27F000 \SystemRoot\System32\drivers\Dxapi.sys
0x9C682000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7B3000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF058000 \SystemRoot\System32\igxpdv32.DLL
0xBF2E8000 \SystemRoot\System32\igxpdx32.DLL
0xBF691000 \SystemRoot\System32\ATMFD.DLL
0xA1452000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xBA71A000 \SystemRoot\System32\Drivers\DLADResM.SYS
0x9BCF0000 \SystemRoot\System32\Drivers\DLAIFS_M.SYS
0x9C0C5000 \SystemRoot\System32\Drivers\DLAOPIOM.SYS
0xB9454000 \SystemRoot\System32\Drivers\DLAPoolM.SYS
0x9C0BD000 \SystemRoot\System32\Drivers\DLABMFSM.SYS
0x9C0B5000 \SystemRoot\System32\Drivers\DLABOIOM.SYS
0x9BCDA000 \SystemRoot\System32\Drivers\DLAUDFAM.SYS
0x9BCC3000 \SystemRoot\System32\Drivers\DLAUDF_M.SYS
0xA3C2D000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9BC36000 \SystemRoot\system32\drivers\wdmaud.sys
0xBA2C8000 \SystemRoot\system32\drivers\sysaudio.sys
0x9BACB000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9B9FB000 \SystemRoot\system32\DRIVERS\srv.sys
0x9B3DB000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA378000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9FCE112-9C35-4D87-8298-1EF0D6B58735}\MpKsl8b5a6c57.sys
0x9B1E2000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA438000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
844 C:\WINDOWS\system32\smss.exe
916 csrss.exe
940 C:\WINDOWS\system32\winlogon.exe
984 C:\WINDOWS\system32\services.exe
996 C:\WINDOWS\system32\lsass.exe
1180 C:\Program Files\Fingerprint Sensor\AtService.exe
1200 C:\WINDOWS\system32\svchost.exe
1268 svchost.exe
1308 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1344 C:\WINDOWS\system32\svchost.exe
1460 svchost.exe
1516 svchost.exe
1792 C:\WINDOWS\system32\WLTRYSVC.EXE
1804 C:\WINDOWS\system32\BCMWLTRY.EXE
1864 C:\WINDOWS\system32\spoolsv.exe
1908 C:\drivers\audio\R213367\stacsv.exe
816 svchost.exe
836 C:\Program Files\Microsoft\BingBar\SeaPort.EXE
1220 C:\WINDOWS\system32\svchost.exe
1320 C:\Program Files\Java\jre6\bin\jqs.exe
1428 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1624 C:\WINDOWS\system32\svchost.exe
200 C:\WINDOWS\system32\svchost.exe
1968 C:\WINDOWS\system32\svchost.exe
2072 C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
2124 C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
2200 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
2440 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
2720 C:\WINDOWS\explorer.exe
2792 C:\Program Files\TeamViewer\Version6\TeamViewer.exe
2868 C:\WINDOWS\system32\searchindexer.exe
3472 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
3548 C:\Program Files\Microsoft Security Client\msseces.exe
3556 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
3588 C:\WINDOWS\system32\ctfmon.exe
3604 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
4080 C:\Program Files\TeamViewer\Version6\tv_w32.exe
2516 C:\WINDOWS\system32\svchost.exe
680 wmiprvse.exe
600 C:\Program Files\Internet Explorer\iexplore.exe
768 C:\Program Files\Internet Explorer\iexplore.exe
1632 C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
3080 C:\WINDOWS\system32\searchprotocolhost.exe
240 searchfilterhost.exe
3016 C:\Program Files\Internet Explorer\iexplore.exe
204 C:\WINDOWS\system32\searchprotocolhost.exe
248 C:\Documents and Settings\gutter helmet\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`05649600 (NTFS)

PhysicalDrive0 Model Number: ST9160314AS, Rev: 0003DEM1

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979

Done!
--------------
ComboFix 11-12-17.02 - gutter helmet 12/17/2011 14:53:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2003.1519 [GMT -5:00]
Running from: c:\documents and settings\gutter helmet\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\nhQGULMaTg8krJ.exe
c:\documents and settings\gutter helmet\GoToAssistDownloadHelper.exe
c:\documents and settings\gutter helmet\Local Settings\Temporary Internet Files\616xOp7Ya.jpg
c:\documents and settings\gutter helmet\Local Settings\Temporary Internet Files\LAYa5MX67.jpg
c:\documents and settings\gutter helmet\Local Settings\Temporary Internet Files\NXxLbMKmM.jpg
c:\documents and settings\gutter helmet\Local Settings\Temporary Internet Files\y51b3.jpg
c:\documents and settings\gutter helmet\Start Menu\Programs\System Fix
c:\documents and settings\gutter helmet\Start Menu\Programs\System Fix\System Fix.lnk
c:\documents and settings\gutter helmet\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
c:\windows\CSC\d6
c:\windows\EventSystem.log
.
.
((((((((((((((((((((((((( Files Created from 2011-11-17 to 2011-12-17 )))))))))))))))))))))))))))))))
.
.
2011-12-17 19:38 . 2011-12-17 19:38 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9FCE112-9C35-4D87-8298-1EF0D6B58735}\MpKsl8b5a6c57.sys
2011-12-17 19:38 . 2011-12-17 19:38 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9FCE112-9C35-4D87-8298-1EF0D6B58735}\offreg.dll
2011-12-17 16:22 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9FCE112-9C35-4D87-8298-1EF0D6B58735}\mpengine.dll
2011-12-12 17:48 . 2011-12-17 19:42 559612 ----a-w- c:\windows\system32\PerfStringBackup.TMP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 10:47 . 2011-01-03 13:33 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-10 14:22 . 2008-04-25 21:27 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-25 16:16 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-30 07:59 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2008-04-25 16:16 220160 ---ha-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2008-04-25 16:16 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2010-2-18 323584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell ControlPoint System Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk
backup=c:\windows\pss\Dell ControlPoint System Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr]
2009-03-17 01:57 729088 ---ha-w- c:\windows\system32\AESTFltr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2009-02-22 21:51 200704 ---ha-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2010-01-19 07:32 2396160 ---ha-w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-02-26 21:08 166912 ---ha-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ---ha-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2009-02-11 23:38 186904 ---ha-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-02-26 21:08 134656 ---ha-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-09-11 18:36 128232 ---h--w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-02-26 21:08 134656 ---ha-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-19 07:21 149280 ---ha-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2009-03-17 01:57 483420 ---ha-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 MpKsl8b5a6c57;MpKsl8b5a6c57;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9FCE112-9C35-4D87-8298-1EF0D6B58735}\MpKsl8b5a6c57.sys [12/17/2011 2:38 PM 29904]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [5/15/2009 6:33 PM 1803512]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 4:33 PM 249648]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2/11/2010 6:42 AM 172328]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [11/30/2010 12:08 PM 2222376]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 6:31 AM 92008]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [1/19/2010 3:58 AM 112512]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [1/19/2010 3:58 AM 109568]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [1/19/2010 2:31 AM 232744]
S1 MpKslddd1ac8f;MpKslddd1ac8f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6DD23F28-656E-4E39-A2D8-CF52A28D06A4}\MpKslddd1ac8f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6DD23F28-656E-4E39-A2D8-CF52A28D06A4}\MpKslddd1ac8f.sys [?]
S1 MpKslfc414eef;MpKslfc414eef;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2C99AB9D-7F45-47F1-8F06-C8689D441B66}\MpKslfc414eef.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2C99AB9D-7F45-47F1-8F06-C8689D441B66}\MpKslfc414eef.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/18/2010 8:54 AM 135664]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 6:31 PM 195336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/18/2010 8:54 AM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 11:16 AM 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL8B5A6C57
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 13:54]
.
2011-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 13:54]
.
2011-12-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\gutter helmet\Application Data\Mozilla\Firefox\Profiles\x8tv128m.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-ArcSoft Connection Service - c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
MSConfigStartUp-ChangeTPMAuth - c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe
MSConfigStartUp-DellConnectionManager - c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
MSConfigStartUp-DellControlPoint - c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
MSConfigStartUp-USCService - c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
MSConfigStartUp-WavXMgr - c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-17 14:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-12-17 15:02:16
ComboFix-quarantined-files.txt 2011-12-17 20:02
.
Pre-Run: 131,884,187,648 bytes free
Post-Run: 132,802,142,208 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 839FC160F88DDAB43109E865CD68A59C

---------------------------
Edit: Duplicate MBR log removed by Bobbye
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 138):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xB9F4A000 pcmcia.sys
0xBA0B8000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xB9F05000 dmio.sys
0xBA328000 PartMgr.sys
0xBA4C4000 ACPIEC.sys
0xBA670000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA0C8000 VolSnap.sys
0xB9E2A000 iaStor.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E0A000 fltMgr.sys
0xB9DF8000 sr.sys
0xBA5AC000 DLACDBHM.SYS
0xB9DE1000 DRVMCDB.SYS
0xBA0F8000 PxHelp20.sys
0xB9DCA000 KSecDD.sys
0xB9D3D000 Ntfs.sys
0xB9D10000 NDIS.sys
0xBA108000 PBADRV.sys
0xBA118000 ohci1394.sys
0xBA128000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9CF6000 Mup.sys
0xBA148000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB8152000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB813E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA390000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB811A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA388000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB80F2000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB7F4A000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB7F18000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xB7F04000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xB7EF3000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB7EC6000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB7E4B000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA398000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA3A0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB9C85000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7E28000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9C7D000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB9C79000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA208000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB7DF0000 \SystemRoot\system32\drivers\srs_PremiumSound_i386.sys
0xBA6FD000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA218000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9C75000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7DD9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8C6D000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8C5D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3A8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7DC8000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8C4D000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3B0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3B8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7D98000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8C3D000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5FC000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7D3A000 \SystemRoot\system32\DRIVERS\update.sys
0xB95E6000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xA412A000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA411A000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA642000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA254F000 \SystemRoot\system32\drivers\sthda.sys
0xA252B000 \SystemRoot\system32\drivers\portcls.sys
0xA410A000 \SystemRoot\system32\drivers\drmk.sys
0xA250F000 \SystemRoot\system32\drivers\AESTAud.sys
0xA24EF000 \SystemRoot\system32\drivers\IntcHdmi.sys
0x9C94A000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0x9B6BD000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xBA666000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA690000 \SystemRoot\System32\Drivers\Null.SYS
0xBA668000 \SystemRoot\System32\Drivers\Beep.SYS
0xA3173000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0xA316B000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x9BDFE000 \SystemRoot\System32\drivers\vga.sys
0xBA66A000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA66C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x9BDF6000 \SystemRoot\System32\Drivers\Msfs.SYS
0x9BDEE000 \SystemRoot\System32\Drivers\Npfs.SYS
0x9BDB2000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9B662000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9B609000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x9B5E1000 \SystemRoot\system32\DRIVERS\netbt.sys
0x9B5BB000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x9B599000 \SystemRoot\System32\drivers\afd.sys
0x9C622000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9C612000 \SystemRoot\system32\DRIVERS\netbios.sys
0x9B56E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9B4FE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9C602000 \SystemRoot\system32\DRIVERS\arp1394.sys
0x9C5F2000 \SystemRoot\System32\Drivers\Fips.SYS
0x9B4DA000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x9B3FF000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x9B6A1000 \SystemRoot\System32\drivers\Dxapi.sys
0x9B800000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA780000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF058000 \SystemRoot\System32\igxpdv32.DLL
0xBF2E8000 \SystemRoot\System32\igxpdx32.DLL
0xBF691000 \SystemRoot\System32\ATMFD.DLL
0xB8C1D000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xBA696000 \SystemRoot\System32\Drivers\DLADResM.SYS
0x9B3A6000 \SystemRoot\System32\Drivers\DLAIFS_M.SYS
0xBA408000 \SystemRoot\System32\Drivers\DLAOPIOM.SYS
0xA334B000 \SystemRoot\System32\Drivers\DLAPoolM.SYS
0xBA410000 \SystemRoot\System32\Drivers\DLABMFSM.SYS
0xBA418000 \SystemRoot\System32\Drivers\DLABOIOM.SYS
0x9B390000 \SystemRoot\System32\Drivers\DLAUDFAM.SYS
0x9B379000 \SystemRoot\System32\Drivers\DLAUDF_M.SYS
0x9D31F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9B2C4000 \SystemRoot\system32\drivers\wdmaud.sys
0xA1104000 \SystemRoot\system32\drivers\sysaudio.sys
0xA045F000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9AEF3000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9AE23000 \SystemRoot\system32\DRIVERS\srv.sys
0xA2CB4000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9FCE112-9C35-4D87-8298-1EF0D6B58735}\MpKsl784993ab.sys
0x9A772000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 System
844 C:\WINDOWS\system32\smss.exe
908 csrss.exe
936 C:\WINDOWS\system32\winlogon.exe
980 C:\WINDOWS\system32\services.exe
992 C:\WINDOWS\system32\lsass.exe
1172 C:\Program Files\Fingerprint Sensor\AtService.exe
1192 C:\WINDOWS\system32\svchost.exe
1260 svchost.exe
1300 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1336 C:\WINDOWS\system32\svchost.exe
1460 svchost.exe
1508 svchost.exe
1752 C:\WINDOWS\system32\WLTRYSVC.EXE
1796 C:\WINDOWS\system32\BCMWLTRY.EXE
1848 C:\WINDOWS\system32\spoolsv.exe
1880 C:\drivers\audio\R213367\stacsv.exe
420 C:\WINDOWS\explorer.exe
672 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
784 C:\Program Files\Microsoft Security Client\msseces.exe
808 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
816 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
1428 C:\Program Files\HP\Button Manager\BM.exe
356 svchost.exe
548 C:\Program Files\Microsoft\BingBar\SeaPort.EXE
1220 C:\WINDOWS\system32\svchost.exe
1384 C:\Program Files\Java\jre6\bin\jqs.exe
1604 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2280 C:\WINDOWS\system32\svchost.exe
2360 C:\WINDOWS\system32\svchost.exe
2476 C:\WINDOWS\system32\svchost.exe
2604 C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
2628 C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
2892 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
2988 C:\Program Files\TeamViewer\Version6\TeamViewer.exe
3032 C:\WINDOWS\system32\searchindexer.exe
3636 C:\Program Files\TeamViewer\Version6\tv_w32.exe
3688 C:\WINDOWS\system32\wuauclt.exe
3696 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
2408 alg.exe
3296 C:\WINDOWS\system32\svchost.exe
3120 C:\WINDOWS\system32\searchprotocolhost.exe
3868 wmiprvse.exe
608 searchfilterhost.exe
408 C:\Documents and Settings\gutter helmet\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`05649600 (NTFS)

PhysicalDrive0 Model Number: ST9160314AS, Rev: 0003DEM1

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979

Done!
 
Welcome to TechSpot! I'll help with the malware.

As you will note, I have removed the quotes from the logs. Although it does make a nice presentation, it also takes up a lot of space. I also deleted the second MBR log> the first one was okay.
==============================
The system was infected by a rogue program named System Fix. It created 'error' messages and alerts so the user will think the system has multiple malware and system problems. It also uses an attribute to hide the files:

Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
Note: This does not remove the malware- only the attribute to hide the files and programs.
===========================================
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.
----------------------
To end the processes that belong to the rogue program:
Please click on RKill
  • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
  • Double click on the iExplore.exe icon
  • Please be patient- it may take a bit.
  • The black Window will close when through and you can continue.
Note: If you get a message that RKill is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
=====================================
This malware frequently comes with the TDSS rootkit, so do the following:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
====================================
If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
====================================

Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
All logs in next reply please.
========================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
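The Unhide.exe step above clears the Hidden (+H) attribute that the System Fix rogue sets on the victim's files. The script below is an added example, not part of this thread or of Unhide.exe, that does the same job from PowerShell but leaves files that also carry the System attribute alone, so legitimately hidden OS files (desktop.ini, boot.ini, pagefile.sys) are not exposed. The profile directories used as roots are an assumption; adjust them, run it from an elevated prompt, and use -DryRun first.

```powershell
# Added example (not the thread's or any tool's own code): clear the Hidden
# attribute that the System Fix rogue sets on user files, skipping files that
# are also marked System (legitimate OS-hidden files). Run as Administrator.
param(
    # Assumption: the rogue hid files under the user and All Users profiles.
    [string[]]$Roots = @("$env:USERPROFILE", "$env:ALLUSERSPROFILE"),
    [switch]$DryRun
)

$hidden  = [System.IO.FileAttributes]::Hidden
$system  = [System.IO.FileAttributes]::System
$changed = 0
$skipped = 0

foreach ($root in $Roots) {
    # -Force is required: without it Get-ChildItem does not list hidden items at all.
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $attrs = $_.Attributes
        if (($attrs -band $hidden) -eq 0) { return }                # not hidden, nothing to do
        if (($attrs -band $system) -ne 0) { $skipped++; return }    # System+Hidden: leave as is
        if ($DryRun) {
            Write-Output "Would unhide: $($_.FullName)"
        } else {
            $_.Attributes = $attrs -band (-bnot $hidden)            # clear only the Hidden bit
            $changed++
        }
    }
}

Write-Output "Unhidden: $changed   Skipped (System+Hidden): $skipped"
```

As the original post notes, clearing the attribute only restores visibility; the rogue itself still has to be removed with the RKill, TDSSKiller and Malwarebytes steps above.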