TechSpot

Unable to receive Windows Updates or Visit AV sites

Solved
By jtoddhoward
Sep 19, 2010
  1. Good afternoon,

    I'm having some serious issues when I try to visit any sites related to Microsoft, AV, spyware cleaners, etc.

    I was able to d/l Malwarebytes by going to CNET, and so far I've been able to keep it updated. I've tried to visit several AV sites, only to receive "Error Results" when trying to access the sites directly. I can d/l AVG via CNET, but as soon as I start to install it, it tells me the file is corrupt.

    Attached to the post are logs for Malwarebytes, Combofix & Hijackthis.

    Please let me know if you have any suggestions.

    Thanks.
     


  2. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    Update.

    By opening a cmd prompt and typing "net stop dnscache", I am able to receive updates and visit AV sites. I'm going to go ahead and update Windows.
     
  3. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html

    Our instructions clearly say NOT to run Combofix on your own and NOT to make any changes to your computer until it's declared clean.
     
  4. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    My apologies, Broni.

    Should I restart dnscache before doing the scans?
     
  5. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    If you need to keep it disabled to download some tools, that's fine.
    I was mostly referring to Windows updates, which you're about to try.
    Leave them alone, for now.
     
  6. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4652

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/19/2010 7:41:00 PM
    mbam-log-2010-09-19 (19-41-00).txt

    Scan type: Quick scan
    Objects scanned: 161458
    Time elapsed: 11 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  7. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    For some reason, I can't paste the contents of the other scans, so I've attached them.
     


  8. Broni

    Broni Malware Annihilator Posts: 48,033   +271

  9. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000001fd

    Kernel Drivers (total 142):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xF7B84000 \WINDOWS\system32\KDCOM.DLL
    0xF7A94000 \WINDOWS\system32\BOOTVID.dll
    0xF7555000 ACPI.sys
    0xF7B86000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7544000 pci.sys
    0xF7684000 isapnp.sys
    0xF7694000 MountMgr.sys
    0xF7525000 ftdisk.sys
    0xF7B88000 dmload.sys
    0xF74FF000 dmio.sys
    0xF7904000 PartMgr.sys
    0xF76A4000 VolSnap.sys
    0xF7448000 iastor.sys
    0xF76B4000 disk.sys
    0xF76C4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7428000 fltmgr.sys
    0xF7416000 sr.sys
    0xF7400000 DRVMCDB.SYS
    0xF76D4000 PxHelp20.sys
    0xF73E9000 KSecDD.sys
    0xF735C000 Ntfs.sys
    0xF732F000 NDIS.sys
    0xF7315000 Mup.sys
    0xF7884000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF687F000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF686B000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF799C000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6847000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF79A4000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF681F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF67EB000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
    0xF67C8000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF66C9000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
    0xF6622000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xF79AC000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF79B4000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF7894000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7BE4000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
    0xF78A4000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF78B4000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF6556000 \SystemRoot\system32\DRIVERS\btkrnl.sys
    0xF7D76000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF78C4000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7B4C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF653F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF78D4000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF78E4000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF79BC000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF652E000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF78F4000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF79C4000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF79CC000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF64FE000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF76F4000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF79D4000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF79DC000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7BE6000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF64A0000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7B68000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7B6C000 \SystemRoot\system32\drivers\MODEMCSA.sys
    0xF55EB000 \SystemRoot\system32\drivers\btaudio.sys
    0xF55C7000 \SystemRoot\system32\drivers\portcls.sys
    0xF77C4000 \SystemRoot\system32\drivers\drmk.sys
    0xF77D4000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7764000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7C32000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xA896C000 \SystemRoot\system32\drivers\sthda.sys
    0xF5673000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xF5985000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7C48000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xA8709000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7C4A000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF5663000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
    0xF565B000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF5653000 \SystemRoot\System32\drivers\vga.sys
    0xF7B8A000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7B8C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF564B000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xA8B32000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF5979000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA8518000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA84BF000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA837C000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xA832D000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xA8CE3000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xA8131000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xA8105000 \SystemRoot\System32\drivers\afd.sys
    0xA8C83000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA80DA000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA806A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA802C000 \SystemRoot\System32\DRIVERS\klif.sys
    0xA8612000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7B94000 \??\C:\WINDOWS\System32\Drivers\Elmou.sys
    0xF7B96000 \??\C:\WINDOWS\System32\Drivers\Elmon.sys
    0xF7B98000 \??\C:\WINDOWS\System32\Drivers\Elkbd.sys
    0xAA1C0000 \??\C:\WINDOWS\System32\Drivers\Elhid.sys
    0xA8B0A000 \SystemRoot\System32\Drivers\avgmfx86.sys
    0xA7D0B000 \SystemRoot\System32\Drivers\avgldx86.sys
    0xA8159000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xA84A1000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xA7ECE000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xA8495000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xA8491000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xA69E5000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0x9BC2E000 \SystemRoot\System32\Drivers\dump_iastor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA8563000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF798C000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7C9F000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF055000 \SystemRoot\System32\ati2cqag.dll
    0xBF09B000 \SystemRoot\System32\atikvmag.dll
    0xBF0DD000 \SystemRoot\System32\ati3duag.dll
    0xBF37E000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0x9DC19000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xF7CA6000 \SystemRoot\System32\DLA\DLADResN.SYS
    0x99C18000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
    0xF7B74000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
    0xA5FFB000 \SystemRoot\System32\DLA\DLAPoolM.SYS
    0x9C052000 \SystemRoot\System32\DLA\DLABOIOM.SYS
    0x99C00000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
    0x99BEA000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
    0xA3389000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x99B95000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0x99A37000 \SystemRoot\system32\DRIVERS\css-dvp.sys
    0x99A13000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0x99982000 \SystemRoot\System32\Drivers\HTTP.sys
    0x9996D000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF58A3000 \SystemRoot\system32\drivers\sysaudio.sys
    0x998D0000 \SystemRoot\system32\drivers\ctusfsyn.sys
    0x998A0000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
    0x99852000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
    0x996C0000 \SystemRoot\system32\DRIVERS\srv.sys
    0x997E2000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA8825000 \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    0x987F5000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0x982DE000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 68):
    0 System Idle Process
    4 System
    484 C:\WINDOWS\system32\smss.exe
    564 csrss.exe
    592 C:\WINDOWS\system32\winlogon.exe
    636 C:\WINDOWS\system32\services.exe
    648 C:\WINDOWS\system32\lsass.exe
    856 C:\WINDOWS\system32\ati2evxx.exe
    872 C:\WINDOWS\system32\svchost.exe
    956 svchost.exe
    996 C:\WINDOWS\system32\svchost.exe
    1024 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    1044 C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    1084 C:\Program Files\AVG\AVG9\avgchsvx.exe
    1112 svchost.exe
    1124 C:\Program Files\AVG\AVG9\avgrsx.exe
    1204 svchost.exe
    1292 C:\WINDOWS\system32\spoolsv.exe
    1360 svchost.exe
    1416 C:\WINDOWS\system32\netdde.exe
    1464 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    1500 C:\Program Files\AVG\AVG9\avgwdsvc.exe
    1524 C:\Program Files\Bonjour\mDNSResponder.exe
    1532 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    1544 C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    1556 C:\WINDOWS\system32\CTSVCCDA.EXE
    1636 C:\Program Files\Common Files\Command Software\dvpapi.exe
    1652 C:\WINDOWS\ehome\ehrecvr.exe
    1720 C:\WINDOWS\ehome\ehSched.exe
    1856 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    1984 C:\WINDOWS\explorer.exe
    288 C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
    476 C:\Program Files\Common Files\Motive\McciCMService.exe
    900 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    1392 C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    1792 C:\WINDOWS\system32\snmp.exe
    1896 svchost.exe
    1976 C:\WINDOWS\system32\svchost.exe
    2140 mcrdsvc.exe
    2728 C:\Program Files\AVG\AVG9\avgnsx.exe
    3124 C:\WINDOWS\system32\dllhost.exe
    3312 C:\WINDOWS\system32\wscntfy.exe
    3324 alg.exe
    3600 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
    3612 C:\WINDOWS\stsystra.exe
    3632 C:\Program Files\ATT-SST\McciTrayApp.exe
    3640 C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
    3656 C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
    3692 C:\Program Files\BellSouthWCC\McciTrayApp.exe
    3712 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    3736 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
    3744 C:\WINDOWS\system32\dlcccoms.exe
    3820 C:\Program Files\Hp\hpcoretech\hpcmpmgr.exe
    3852 C:\PROGRA~1\AVG\AVG9\avgtray.exe
    4024 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    4048 C:\Program Files\Digital Line Detect\DLG.exe
    4064 C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    468 C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    1684 C:\Program Files\SetPoint\SetPoint.exe
    1760 C:\Program Files\CASIO\YouTube Uploader for CASIO\YStart.exe
    2276 C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    2368 C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    2252 C:\Program Files\Hp\Digital Imaging\bin\hpqgalry.exe
    2840 C:\Program Files\Internet Explorer\iexplore.exe
    2356 C:\Program Files\Internet Explorer\iexplore.exe
    516 C:\WINDOWS\system32\svchost.exe
    4616 C:\Program Files\Internet Explorer\iexplore.exe
    4228 C:\Documents and Settings\Lisa Bevins\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD3200KS-75PFB0, Rev: 21.00M21

    Size    Device Name          MBR Status
    --------------------------------------------
    298 GB  \\.\PhysicalDrive0   Unknown MBR code
    SHA1: BF118E4CFC2D7C7489A85AC7AD11D2A979F74824


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  10. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Your MBR seems to be infected...

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.
     
  11. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000001fd

    Kernel Drivers (total 142):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xF7B84000 \WINDOWS\system32\KDCOM.DLL
    0xF7A94000 \WINDOWS\system32\BOOTVID.dll
    0xF7555000 ACPI.sys
    0xF7B86000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7544000 pci.sys
    0xF7684000 isapnp.sys
    0xF7694000 MountMgr.sys
    0xF7525000 ftdisk.sys
    0xF7B88000 dmload.sys
    0xF74FF000 dmio.sys
    0xF7904000 PartMgr.sys
    0xF76A4000 VolSnap.sys
    0xF7448000 iastor.sys
    0xF76B4000 disk.sys
    0xF76C4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7428000 fltmgr.sys
    0xF7416000 sr.sys
    0xF7400000 DRVMCDB.SYS
    0xF76D4000 PxHelp20.sys
    0xF73E9000 KSecDD.sys
    0xF735C000 Ntfs.sys
    0xF732F000 NDIS.sys
    0xF7315000 Mup.sys
    0xF65F3000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF61C4000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF61B0000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF6177000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xF7A0C000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6153000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7A14000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF612B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF60F7000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
    0xF60D4000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF5FD5000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
    0xF5F2E000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xF7A1C000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF7A24000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF65E3000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7BEC000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
    0xF65D3000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF65C3000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF5E62000 \SystemRoot\system32\DRIVERS\btkrnl.sys
    0xF7CA4000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF65B3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF6D70000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF5E4B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF65A3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF6593000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7A2C000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF5E3A000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF6583000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7A34000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7A3C000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF5E0A000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF6573000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7A44000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7A4C000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7BF6000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF5DAC000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7B60000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7B64000 \SystemRoot\system32\drivers\MODEMCSA.sys
    0xF4EE0000 \SystemRoot\system32\drivers\btaudio.sys
    0xF4EBC000 \SystemRoot\system32\drivers\portcls.sys
    0xF77D4000 \SystemRoot\system32\drivers\drmk.sys
    0xF77E4000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7724000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7C40000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xA958F000 \SystemRoot\system32\drivers\sthda.sys
    0xF7934000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xF51D8000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7B94000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7CC5000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7B96000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF794C000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
    0xF7954000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF7994000 \SystemRoot\System32\drivers\vga.sys
    0xF7B98000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7B9A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF4F76000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF4F6E000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF51CC000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA85FD000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA85A4000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA856A000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xA8544000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xA952B000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xA8377000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xA8355000 \SystemRoot\System32\drivers\afd.sys
    0xA94FB000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA828A000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA821A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA81DC000 \SystemRoot\System32\DRIVERS\klif.sys
    0xF7754000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7BBA000 \??\C:\WINDOWS\System32\Drivers\Elmou.sys
    0xF7BBC000 \??\C:\WINDOWS\System32\Drivers\Elmon.sys
    0xF7BBE000 \??\C:\WINDOWS\System32\Drivers\Elkbd.sys
    0xF72DC000 \??\C:\WINDOWS\System32\Drivers\Elhid.sys
    0xF4F3E000 \SystemRoot\System32\Drivers\avgmfx86.sys
    0xA7C19000 \SystemRoot\System32\Drivers\avgldx86.sys
    0xA88DE000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xA8654000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xA82F5000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xA864C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xA8648000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF7894000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0x9BFB3000 \SystemRoot\System32\Drivers\dump_iastor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF72D4000 \SystemRoot\System32\drivers\Dxapi.sys
    0x9C092000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7D35000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF055000 \SystemRoot\System32\ati2cqag.dll
    0xBF09B000 \SystemRoot\System32\atikvmag.dll
    0xBF0DD000 \SystemRoot\System32\ati3duag.dll
    0xBF37E000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA6D73000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xF7D2D000 \SystemRoot\System32\DLA\DLADResN.SYS
    0x99F9D000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
    0xA863C000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
    0xA7F8E000 \SystemRoot\System32\DLA\DLAPoolM.SYS
    0xA7B9F000 \SystemRoot\System32\DLA\DLABOIOM.SYS
    0x99F85000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
    0x99F6F000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
    0xF7B78000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x99E6A000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF78A4000 \SystemRoot\system32\drivers\sysaudio.sys
    0x99E1C000 \SystemRoot\system32\drivers\kmixer.sys
    0x99DF5000 \SystemRoot\system32\drivers\ctusfsyn.sys
    0x99DC5000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
    0x99D9F000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
    0x99C01000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0x99ACB000 \SystemRoot\system32\DRIVERS\css-dvp.sys
    0x99AA7000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0x998FE000 \SystemRoot\System32\Drivers\HTTP.sys
    0x997BC000 \SystemRoot\system32\DRIVERS\srv.sys
    0x99520000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0x9CE74000 \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 65):
    0 System Idle Process
    4 System
    688 C:\WINDOWS\system32\smss.exe
    768 csrss.exe
    796 C:\WINDOWS\system32\winlogon.exe
    840 C:\WINDOWS\system32\services.exe
    852 C:\WINDOWS\system32\lsass.exe
    1068 C:\WINDOWS\system32\ati2evxx.exe
    1084 C:\WINDOWS\system32\svchost.exe
    1168 svchost.exe
    1264 C:\WINDOWS\system32\svchost.exe
    1288 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    1312 C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    1340 C:\Program Files\AVG\AVG9\avgchsvx.exe
    1348 C:\Program Files\AVG\AVG9\avgrsx.exe
    1584 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    1604 svchost.exe
    1684 svchost.exe
    1928 C:\WINDOWS\system32\spoolsv.exe
    452 C:\WINDOWS\explorer.exe
    560 svchost.exe
    672 C:\WINDOWS\system32\netdde.exe
    876 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    172 C:\Program Files\AVG\AVG9\avgwdsvc.exe
    988 C:\Program Files\Bonjour\mDNSResponder.exe
    1128 C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    1204 C:\WINDOWS\system32\CTSVCCDA.EXE
    1248 C:\Program Files\Common Files\Command Software\dvpapi.exe
    1436 C:\WINDOWS\ehome\ehrecvr.exe
    1620 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
    1656 C:\WINDOWS\stsystra.exe
    1896 C:\WINDOWS\ehome\ehSched.exe
    1976 C:\Program Files\ATT-SST\McciTrayApp.exe
    2004 C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
    2088 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    2104 C:\Program Files\BellSouthWCC\McciTrayApp.exe
    2140 C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
    2184 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    2216 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
    2252 C:\Program Files\Hp\hpcoretech\hpcmpmgr.exe
    2336 C:\Program Files\Common Files\Motive\McciCMService.exe
    2356 C:\Program Files\AVG\AVG9\avgtray.exe
    2472 C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    2504 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    2552 C:\Program Files\Digital Line Detect\DLG.exe
    2600 C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    2712 C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    2724 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    2804 C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    2828 C:\Program Files\SetPoint\SetPoint.exe
    2884 C:\Program Files\CASIO\YouTube Uploader for CASIO\YStart.exe
    3040 C:\WINDOWS\system32\snmp.exe
    3048 C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    3132 C:\Program Files\AVG\AVG9\avgnsx.exe
    3140 svchost.exe
    3236 C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    3416 C:\WINDOWS\system32\svchost.exe
    3800 mcrdsvc.exe
    2648 C:\Program Files\Hp\Digital Imaging\bin\hpqgalry.exe
    3536 C:\WINDOWS\system32\dllhost.exe
    2408 C:\WINDOWS\system32\dlcccoms.exe
    1548 C:\WINDOWS\system32\wscntfy.exe
    2364 alg.exe
    4228 C:\WINDOWS\system32\svchost.exe
    4632 C:\Documents and Settings\Lisa Bevins\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD3200KS-75PFB0, Rev: 21.00M21

    Size    Device Name          MBR Status
    --------------------------------------------
    298 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
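The two MBRCheck logs in this thread differ only in the drive-summary block: the MBR status goes from "Unknown MBR code" to "Windows XP MBR code detected" and the SHA1 of the boot sector changes. As an added example (this is not code from the thread, from TechSpot, or from the MBRCheck tool itself), here is a small Python parser for that block. It pulls out each drive's status and SHA1, flags a drive whose boot code MBRCheck could not identify, and compares two runs so the before/after change is visible. The regular expressions, the function names and the "MBR code detected" suffix used as the clean marker are this example's own assumptions about the log layout; the sample logs are constructed from the status lines the two posts show.

```python
"""Parse the drive-summary block of an MBRCheck log and flag a non-standard MBR.

Added example for the TechSpot thread; not part of MBRCheck. The sample
logs below are constructed from the status lines shown in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the summary block from the first MBRCheck run.
LOG_BEFORE = r"""
Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: BF118E4CFC2D7C7489A85AC7AD11D2A979F74824


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
"""

# Constructed sample: the summary block after the standard MBR was written back.
LOG_AFTER = r"""
Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
"""

# Assumed layout: "<size> <unit> \\.\PhysicalDriveN <status text>" on one line,
# followed by a "SHA1: <40 hex digits>" line for that drive.
DRIVE_RE = re.compile(
    r"^(?P<size>\d+\s*[KMGT]B)\s+(?P<device>\\\\\.\\\S+)\s+(?P<status>.+?)\s*$"
)
SHA1_RE = re.compile(r"^SHA1:\s*(?P<sha1>[0-9A-Fa-f]{40})\s*$")
WARNING = "Found non-standard or infected MBR."


@dataclass
class DriveReport:
    size: str
    device: str
    status: str
    sha1: str          # SHA1 of the 512-byte boot sector, as printed by MBRCheck
    suspicious: bool   # True when the boot code was not matched to a known Windows MBR


@dataclass
class ScanResult:
    drives: List[DriveReport]
    warned: bool       # True when the log carries MBRCheck's infected-MBR warning


def parse_mbrcheck(text: str) -> ScanResult:
    """Return one DriveReport per physical drive listed in the log text."""
    drives: List[DriveReport] = []
    for line in text.splitlines():
        line = line.strip()
        m = DRIVE_RE.match(line)
        if m:
            status = m.group("status")
            # Anything other than "<Windows version> MBR code detected" is treated as
            # unidentified boot code and flagged for a closer look.
            drives.append(DriveReport(m.group("size"), m.group("device"), status, "",
                                      not status.endswith("MBR code detected")))
            continue
        m = SHA1_RE.match(line)
        if m and drives and not drives[-1].sha1:
            drives[-1].sha1 = m.group("sha1").upper()
    return ScanResult(drives, WARNING in text)


def compare_runs(before: str, after: str) -> Dict[str, Tuple[str, str, bool]]:
    """Map device -> (old SHA1, new SHA1, clean_now) across two MBRCheck runs."""
    old = {d.device: d for d in parse_mbrcheck(before).drives}
    new = {d.device: d for d in parse_mbrcheck(after).drives}
    result: Dict[str, Tuple[str, str, bool]] = {}
    for dev in sorted(old.keys() | new.keys()):
        o, n = old.get(dev), new.get(dev)
        result[dev] = (o.sha1 if o else "", n.sha1 if n else "", bool(n and not n.suspicious))
    return result


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        res = parse_mbrcheck(log)
        for d in res.drives:
            flag = "SUSPICIOUS" if d.suspicious else "ok"
            print(f"{label}: {d.device} {d.size} [{flag}] {d.status} sha1={d.sha1}")
        print(f"{label}: warning present = {res.warned}")
    for dev, (old_sha, new_sha, clean) in compare_runs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{dev}: {old_sha} -> {new_sha}, clean now: {clean}")
```

"Unknown MBR code" only means the boot sector's hash did not match one of the Windows MBRs the tool knows; an OEM recovery boot manager or a third-party boot loader produces the same verdict, so the flag is a prompt to inspect the sector, not proof of infection on its own. Keeping the SHA1 from a clean run, as the second log here provides, gives a baseline to compare against later.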
     
     
  12. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Looks good :)

    Navigate to C:\Qoobox and post ComboFix2.txt

    Also, re-run Combofix and post new log.
     
  13. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    ComboFix 10-09-17.04 - Lisa Bevins 09/19/2010 14:03:36.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.500 [GMT -4:00]
    Running from: c:\documents and settings\Lisa Bevins\Desktop\ComboFix.exe
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
    .

    2010-09-17 19:00 . 2010-09-17 19:06 -------- d-----w- C:\Fix
    2010-09-17 18:22 . 2010-09-17 18:22 -------- d-----w- c:\program files\Trend Micro
    2010-09-17 18:13 . 2010-09-17 19:11 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-09-17 18:11 . 2010-09-17 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-09-17 18:11 . 2010-09-17 18:11 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-09-17 17:46 . 2010-09-17 17:46 -------- d-----w- c:\documents and settings\Lisa Bevins\Local Settings\Application Data\Mozilla
    2010-09-15 22:27 . 2010-09-15 21:42 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
    2010-09-15 21:37 . 2010-09-17 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-09-15 15:11 . 2010-09-15 15:11 -------- d-----w- c:\windows\system32\vmm32
    2010-09-15 01:31 . 2010-09-15 01:31 -------- d-----w- c:\windows\wt
    2010-09-14 22:46 . 2010-09-14 22:46 -------- d-----w- c:\documents and settings\Lisa Bevins\Application Data\Malwarebytes
    2010-09-14 22:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-14 22:46 . 2010-09-14 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-14 22:46 . 2010-09-14 22:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-14 22:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-14 21:43 . 2010-09-14 21:44 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Staging\wtf\start.exe
    2010-09-14 21:41 . 2010-09-14 21:41 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.2.30.1.dll
    2010-09-14 21:04 . 2010-09-14 21:04 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-09-14 21:03 . 2010-09-14 21:03 -------- d-----w- c:\windows\IIS Temporary Compressed Files
    2010-09-14 21:03 . 2010-09-14 21:03 -------- d-----w- c:\windows\system32\Logfiles
    2010-09-14 21:02 . 2010-09-14 21:02 -------- d-----w- c:\program files\Hewlett-Packard
    2010-09-14 21:01 . 2010-09-14 21:01 -------- d-----w- c:\program files\Common Files\xing shared
    2010-09-11 16:00 . 2010-09-11 16:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-09-10 23:34 . 2010-09-15 02:45 -------- d-----w- c:\program files\Optimizer Tool
    2010-09-10 03:17 . 2010-09-10 03:17 -------- d-----w- c:\documents and settings\Lisa Bevins\Application Data\ParetoLogic
    2010-09-10 03:17 . 2010-09-10 03:17 -------- d-----w- c:\documents and settings\Lisa Bevins\Application Data\DriverCure
    2010-08-31 14:53 . 2010-08-31 14:53 -------- d-----w- c:\program files\Common Files\HP
    2010-08-31 14:52 . 2010-08-31 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2010-08-31 14:52 . 2010-08-31 14:52 45056 ----a-r- c:\documents and settings\Lisa Bevins\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
    2010-08-31 03:11 . 2010-08-31 15:04 104200 ----a-w- c:\windows\hpoins04.dat
    2010-08-31 03:11 . 2004-06-22 15:04 17176 ------w- c:\windows\hpomdl04.dat
    2010-08-31 03:11 . 2004-06-22 15:05 90112 ----a-w- c:\windows\system32\hpovst08.dll
    2010-08-31 03:11 . 2004-06-22 15:05 581632 ----a-w- c:\windows\system32\hpotscl.dll
    2010-08-31 03:10 . 2004-06-22 15:05 180315 ----a-w- c:\windows\system32\hpzsnt10.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-19 18:08 . 2010-01-13 01:35 38436640 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-09-19 18:02 . 2009-09-14 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
    2010-09-19 17:55 . 2009-04-11 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
    2010-09-19 17:55 . 2009-04-11 19:22 484 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
    2010-09-19 16:25 . 2010-01-13 01:35 524576 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-09-19 16:25 . 2010-01-13 01:35 514172 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-09-19 16:25 . 2010-01-13 01:35 27284 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-09-17 19:17 . 2006-10-24 07:15 -------- d-----w- c:\program files\Dell
    2010-09-17 18:42 . 2010-09-17 18:42 200 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
    2010-09-17 18:32 . 2010-09-17 18:31 1016 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-09-15 02:41 . 2010-04-11 15:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-09-15 02:41 . 2010-04-11 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-14 21:05 . 2009-03-13 01:36 -------- d-----w- c:\program files\Common Files\Motive
    2010-09-14 21:03 . 2010-01-12 23:02 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-09-14 21:03 . 2010-01-12 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
    2010-09-14 21:03 . 2009-06-04 12:59 -------- d-----w- c:\program files\ATT-SST
    2010-09-14 21:02 . 2006-10-24 07:19 -------- d-----w- c:\program files\Common Files\Real
    2010-09-14 21:01 . 2010-06-23 21:19 -------- d-----w- c:\program files\real
    2010-09-14 21:01 . 2006-10-24 07:14 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-13 21:47 . 2009-04-11 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-09-13 21:45 . 2009-09-15 16:59 -------- d-----w- c:\program files\Dl_cats
    2010-09-12 01:40 . 2009-03-20 13:36 -------- d-----w- c:\documents and settings\Lisa Bevins\Application Data\Motive
    2010-09-10 21:36 . 2010-09-19 02:58 293610 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    2010-08-31 14:52 . 2009-03-13 17:23 -------- d-----w- c:\program files\Hp
    2010-08-27 22:46 . 2010-03-13 15:49 -------- d-----w- c:\documents and settings\Lisa Bevins\Application Data\Temp
    2010-07-30 19:21 . 2010-07-30 19:21 251 ----a-w- c:\program files\wt3d.ini
    2010-06-23 21:20 . 2010-06-23 21:20 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-06-23 21:20 . 2010-06-23 21:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-06-23 21:20 . 2010-06-23 21:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-06-23 21:20 . 2010-06-23 21:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-06-23 21:20 . 2010-06-23 21:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-06-23 21:20 . 2010-06-23 21:20 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-06-23 21:20 . 2010-06-23 21:20 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-06-23 21:20 . 2010-06-23 21:20 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-06-23 21:20 . 2010-06-23 21:20 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-06-23 21:19 . 2006-07-11 23:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-04-06 01:53 . 2009-03-26 15:30 88 -csh--r- c:\windows\system32\870834A103.sys
    2009-03-21 14:06 . 2005-08-16 09:18 168989 --sha-r- c:\windows\system32\fndfj(2).dll
    2009-03-21 14:06 . 2005-08-16 09:18 168989 --sha-r- c:\windows\system32\fndfj(3).dll
    2009-03-21 14:06 . 2005-08-16 09:18 168989 --sha-r- c:\windows\system32\fndfj(4).dll
    2009-03-21 14:06 . 2005-08-16 09:18 168989 --sha-r- c:\windows\system32\fndfj.dll
    2010-04-06 01:53 . 2009-03-26 15:30 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-09-17_19.03.08 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-19 17:55 . 2010-09-19 17:55 16384 c:\windows\temp\Perflib_Perfdata_9ac.dat
    + 2005-08-16 09:18 . 2010-09-17 19:08 94600 c:\windows\system32\perfc009.dat
    + 2005-08-16 09:18 . 2010-09-17 19:08 511626 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 28160]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]
    "dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112]
    "BellSouthWCC_McciTrayApp"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2009-11-18 1577984]
    "ATT_WCC"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2009-11-18 1577984]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Lisa Bevins\Start Menu\Programs\Startup\
    Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-21 385024]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-6-12 622653]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-24 24576]
    HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
    HP Image Zone Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
    SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2006-10-24 532480]
    YouTube Uploader for CASIO.lnk - c:\program files\CASIO\YouTube Uploader for CASIO\YStart.exe [2008-12-9 79808]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2006-04-27 15:30 53248 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9925:TCP"= 9925:TCP:pfmhpzib
    "9322:TCP"= 9322:TCP:EKDiscovery

    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [8/5/2009 1:49 PM 284016]
    S2 aaxks;Shell Installer;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
    S2 jvrxz;Boot Manager;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
    S2 phsyhxf;Boot Support;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
    S2 ueyjfphy;Support Installer;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
    S2 uffshlud;Security Universal;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
    S2 xzdhtcb;Monitor Network;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
    S2 yopajzse;Shell Boot;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
    S3 curhdyq;curhdyq;\??\c:\windows\system32\0D.tmp --> c:\windows\system32\0D.tmp [?]
    S3 tbqzw;tbqzw;\??\c:\windows\system32\0A.tmp --> c:\windows\system32\0A.tmp [?]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    jvrxz
    xzdhtcb
    phsyhxf
    ueyjfphy
    uffshlud
    aaxks
    yopajzse
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-586396946-4029955019-800561833-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-09-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-586396946-4029955019-800561833-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://att.my.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    Trusted Zone: motive.com\patttbc.att
    Trusted Zone: musicmatch.com\online
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\curhdyq]
    "ImagePath"="\??\c:\windows\system32\0D.tmp"

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tbqzw]
    "ImagePath"="\??\c:\windows\system32\0A.tmp"

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aaxks]
    "ServiceDll"="c:\windows\system32\fndfj.dll"
    --

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvrxz]
    "ServiceDll"="c:\windows\system32\fndfj.dll"
    --

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\phsyhxf]
    "ServiceDll"="c:\windows\system32\fndfj.dll"
    --

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ueyjfphy]
    "ServiceDll"="c:\windows\system32\fndfj.dll"

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\uffshlud]
    "ServiceDll"="c:\windows\system32\fndfj.dll"
    --

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xzdhtcb]
    "ServiceDll"="c:\windows\system32\fndfj.dll"

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\yopajzse]
    "ServiceDll"="c:\windows\system32\fndfj.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(764)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll

    - - - - - - - > 'explorer.exe'(2384)
    c:\program files\Common Files\Motive\McciContextHook_DSR.dll
    c:\program files\SetPoint\lgscroll.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2010-09-19 14:09:59
    ComboFix-quarantined-files.txt 2010-09-19 18:09
    ComboFix2.txt 2010-09-17 19:06

    Pre-Run: 269,564,416,000 bytes free
    Post-Run: 269,550,792,704 bytes free

    Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 3944965808D5D7F20B3353D5D737BB3C
     
  14. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    new combofix log

    The previous post was Combofix2.txt and this one is the new log.
     

    Attached Files:

  15. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    1. Please open Notepad
    • Click Start , then Run
• Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\870834A103.sys
    c:\windows\system32\drivers\srwacimx.sys
    c:\windows\system32\0D.tmp
    c:\windows\system32\0A.tmp
    
    
    Folder::
    c:\documents and settings\All Users\Application Data\STOPzilla!
    
    
    Driver::
    srwacimx
    aaxks
    jvrxz
    phsyhxf
    ueyjfphy
    uffshlud
    xzdhtcb
    yopajzse
    curhdyq
    tbqzw
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\curhdyq]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tbqzw]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aaxks]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvrxz]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\phsyhxf]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ueyjfphy]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\uffshlud]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xzdhtcb]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\yopajzse]
    
    

    3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation not reproduced)


6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
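The log in post 13 and the CFScript in post 15 together show the pattern being cleaned: seven services with random names hosted by svchost.exe -k netsvcs, all pointing their ServiceDll at the same fndfj.dll and all added to the netsvcs group, plus two services whose ImagePath is a .tmp file in system32. The Python below is an added example, not part of this thread and not Broni's tooling: it parses those sections of a ComboFix log, flags services on exactly those three signals, and drafts the File::/Driver::/Registry:: sections of a CFScript for comparison with what the helper actually posted. The sample input is quoted (abridged) from the log above with the Kodak service kept as a clean control; the ControlSet number is taken from the key names in the log; the three heuristics are this example's own choices, not ComboFix's.

```python
import re
from collections import defaultdict

# Constructed sample input, quoted (abridged) from the ComboFix log posted above:
# service lines, the "Svchost - NetSvcs" additions and the hidden-service registry
# dump. The Kodak service is a clean control; four ServiceDll keys are omitted.
SAMPLE_LOG = r"""
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [8/5/2009 1:49 PM 284016]
S2 aaxks;Shell Installer;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 jvrxz;Boot Manager;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 phsyhxf;Boot Support;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 ueyjfphy;Support Installer;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 uffshlud;Security Universal;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 xzdhtcb;Monitor Network;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 yopajzse;Shell Boot;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S3 curhdyq;curhdyq;\??\c:\windows\system32\0D.tmp --> c:\windows\system32\0D.tmp [?]
S3 tbqzw;tbqzw;\??\c:\windows\system32\0A.tmp --> c:\windows\system32\0A.tmp [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jvrxz
xzdhtcb
phsyhxf
ueyjfphy
uffshlud
aaxks
yopajzse
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\curhdyq]
"ImagePath"="\??\c:\windows\system32\0D.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tbqzw]
"ImagePath"="\??\c:\windows\system32\0A.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aaxks]
"ServiceDll"="c:\windows\system32\fndfj.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvrxz]
"ServiceDll"="c:\windows\system32\fndfj.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\phsyhxf]
"ServiceDll"="c:\windows\system32\fndfj.dll"
"""

SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*?)\s+\[[^\]]*\]$")
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\(ControlSet\d{3})\\Services\\([^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(ImagePath|ServiceDll)"="(.*)"$')

def parse_combofix(text):
    """Return (services, netsvcs_added, control_set) from a ComboFix log excerpt."""
    services, netsvcs_added = defaultdict(dict), set()
    control_set, current, in_netsvcs = None, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if in_netsvcs:                      # ComboFix ends the list with a lone "."
            if line == ".":
                in_netsvcs = False
            elif line:
                netsvcs_added.add(line)
        elif line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
        elif (m := SERVICE_RE.match(line)):
            services[m.group(1)]["image"] = m.group(2)
        elif (m := KEY_RE.match(line)):
            control_set, current = m.group(1), m.group(2)
        elif current and (m := VALUE_RE.match(line)):
            services[current][m.group(1)] = m.group(2)
    return dict(services), netsvcs_added, control_set

def flag_services(services, netsvcs_added):
    """Map service name -> reasons, using the three signals visible in this log."""
    owners = defaultdict(list)              # ServiceDll path -> services using it
    for name, svc in services.items():
        if "ServiceDll" in svc:
            owners[svc["ServiceDll"].lower()].append(name)
    findings = {}
    for name, svc in services.items():
        reasons = []
        binary = (svc.get("ImagePath") or svc.get("image", "")).lower()
        if re.search(r"\.tmp(\s|$)", binary):
            reasons.append("service binary is a .tmp file")
        dll = svc.get("ServiceDll", "").lower()
        if dll and len(owners[dll]) > 1:
            reasons.append(f"ServiceDll {dll} is shared by {len(owners[dll])} services")
        if name in netsvcs_added:           # ComboFix omits default netsvcs members
            reasons.append("non-default member of the svchost netsvcs group")
        if reasons:
            findings[name] = reasons
    return findings

def build_cfscript(findings, services, control_set):
    """Draft File::/Driver::/Registry:: sections for an analyst to review."""
    files = set()
    for name in findings:
        svc = services[name]
        if svc.get("ImagePath", "").lower().endswith(".tmp"):
            files.add(svc["ImagePath"].replace("\\??\\", ""))   # strip the \??\ NT prefix
        if "ServiceDll" in svc:
            files.add(svc["ServiceDll"])
    names = sorted(findings)
    out = ["File::", *sorted(files), "", "Driver::", *names, "", "Registry::"]
    out += [f"[-HKEY_LOCAL_MACHINE\\System\\{control_set}\\Services\\{n}]" for n in names]
    return "\n".join(out) + "\n"
```

Treat the generated script as a review aid only: the thread's own rule, not to run ComboFix or a CFScript without a helper's guidance, still applies, and the draft differs from Broni's script (it lists the shared fndfj.dll under File::, which he did not, and it cannot know about srwacimx.sys or the STOPzilla! folder, which came from the OTL and earlier logs). The netsvcs signal relies on ComboFix's convention that default netsvcs members are not printed, so any name under "Svchost - NetSvcs" is already a non-default addition.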
     
  16. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    combofix.txt

    file is attached
     

    Attached Files:

  17. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    It looks much better :)

How is the computer doing?

    Update and re-run MBAM. Post new log.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  18. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

The computer seems to be returning to normal. Will post the OTL logs in a few.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4660

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/20/2010 6:21:30 PM
    mbam-log-2010-09-20 (18-21-30).txt

    Scan type: Quick scan
    Objects scanned: 164431
    Time elapsed: 6 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  19. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    otl logs attached
     

    Attached Files:

  20. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} http://support.att.net/sdccommon/download/tgctlcm.cab (Reg Error: Key error.)
      O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Reg Error: Key error.)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab (Reg Error: Key error.)
      [2006/10/24 03:19:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  21. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

OTL log and Security Check log attached. I'm 1 1/2 hours into the Kaspersky scan. Will post when finished.
     

    Attached Files:

  22. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
Note: If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), and download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot fewer resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
On this page (screenshot not reproduced), make sure you have both boxes UN-checked AND (important!) click on the Decline button.
     
  23. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, September 20, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, September 20, 2010 19:08:13
    Records in database: 4230659
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan statistics:
    Objects scanned: 98754
    Threats found: 1
    Infected objects found: 1
    Suspicious objects found: 0
    Scan duration: 02:02:08


    File name / Threat / Threats count
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP139\A0132792.DLL Infected: Packed.Win32.Krap.hc 1

    Selected area has been scanned.
     
  24. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    The above will be cleaned through our last step...


Your computer is clean.

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please let me know how your computer is doing.
     
  25. jtoddhoward

    jtoddhoward TS Rookie Topic Starter Posts: 20

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56504 bytes

    User: Lisa Bevins
    ->Temp folder emptied: 108668272 bytes
    ->Temporary Internet Files folder emptied: 6966620 bytes
    ->Java cache emptied: 143767 bytes
    ->Flash cache emptied: 456 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Roger Bevins
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 111.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Lisa Bevins
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    User: Roger Bevins

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.14.0 log created on 09202010_221258

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\Lisa Bevins\Local Settings\Temp\hsperfdata_Lisa Bevins\4580 not found!
    File\Folder C:\Documents and Settings\Lisa Bevins\Local Settings\Temp\hsperfdata_Lisa Bevins\5156 not found!
    File\Folder C:\Documents and Settings\Lisa Bevins\Local Settings\Temp\Perflib_Perfdata_b48.dat not found!
    C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\S5L66FE2\ads[5].htm moved successfully.
    C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\S5L66FE2\ads[7].htm moved successfully.
    C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\S5L66FE2\topic153552-2[1].html moved successfully.
    C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\91OLE3Z0\pngbehavior[1].htc moved successfully.
    C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\2F4Y83DJ\info[1].htm moved successfully.
    C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\2F4Y83DJ\sh23[1].html moved successfully.
    C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

    Registry entries deleted on Reboot...
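The OTL cleanup log above is plain text in a fixed shape (a `[SECTION]` header, `User:` blocks with `->... emptied: N bytes` items, then the "moved on Reboot" results). When reviewing many such logs it helps to total the bytes per user and to separate the files that were actually moved from the ones OTL could not find. The parser below is an added example, not part of the original post and not OTL's own code; the embedded sample is a constructed excerpt in the same format as the log posted here, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the OTL log posted in this thread.
SAMPLE_LOG = r"""
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Lisa Bevins
->Temp folder emptied: 108668272 bytes
->Temporary Internet Files folder emptied: 6966620 bytes
->Java cache emptied: 143767 bytes
->Flash cache emptied: 456 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 111.00 mb

[EMPTYFLASH]

User: Lisa Bevins
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Lisa Bevins\Local Settings\Temp\Perflib_Perfdata_b48.dat not found!
C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\S5L66FE2\ads[5].htm moved successfully.
C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")                       # [EMPTYTEMP], [EMPTYFLASH]
USER_RE = re.compile(r"^User: (.+)$")                          # start of a per-user block
ITEM_RE = re.compile(r"^->(.+?) emptied: (\d+) bytes$")        # per-user folder/cache line
SYSTEM_RE = re.compile(r"^(.+?) (?:emptied|removed): (\d+) bytes$")  # system-wide line
NOTFOUND_RE = re.compile(r"^File\\Folder (.+) not found!$")    # reboot-move miss
MOVED_RE = re.compile(r"^(.+) moved successfully\.$")          # reboot-move hit


def parse_otl_log(text):
    """Parse an OTL cleanup log into per-section, per-user byte counts plus
    the lists of paths moved on reboot and paths that were not found."""
    parsed = {
        "sections": defaultdict(lambda: defaultdict(dict)),  # section -> user -> item -> bytes
        "system": {},                                         # system-wide item -> bytes
        "moved": [],
        "not_found": [],
    }
    section = user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, user = m.group(1), None
        elif m := USER_RE.match(line):
            user = m.group(1)
        elif m := ITEM_RE.match(line):
            if section and user:  # ignore items outside a user block
                parsed["sections"][section][user][m.group(1)] = int(m.group(2))
        elif m := NOTFOUND_RE.match(line):
            parsed["not_found"].append(m.group(1))
        elif m := MOVED_RE.match(line):
            parsed["moved"].append(m.group(1))
        elif m := SYSTEM_RE.match(line):
            parsed["system"][m.group(1)] = int(m.group(2))
    return parsed


def bytes_per_user(parsed, section="EMPTYTEMP"):
    """Total bytes cleaned per user within one section, as a plain dict."""
    return {user: sum(items.values())
            for user, items in parsed["sections"].get(section, {}).items()}


if __name__ == "__main__":
    result = parse_otl_log(SAMPLE_LOG)
    for user, total in sorted(bytes_per_user(result).items(), key=lambda kv: -kv[1]):
        print(f"{user:20s} {total / 1048576:8.2f} MiB")
    print(f"moved: {len(result['moved'])}, not found: {len(result['not_found'])}")
```

Per-user totals make it obvious which profile held the bulk of the temporary data (here the one the infected browser ran under), and the "not found" list is worth a glance: those are paths OTL queued for removal that no longer existed at reboot, which is normal for short-lived files such as the Perflib data file but would be worth a second look for anything that had been flagged as malicious.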
     
Topic Status:
Not open for further replies.

