TechSpot

Virus removal help needed

By kerry123
May 6, 2012
  1. Late last week we had a virus on our computer. I forget the name, but it was one that ran a scan that recommended you buy the software to fix all the problems. After looking online for help, I removed it through Add/Remove programs (I know that didn't take care of it). I wasn't able to follow other directions that I found online by starting the computer in safe mode, as trying to start the computer in safe mode took me to a blue screen. I tried to download malwarebytes antivirus, but keep getting an "access is denied" message (still getting that today.)

    I downloaded a program (I think Anvisoft) and ran a scan with that.

    I would like to follow the 5 step removal process, but cannot even get Malwarebytes to download. And I think another virus has crept on, today my internet keeps shutting down and about 20 system error messages popped on my screen, and another scan program "SMART Check" tried to run.

    Also, links through google are re-directing to ad sites.

    There is also a hard disk failure message and device initialization failure message on my screen now. Why do people do this? I appreciate any help - thank you.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! It sounds like you have a lot going on! One of them is a rogue program that will give you messages telling you that you have critical system failures, that you have problems that need to be fixed and you need their program to fix them!!! You need to ignore those messages; don't click on them, because each time you do, it may launch the malware again.

    The most serious mention you make is the possibility of hard drive failure. This may only be one of the fake messages created by the rogue malware. But there is a chance that the hard drive may really be going. It is important that you do NOT act at this time on any of these messages. I do not know enough now to suggest either.

    Please do not panic and start trying to run programs from someone else's instructions or from the internet. When I learn what you can and can't do on the system, I will be better able to guide you.


    But I cannot help you until I get more specific information.

    1. Do you have an internet connection?
    2. Can you boot into normal Mode?
    3. Can you Boot into Safe Mode with Networking?
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
    4. At what point do you get "access denied?" Does this happen when you try to open a program? Or does it happen when you try to run a program such as a scan?
    5. What operating system are you using?
    6. Are you the Administrator? Are you logging on using the Administrative account?
    7. Do you have a flash drive? Do you have another computer that is clean that you can download programs to?

    This is information gathering only right now. I can't direct you until I know what is available for you to do.
    ===============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  3. kerry123

    kerry123 TS Rookie Topic Starter

    1. Yes, I have an internet connection
    2. I can boot into normal mode
    3. I cannot boot into safe mode with networking; this is where a blue screen will pop up with the following codes: STOP 0x00000078 (0xXF789E524, 0xC0000034, 0x00000000, 0x00000000)
    4. I get "access is denied" when trying to download the malwarebytes antivirus; while it's trying to install, it will stop and give that error message each time. That's the only time I've seen that message that I recall.
    5. Windows XP operating system
    6. It's our personal computer, and there aren't separate users or accounts (is that what you need to know, am I understanding the question correctly?)
    7. Yes, I have a flash drive and a laptop that is clean I can use and download programs to

    Thank you so much! Another note - we had a McAfee subscription that has expired; it keeps popping up that it's expired, and now a message just popped up that McAfee removed a trojan from our computer; would it do that with an expired subscription?
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Letting you know that somehow some unauthorized users are posting on this thread. Only Broni and I can help in this forum. Please ignore and do not follow anyone's instructions but mine. Also, do not click on the site links they are leaving. They are bad sites. I'm removing as fast as I see them, but am warning you in case you see one of the posts before I've deleted it.
    =================================================
    If you can get into Normal Mode, then you can work from that. It's usually the other way around, but we'll check that out later.
    ================================================
    STOP 0x00000078 can have several causes, but the most frequent have to do with the boot function. So I am going to start out a bit differently.
    ================================================
    The first thing you need to do is get a current, functioning, updating antivirus program on the system. So either update the McAfee subscription or download and install one of the following; they are all free and fully functioning:
    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    Please reboot the computer after you have handled the AV.
    =============================
    Bootkit Remover:

    Download Bootkit Remover.zip and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the remover.exe file to run the program.
      (Vista/7 users, right-click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    =====================================
    Results should be one of the following:
    • OK (DOS/Win32 Boot code found)
      - MBR boot code is clean.
    • Unknown boot code
      - MBR boot code is modified. This practically corresponds to either
      an active bootkit infection, or a custom boot manager installed (such
      as GRUB).
    • Controlled by rootkit!
      - a bootkit with self-hiding capabilities is detected.
    =========================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install; just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ===================================================
    I'd like to see these 2 logs first, then I may have you go back to do the preliminary scans.
     
  5. kerry123

    kerry123 TS Rookie Topic Starter

    I did ignore those other posts, thanks for confirming to ignore them.

    I was able to download microsoft security essentials and run a scan; but now I cannot connect to the internet to continue with the bootkit remover. I have rebooted a few times. Using a wireless router, the laptop works fine, I don't believe it's my connection.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, right now I don't have any information about what's running on your system. So let's start at the beginning instead of the middle!

    What happens when you try to connect to the internet? Message? Error? What?

    If you cannot determine why and don't have access, you can download the following to a flash drive from a clean computer. Then connect to the problem computer and run the scans:

    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
     
  7. kerry123

    kerry123 TS Rookie Topic Starter

    When I try to connect, I get the error that Internet Explorer cannot display the webpage. Thanks for the continued help. Malwarebytes and GMER logs are here; I'll insert the DDS logs in the next post.

    Malwarebytes Log
    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.04.04.08
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    User :: FRED [administrator]
    Protection: Enabled
    5/8/2012 11:31:05 AM
    mbam-log-2012-05-08 (11-31-05).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 251123
    Time elapsed: 16 minute(s), 23 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 6
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    Folders Detected: 1
    C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.
    Files Detected: 2
    C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
    (end)

    GMER Log
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-05-08 12:09:25
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250310AS rev.3.ADA
    Running: 1ste46ev.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pxtdypob.sys

    ---- System - GMER 1.0.15 ----
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE1484]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE1498]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    ---- Devices - GMER 1.0.15 ----
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    ---- EOF - GMER 1.0.15 ----

    I'm posting the DDS logs in the next post
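The Malwarebytes log above is the kind of evidence the helper asks to have pasted rather than attached, so it is worth being able to read it mechanically. The following is an added example, not code from the thread or from Malwarebytes: a small parser for the MBAM 1.x log layout as it appears in the post (section headers of the form "X Detected: N", then one line per item), followed by a triage pass that groups detections by family, flags the registry values a rogue/fake-AV flips to hide the desktop and Start Menu entries (the PUM.Hijack.StartMenu and PUM.Hidden.Desktop items seen above), and checks that the declared item counts match what was actually pasted, which catches a truncated paste. The log format is inferred from this one log; the function and field names are my own, and the sample is a constructed excerpt whose detection lines are copied from the log in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a Malwarebytes Anti-Malware 1.x log. The nine detection
# lines are those posted in this thread; the header is trimmed to a few fields.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.61.0.1400
Database version: v2012.04.04.08
Scan type: Quick scan
Memory Processes Detected: 0
(No malicious items detected)
Registry Data Items Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 1
C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.
Files Detected: 2
C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
(end)
"""

# "Registry Data Items Detected: 6" -> section name + declared item count
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<location> (<threat>) -> [Bad: (x) Good: (y) -> ]<action>."
DETECTION_RE = re.compile(
    r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)

# Explorer values that, when flipped, hide the desktop or Start Menu entries;
# the rogue in this thread tampered with exactly these (assumption: list built
# from the log above, not an exhaustive catalogue).
UI_HIDING_VALUES = {"NoDesktop", "Start_ShowControlPanel", "Start_ShowHelp",
                    "Start_ShowMyComputer", "Start_ShowMyDocs", "Start_ShowSearch"}


@dataclass(frozen=True)
class Detection:
    section: str               # log section, e.g. "Registry Data Items"
    location: str              # registry "key|value" or a filesystem path
    threat: str                # MBAM detection name, e.g. PUM.Hidden.Desktop
    action: str                # what MBAM did with the item
    bad: Optional[str] = None  # value found (registry data items only)
    good: Optional[str] = None # value MBAM restored

    @property
    def family(self) -> str:
        # "PUM.Hijack.StartMenu" -> "PUM.Hijack"; "Trojan.FakeAV" stays as is
        return ".".join(self.threat.split(".")[:2])

    @property
    def registry_value(self) -> Optional[str]:
        return self.location.split("|", 1)[1] if "|" in self.location else None

    @property
    def remediated(self) -> bool:
        return self.action.endswith("successfully")


def parse_mbam_log(text: str) -> Tuple[Dict[str, str], Dict[str, int], List[Detection]]:
    """Return (header fields, declared counts per section, detections)."""
    header: Dict[str, str] = {}
    declared: Dict[str, int] = {}
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            declared[section] = int(m.group("count"))
            continue
        if section is None:               # still in the "Key: value" header
            if ": " in line:
                key, value = line.split(": ", 1)
                header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line in section {section!r}: {line}")
        detections.append(Detection(section=section, **m.groupdict()))
    return header, declared, detections


def count_mismatches(declared: Dict[str, int], detections: List[Detection]) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count differs from the lines present (truncated paste)."""
    seen = Counter(d.section for d in detections)
    return {s: (n, seen.get(s, 0)) for s, n in declared.items() if n != seen.get(s, 0)}


def triage(detections: List[Detection]) -> List[str]:
    """Short reviewer notes: families, UI-hiding tampering, anything left unremediated."""
    notes = [f"{fam}: {n} item(s)" for fam, n in sorted(Counter(d.family for d in detections).items())]
    hidden = sorted(d.registry_value for d in detections if d.registry_value in UI_HIDING_VALUES)
    if hidden:
        notes.append("UI-hiding registry tampering (" + ", ".join(hidden)
                     + "): consistent with a rogue/fake-AV hiding desktop and Start Menu items")
    pending = [d.location for d in detections if not d.remediated]
    if pending:
        notes.append(f"{len(pending)} item(s) not remediated; reboot and rescan before proceeding")
    return notes


if __name__ == "__main__":
    hdr, decl, dets = parse_mbam_log(SAMPLE_LOG)
    print("Database:", hdr.get("Database version"), "| mismatches:", count_mismatches(decl, dets))
    for note in triage(dets):
        print("-", note)
```

Run as a script it prints the database version, an empty mismatch dictionary (the pasted counts agree with the lines present), the per-family tallies, and the note about the six flipped Explorer values. Feeding it a log that was cut off mid-section makes `count_mismatches` return the affected section with the declared and observed counts, which is the first thing to check before reading anything else into the log.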
     
  8. kerry123

    kerry123 TS Rookie Topic Starter

    Attach Log
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/8/2008 11:09:30 PM
    System Uptime: 5/8/2012 11:23:32 AM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0RY007
    Processor: Intel(R) Pentium(R) Dual CPU E2140 @ 1.60GHz | Socket 775 | 1595/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 229 GiB total, 97.499 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
    Description: Photosmart C4700 series
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Photosmart C4700 series
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:
    .
    Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
    Description: HP LaserJet 4000 Series
    Device ID: ROOT\MULTIFUNCTION\0001
    Manufacturer: Hewlett-Packard
    Name: HP LaserJet 4000 Series
    PNP Device ID: ROOT\MULTIFUNCTION\0001
    Service:
    .
    ==== System Restore Points ===================
    .
    RP1434: 2/9/2012 3:29:55 AM - System Checkpoint
    RP1435: 2/10/2012 4:29:55 AM - System Checkpoint
    RP1436: 2/11/2012 4:30:18 AM - System Checkpoint
    RP1437: 2/12/2012 5:30:18 AM - System Checkpoint
    RP1438: 2/13/2012 6:30:18 AM - System Checkpoint
    RP1439: 2/14/2012 7:49:03 AM - System Checkpoint
    RP1440: 2/15/2012 7:57:37 AM - System Checkpoint
    RP1441: 2/16/2012 8:44:02 AM - System Checkpoint
    RP1442: 2/17/2012 9:30:19 AM - System Checkpoint
    RP1443: 2/18/2012 9:31:29 AM - System Checkpoint
    RP1444: 2/19/2012 10:30:23 AM - System Checkpoint
    RP1445: 2/20/2012 11:00:19 AM - System Checkpoint
    RP1446: 2/20/2012 2:01:38 PM - Install LG UNITED Drivers
    RP1447: 2/21/2012 2:22:49 PM - System Checkpoint
    RP1448: 2/22/2012 2:45:00 PM - System Checkpoint
    RP1449: 2/23/2012 3:24:31 PM - System Checkpoint
    RP1450: 2/24/2012 4:21:58 PM - System Checkpoint
    RP1451: 2/25/2012 5:43:01 PM - System Checkpoint
    RP1452: 2/26/2012 6:50:20 PM - System Checkpoint
    RP1453: 2/27/2012 7:47:06 PM - System Checkpoint
    RP1454: 2/28/2012 10:18:27 PM - System Checkpoint
    RP1455: 2/29/2012 10:21:54 PM - System Checkpoint
    RP1456: 3/1/2012 11:21:57 PM - System Checkpoint
    RP1457: 3/4/2012 3:48:15 PM - System Checkpoint
    RP1458: 3/5/2012 4:15:24 PM - System Checkpoint
    RP1459: 3/6/2012 5:50:33 PM - System Checkpoint
    RP1460: 3/7/2012 7:13:55 PM - System Checkpoint
    RP1461: 3/8/2012 9:40:04 PM - System Checkpoint
    RP1462: 3/9/2012 10:14:20 PM - System Checkpoint
    RP1463: 3/11/2012 12:21:57 AM - System Checkpoint
    RP1464: 3/12/2012 1:14:42 AM - System Checkpoint
    RP1465: 3/13/2012 2:14:44 AM - System Checkpoint
    RP1466: 3/14/2012 3:14:45 AM - System Checkpoint
    RP1467: 3/15/2012 4:14:44 AM - System Checkpoint
    RP1468: 3/16/2012 5:29:39 AM - System Checkpoint
    RP1469: 3/17/2012 6:15:49 AM - System Checkpoint
    RP1470: 3/18/2012 7:14:44 AM - System Checkpoint
    RP1471: 3/19/2012 7:29:16 AM - System Checkpoint
    RP1472: 3/20/2012 9:23:15 AM - System Checkpoint
    RP1473: 3/21/2012 9:40:04 AM - System Checkpoint
    RP1474: 3/22/2012 10:16:08 AM - System Checkpoint
    RP1475: 3/23/2012 1:05:20 PM - System Checkpoint
    RP1476: 3/24/2012 1:15:02 PM - System Checkpoint
    RP1477: 3/25/2012 2:15:03 PM - System Checkpoint
    RP1478: 3/26/2012 2:38:02 PM - System Checkpoint
    RP1479: 3/27/2012 3:29:56 PM - System Checkpoint
    RP1480: 3/28/2012 5:18:24 PM - System Checkpoint
    RP1481: 3/29/2012 6:03:00 PM - System Checkpoint
    RP1482: 3/30/2012 10:25:59 PM - System Checkpoint
    RP1483: 3/31/2012 11:05:25 PM - System Checkpoint
    RP1484: 4/1/2012 11:15:24 PM - System Checkpoint
    RP1485: 4/3/2012 12:04:49 AM - System Checkpoint
    RP1486: 4/4/2012 12:16:49 AM - System Checkpoint
    RP1487: 4/5/2012 12:30:19 AM - System Checkpoint
    RP1488: 4/6/2012 1:04:50 AM - System Checkpoint
    RP1489: 4/6/2012 12:51:46 PM - Software Distribution Service 3.0
    RP1490: 4/8/2012 10:13:39 PM - System Checkpoint
    RP1491: 4/9/2012 10:53:46 PM - System Checkpoint
    RP1492: 4/10/2012 11:33:02 PM - System Checkpoint
    RP1493: 4/11/2012 11:49:57 PM - System Checkpoint
    RP1494: 4/13/2012 12:31:34 AM - System Checkpoint
    RP1495: 4/14/2012 1:31:34 AM - System Checkpoint
    RP1496: 4/15/2012 2:31:34 AM - System Checkpoint
    RP1497: 4/16/2012 2:32:49 AM - System Checkpoint
    RP1498: 4/17/2012 3:31:43 AM - System Checkpoint
    RP1499: 4/18/2012 4:31:43 AM - System Checkpoint
    RP1500: 4/19/2012 5:32:48 AM - System Checkpoint
    RP1501: 4/20/2012 7:46:39 AM - System Checkpoint
    RP1502: 4/21/2012 8:28:12 AM - System Checkpoint
    RP1503: 4/22/2012 9:28:26 AM - System Checkpoint
    RP1504: 4/23/2012 9:41:35 AM - System Checkpoint
    RP1505: 4/24/2012 9:47:43 AM - System Checkpoint
    RP1506: 4/25/2012 10:17:23 AM - System Checkpoint
    RP1507: 4/26/2012 10:53:15 AM - System Checkpoint
    RP1508: 4/27/2012 2:10:52 PM - System Checkpoint
    RP1509: 4/28/2012 10:03:15 PM - System Checkpoint
    RP1510: 4/29/2012 10:27:41 PM - System Checkpoint
    RP1511: 4/30/2012 11:04:31 PM - System Checkpoint
    RP1512: 5/2/2012 12:04:31 AM - System Checkpoint
    RP1513: 5/3/2012 1:04:31 AM - System Checkpoint
    RP1514: 5/4/2012 1:06:33 AM - System Checkpoint
    RP1515: 5/5/2012 2:07:37 AM - System Checkpoint
    RP1516: 5/6/2012 3:06:32 AM - System Checkpoint
    RP1517: 5/7/2012 3:35:53 AM - System Checkpoint
    RP1518: 5/7/2012 3:09:47 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.1)
    Adobe Shockwave Player 11.6
    Amazon MP3 Downloader 1.0.3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Magic-I Visual Effects 2
    Arthur's Birthday
    Azada : Ancient Magic
    Azada® : In Libro Collector's Edition
    Big Fish Games: Game Manager
    Bonjour
    Browser Address Error Redirector
    BVHE-Beauty and the Beast Magical Ballroom
    Camera Support Core Library
    Camera Window DS
    Camera Window DVC
    Camera Window MC
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DS for ZoomBrowser EX
    Canon Camera Window MC 5 for ZoomBrowser EX
    Canon i550
    Canon MovieEdit Task for ZoomBrowser EX
    Canon PhotoRecord
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities PhotoStitch 3.1
    Canon ZoomBrowser EX
    CCleaner
    CCScore
    Conexant D850 56K V.9x DFVc Modem
    Coupon Printer for Windows
    Crayola Magic 3D Coloring Book Sampler
    Dell DataSafe Online
    Dell Driver Reset Tool
    Dell Support Center (Support Software)
    Dell System Restore
    Digital Line Detect
    Documentation & Support Launcher
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSSONIC
    ESSTOOLS
    essvatgt
    EZface ActiveX 210
    Favorite Places
    fflink
    GameProtector 1.0
    Games, Music, & Photos Launcher
    Google Chrome
    Google Earth
    Google Talk Plugin
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToAssist 8.0.0.480
    GoToMeeting 4.8.0.723
    Green Eggs and Ham
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Button Manager
    HP Driver Diagnostics
    HP Photo Creations
    HP Photosmart C4700 All-in-One Driver 14.0 Rel. 6
    HP Update
    ImageMixer 3 SE Ver.6 Transfer Utility
    ImageMixer 3 SE Ver.6 Video Tools
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections 12.3.31.0
    Internet Service Offers Launcher
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 29
    Jimmy Neutron vs. Jimmy Negatron DEMO
    JumpStart Kindergarten 2001
    JumpStart Toddlers 2001
    kgcbaby
    kgcbase
    kgchday
    kgchlwn
    kgcinvt
    kgckids
    kgcmove
    kgcvday
    Kid Pix Deluxe 3
    Kid Pix Deluxe 4
    Kit A Tree House of My Own
    KODAK EASYSHARE Gallery Upload ActiveX Control
    Kodak EasyShare software
    L&H TTS3000 Español
    LEGO Digital Designer
    Lernout & Hauspie TruVoice American English TTS Engine
    LG United Mobile Drivers
    Little Bear Kindergarten Thinking Adventures
    Malwarebytes Anti-Malware version 1.61.0.1400
    McAfee SecurityCenter
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Text-to-Speech Engine 4.0 (English)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Windows XP Video Decoder Checkup Utility
    MobileMe Control Panel
    Modem Diagnostic Tool
    Monopoly Junior
    Move Media Player
    MovieEdit Task
    MSN
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    netbrdg
    NetWaiting
    Network
    NickToons Racing
    Notebook Interactive Viewer
    OfotoXMI
    Photo Notifier and Animation Creator
    PhotoStitch
    Plants vs. Zombies
    PopCap Browser Plugin
    PowerDVD
    PS_AIO_06_C4700_SW_Min
    QuickTime
    RAW Image Task 2.1
    Reader Rabbit's Math Ages 6-9
    RealPlayer
    Realtek High Definition Audio Driver
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    Safari
    Scan
    Scholastic's I SPY Fantasy
    Scholastic's I SPY Mystery
    Scholastic's I SPY School Days
    Scholastic's I SPY Spooky Mansion
    Scholastic's I SPY Treasure Hunt
    SearchAssist
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2466156)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Excel 2007 (KB2464583)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SFR
    SHASTA
    Sibelius Scorch (ActiveX Only)
    skin0001
    SKINXSDK
    Skype™ 5.3
    Sonic Activation Module
    Spell Checker For OE 2.1
    SpongeBob SquarePants - Battle for Bikini Bottom DEMO
    Spotify
    staticcr
    The Fairly OddParents Demo
    Thomas & Friends - The Great Festival Adventure
    Tonka Search and Rescue
    Toolbox
    tooltips
    Unity Web Player (All users)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VPRINTOL
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Support Tools
    Windows XP Service Pack 3
    WIRELESS
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/7/2012 9:41:57 PM, error: Server [2505] - The server could not bind to the transport \Device\NwlnkNb because another computer on the network has the same name. The server could not start.
    5/7/2012 9:41:57 PM, error: Server [2505] - The server could not bind to the transport \Device\NwlnkIpx because another computer on the network has the same name. The server could not start.
    5/7/2012 3:37:48 PM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
    5/7/2012 3:37:48 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: NetBT
    5/7/2012 3:16:01 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    5/7/2012 2:59:07 PM, error: Service Control Manager [7000] - The McAfee SiteAdvisor Service service failed to start due to the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================
     
  9. kerry123

    kerry123 TS Rookie Topic Starter

    DDS Log

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by User at 12:13:02 on 2012-05-08
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1315 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe -k HPService
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\iPod\bin\iPodService.exe
    svchost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\wuauclt.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/ig
    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    mSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\kowalski\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
    DPF: {10000000-1000-1000-1000-100000000000} - hxxp://cdn.betteradvertising.com/ghostery/addons/ie/WebInstall/ghostery.cab
    DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://webvpn.usps.gov/+CSCOL+/relayp.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
    DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
    DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    DPF: {705EC6D4-B138-4079-A307-EF13E40C2416} - hxxps://webvpn.usps.gov/CACHE/sdesktop/install/binaries/instweb.cab
    DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://webvpn.usps.gov/CACHE/sdesktop/install/binaries/instweb.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 172.16.113.1
    TCP: Interfaces\{3EAC37C0-2186-42CD-A9E0-6735F355A4BC} : DhcpNameServer = 172.16.113.1
    TCP: Interfaces\{5CEF0DF9-5522-4761-B288-90AB1C130086} : NameServer = 24.94.163.100
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 464176]
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-27 89792]
    R1 MpKsl6dd162fa;MpKsl6dd162fa;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5534aa4e-a456-4aa1-9d4b-17d3615bc0f9}\MpKsl6dd162fa.sys [2012-5-8 29904]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-8 654408]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-27 150856]
    R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-I visual effects 2\uCamMonitor.exe [2011-3-26 104960]
    R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2011-3-26 14336]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-8 22344]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-27 180816]
    S1 ivtfrvpp;ivtfrvpp;\??\c:\windows\system32\drivers\ivtfrvpp.sys --> c:\windows\system32\drivers\ivtfrvpp.sys [?]
    S1 kzpnvywc;kzpnvywc;\??\c:\windows\system32\drivers\kzpnvywc.sys --> c:\windows\system32\drivers\kzpnvywc.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-27 136176]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-27 160608]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-27 57600]
    S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-27 136176]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-27 83856]
    S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-27 83856]
    .
    =============== Created Last 30 ================
    .
    2012-05-08 17:02:30 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5534aa4e-a456-4aa1-9d4b-17d3615bc0f9}\MpKsl6dd162fa.sys
    2012-05-08 16:29:58 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
    2012-05-08 16:29:34 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-05-08 16:29:32 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-08 16:29:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-05-08 16:24:27 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5534aa4e-a456-4aa1-9d4b-17d3615bc0f9}\offreg.dll
    2012-05-07 20:07:21 6734704 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5534aa4e-a456-4aa1-9d4b-17d3615bc0f9}\mpengine.dll
    2012-05-07 20:07:20 237072 ---h--w- c:\windows\system32\MpSigStub.exe
    2012-05-07 20:02:34 -------- d--h--w- c:\program files\Microsoft Security Client
    2012-05-07 19:23:16 -------- d--h--w- C:\0791d0e706da230e5370ce063b270fa8
    2012-04-30 18:28:21 -------- d--h--w- c:\documents and settings\user\application data\Anvisoft
    2012-04-30 18:27:32 -------- d--h--w- c:\program files\Anvisoft
    2012-04-30 15:03:55 -------- d--h--w- c:\documents and settings\all users\application data\F4D55F3E00274A0700002205D151FC84
    .
    ==================== Find3M ====================
    .
    2012-05-08 02:34:19 525002 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-03-21 01:44:12 171064 ---ha-w- c:\windows\system32\drivers\MpFilter.sys
    .
    ============= FINISH: 12:13:57.26 ===============
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Looks like you have a rogue program, called Windows Recovery. This malware is a fake computer analysis and optimization program that displays fake information in order to scare you into believing that there is an issue with your computer and you need their program to fix it.
    • It will display numerous error messages when you attempt to launch programs or delete files.
    • It will scan your computer, which will then find a variety of errors that it states it cannot fix until you purchase the program, a so-called defragment tool.
    • Folder, icons, programs may appear to be missing their content.
    • It may terminate a program you launch stating that "the program or hard drive is corrupted".
    • The messages that you will see when you attempt run a program are:
      [o]Hard Drive Failure
      [o]System or Critical Error
      [o]Closing these messages will then bring 'notice' of Windows Recovery Diagnostics and/or Fix Disk
    • When running it will also display fake alerts from your Windows taskbar of various "Critical Errors" and other fake warnings.
    • The malware may prevent downloads directly to the infected computer. In that case, programs can be loaded onto a flash drive, then transferred to the problem system to run.
    --------------------------

    1. If your task manager is disabled, copy and run this command> Press Windows+R key> type cmd> OK
    Code:
    Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
    Press Enter

    2. If your desktop is blank and you are unable to right-click on it, run this command> Press Windows+R key> type cmd> OK
    Code:
    Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop
    Press Enter
    -------------------------------------
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      [o] Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      [o] Note: No query will be made if the Recovery Console is already on the system.
    • Before you run the Combofix scan, please disable any security software you have running.
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated and it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    --------------------------------------------------------------

    (Note: If programs, icons, files, etc. appear to be missing, you can run #3 first, then continue with RKill)
    1. Kill Malware process: Run RKill> Download from iExplore.exe download link and save to the desktop.
    • Double click the iExplore.exe icon to run
    • If you cannot find the icon, do as follows:
      [o] Win XP: Click on Start> Run> type in %userprofile%\desktop\iexplore.exe> OK
      [o] Win Vista/Win 7: Click on Start> type in Search Field %userprofile%\desktop\iexplore.exe> Enter
    • Be patient> a black window will automatically close when finished
    • If you get a message that RKill is an infection, leave the warning and run RKill again.
      Important: Do not reboot your computer after running RKill as the malware programs will start again.
    2. If you were able to run Malwarebytes, update it and rescan using Perform Full Scan this time.
    3. If you have missing icons, Programs, files, run the following:
    [o]Download Unhide.exe and save to the desktop
    [o] Double-click on Unhide.exe icon to run the program
    [o] This program will remove the +H, or hidden, attribute from all the files on your hard drives. Note: This does not remove the malware- only the attribute causing the 'missing' problem. So it is important for you to continue

    4. Please update the following: This malware frequently uses an exploit in an outdated program:
    Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.

    Adobe Reader> Current is vX(10.xx)> Adobe Reader Update
    Java(TM) > Current is v6u32> Java Updates.
    Uninstall any earlier versions of both, as they are vulnerabilities for the system.
    --------------------------------
    I've been working on a formatting problem for the last hour. I don't know what the problem was but I think I fixed it all. If something doesn't make sense, just ask me about it.
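    The service and driver listings in the DDS and ComboFix logs earlier in this thread contain entries for which the tool could not find the image file on disk (printed as `[?]`), two of them with eight-letter names and no descriptive display name. The following is an added example, not part of the thread, of DDS or of ComboFix: a small Python triage pass over constructed lines in the format DDS printed in the thread. The three flags it raises (missing image file, bare eight-letter name, image under a temp directory) are heuristics chosen for this example, and a flagged entry is only a candidate for a closer look, not a verdict.

```python
"""Triage DDS-style "SERVICES / DRIVERS" listings for entries worth a closer look.

Added example for this thread; it is not part of the TechSpot post, of DDS or
of ComboFix. The sample lines are constructed to match the format DDS printed
in the thread, and the three heuristics below are assumptions of this example,
not rules that DDS itself applies.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DDS prints one service or driver per line:
#   <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
# "R"/"S" is running/stopped, the digit is the Windows start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).  When DDS cannot
# find the image file it prints "[?]" instead of the date and size, and an
# "-->" shows the path it resolved.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Heuristic (assumption of this example): an eight-letter all-lowercase name
# that is also its own display name carries no product information at all.
BARE_NAME_RE = re.compile(r"^[a-z]{8}$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    image: str
    file_present: bool  # False when DDS printed "[?]" for the image


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a DDS service line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        running=m.group("state") == "R",
        start_type=int(m.group("start")),
        name=m.group("name"),
        display=m.group("display"),
        image=m.group("image"),
        file_present=m.group("meta") != "?",
    )


def parse_log(text: str) -> List[ServiceEntry]:
    """Parse every service/driver line in a DDS log; headers and '.' lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, int, List[str]]]:
    """Return (name, start type, reasons) for entries the reviewer should check."""
    findings = []
    for e in entries:
        reasons = []
        if not e.file_present:
            reasons.append("registered but image file not found on disk")
        if BARE_NAME_RE.match(e.name) and e.display == e.name:
            reasons.append("eight-letter name with no descriptive display name")
        if TEMP_DIR_RE.search(e.image):
            reasons.append("image path is under a temp directory")
        if reasons:
            findings.append((e.name, e.start_type, reasons))
    # Boot/system-start drivers (start type 0/1) first: they load before the
    # rest of the system and before most security tools.
    findings.sort(key=lambda f: f[1])
    return findings


# Constructed sample modelled on the listing format in the thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 464176]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-8 654408]
S1 ivtfrvpp;ivtfrvpp;\??\c:\windows\system32\drivers\ivtfrvpp.sys --> c:\windows\system32\drivers\ivtfrvpp.sys [?]
S1 kzpnvywc;kzpnvywc;\??\c:\windows\system32\drivers\kzpnvywc.sys --> c:\windows\system32\drivers\kzpnvywc.sys [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
.
"""

if __name__ == "__main__":
    for name, start, reasons in triage(parse_log(SAMPLE_LOG)):
        print(f"start type {start}  {name}: " + "; ".join(reasons))
```

    A missing image file is common for leftovers of uninstalled software (the thread's own logs show a vendor service and a CPU-Z driver in a temp folder in that state), so the script sorts by start type rather than judging: boot- and system-start drivers with no file on disk and no readable name are the entries a helper would ask about first.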
     
  11. kerry123

    kerry123 TS Rookie Topic Starter

    I have run the combofix and have the log pasted below. I still can't access the internet - should I continue with the RKill step above anyway? I think the internet connection went out when I installed Microsoft Security Essentials - I uninstalled it before running the combofix, but it's still not accessing. I wonder if I've downloaded too many things and they are conflicting? (i.e. Malwarebytes, MSE, etc.) and maybe haven't properly cleaned them off?

    ComboFix 12-05-10.02 - User 05/10/2012 11:51:30.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1652 [GMT -5:00]
    Running from: I:\ComboFix.exe
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator.FRED\GoToAssistDownloadHelper.exe
    c:\documents and settings\All Users\Application Data\66hVpjGwhuIMhY
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\User\g2mdlhlpx.exe
    c:\documents and settings\User\GoToAssistDownloadHelper.exe
    c:\documents and settings\User\My Documents\~WRL0005.tmp
    c:\documents and settings\User\WINDOWS
    c:\windows\$NtUninstallKB19498$
    c:\windows\$NtUninstallKB19498$\3062547991
    c:\windows\$NtUninstallKB19498$\96094608\@
    c:\windows\$NtUninstallKB19498$\96094608\cfg.ini
    c:\windows\$NtUninstallKB19498$\96094608\Desktop.ini
    c:\windows\$NtUninstallKB19498$\96094608\L\odetmngk
    c:\windows\$NtUninstallKB19498$\96094608\oemid
    c:\windows\$NtUninstallKB19498$\96094608\U\00000001.@
    c:\windows\$NtUninstallKB19498$\96094608\U\00000002.@
    c:\windows\$NtUninstallKB19498$\96094608\U\00000004.@
    c:\windows\$NtUninstallKB19498$\96094608\U\80000000.@
    c:\windows\$NtUninstallKB19498$\96094608\U\80000004.@
    c:\windows\$NtUninstallKB19498$\96094608\U\80000032.@
    c:\windows\$NtUninstallKB19498$\96094608\version
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    .
    c:\windows\system32\proquota.exe was missing
    Restored copy from - c:\windows\$NtServicePackUninstall$\proquota.exe
    .
    c:\windows\system32\drivers\netbt.sys was missing
    Restored copy from - c:\windows\system32\dllcache\netbt.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-10 to 2012-05-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-10 17:01 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-05-10 17:01 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
    2012-05-10 17:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
    2012-05-10 17:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
    2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-05-08 16:29 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-07 20:10 . 2012-05-07 20:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-05-07 20:07 . 2012-01-31 12:44 237072 ---h--w- c:\windows\system32\MpSigStub.exe
    2012-05-07 19:23 . 2012-05-07 19:36 -------- d-----w- C:\0791d0e706da230e5370ce063b270fa8
    2012-04-30 18:28 . 2012-04-30 18:28 -------- d--h--w- c:\documents and settings\User\Application Data\Anvisoft
    2012-04-30 18:27 . 2012-05-07 19:32 -------- d--h--w- c:\program files\Anvisoft
    2012-04-30 15:03 . 2012-04-30 16:35 -------- d--h--w- c:\documents and settings\All Users\Application Data\F4D55F3E00274A0700002205D151FC84
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-08 02:34 . 2011-11-07 14:23 525002 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-04-14 19:01 . 2011-07-08 23:35 24376 ---ha-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-14 39408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-02-09 22:54 10792 ---ha-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/27/2011 1:11 PM 89792]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/8/2012 11:29 AM 654408]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/27/2011 12:45 PM 150856]
    R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe [3/26/2011 9:09 PM 104960]
    R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [3/26/2011 9:09 PM 14336]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/8/2012 11:29 AM 22344]
    S1 ivtfrvpp;ivtfrvpp;\??\c:\windows\system32\drivers\ivtfrvpp.sys --> c:\windows\system32\drivers\ivtfrvpp.sys [?]
    S1 kzpnvywc;kzpnvywc;\??\c:\windows\system32\drivers\kzpnvywc.sys --> c:\windows\system32\drivers\kzpnvywc.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 8:46 PM 136176]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [1/27/2011 1:11 PM 160608]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/27/2011 1:10 PM 57600]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 8:46 PM 136176]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/27/2011 1:11 PM 83856]
    S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/27/2011 1:11 PM 83856]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
    .
    2012-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 01:46]
    .
    2012-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 01:46]
    .
    2012-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2719611712-3216103391-934069528-1006Core.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 13:01]
    .
    2012-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2719611712-3216103391-934069528-1006UA.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 13:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig
    mSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    TCP: DhcpNameServer = 172.16.113.1
    TCP: Interfaces\{5CEF0DF9-5522-4761-B288-90AB1C130086}: NameServer = 24.94.163.100
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-10 12:05
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(576)
    c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
    .
    - - - - - - - > 'explorer.exe'(2460)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-10 12:17:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-10 17:17
    .
    Pre-Run: 105,501,523,968 bytes free
    Post-Run: 108,364,926,976 bytes free
    .
    - - End Of File - - 958F02092A2B38005ECA42A8E9D018AC
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    One of the necessary drivers was found to be corrupt and was replaced by a clean file: netbt.sys.
    There is another driver that is frequently corrupted by the same malware: afd.sys. So let's be proactive and see if we can get you back on the internet:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      afd.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    =============================================
    Then go on to the following check for other processes that might not be running:

    Please download Farbar Service Scanner
    • Check ALL boxes to include all files.
    • Press the Scan button
    • Log named FSS.txt will be created in the same directory as the tool
    • Please paste the log into your next reply
    ========================================
    Please leave both logs in your next reply.

    In the meantime, I am checking Combofix for any processes to be removed.
     
  13. kerry123

    kerry123 TS Rookie Topic Starter

    I'm thankful for detailed directions!


    Edit: Removing excess spacing

    SystemLook 30.07.11 by jpshortstuff
    Log created at 10:39 on 11/05/2012 by User
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "afd.*"

    C:\i386\afd.sys --a--c- 138496 bytes[14:48 10/02/2008][10:00 04/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
    C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys--a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
    C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys --a--c- 138368 bytes [10:44 20/06/2008] [10:44 20/06/2008] D99DDFFB33DEACDCF20717CB520379F6
    C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys --a--c- 138496 bytes [11:40 20/06/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
    C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a--c- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
    C:\WINDOWS\$hf_mig$\KB956803\SP2QFE\afd.sys --a--c- 138368 bytes [18:58 15/10/2008] [09:48 14/08/2008] 6A0397376853E604DE8E1E7A87FC08AC
    C:\WINDOWS\$hf_mig$\KB956803\SP3GDR\afd.sys --a--c- 138496 bytes [18:58 15/10/2008] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
    C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --a--c- 138496 bytes [18:58 15/10/2008] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
    C:\WINDOWS\$NtServicePackUninstall$\afd.sys -----c- 138368 bytes [03:13 18/10/2008] [09:51 14/08/2008] 55E6E1C51B6D30E54335750955453702
    C:\WINDOWS\$NtUninstallKB2509553$\afd.sys-----c- 138496 bytes [13:15 14/04/2011] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
    C:\WINDOWS\$NtUninstallKB951748$\afd.sys -----c- 138112 bytes [03:25 18/10/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
    C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys -----c- 138496 bytes [08:00 10/07/2008] [10:00 04/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
    C:\WINDOWS\$NtUninstallKB956803$\afd.sys -----c- 138496 bytes [03:26 18/10/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
    C:\WINDOWS\$NtUninstallKB956803_0$\afd.sys -----c- 138368 bytes [08:03 16/10/2008] [10:44 20/06/2008] 944CA435BFCFC82CC1ED9E3A7D731AA9
    C:\WINDOWS\ServicePackFiles\i386\afd.sys -----c- 138112 bytes [01:00 19/08/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
    C:\WINDOWS\system32\dllcache\afd.sys --a---- 138496 bytes [17:50 10/08/2004] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
    C:\WINDOWS\system32\drivers\afd.sys--a---- 138496 bytes [17:50 10/08/2004] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37

    -= EOF =-

    Farbar Service Scanner Version: 11-05-2012
    Ran by User (administrator) on 11-05-2012 at 10:49:56
    Running from "C:\Documents and Settings\User\Desktop"
    Microsoft Windows XP Home Edition Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Attempt to access Google IP returned error: Google IP is unreachable
    Attempt to access Yahoo IP returned error: Yahoo IP is unreachable

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys
    [2004-08-10 12:50] - [2008-10-16 09:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    Extra List:
    =======
    Gpc(6) IPSec(4) mfetdi2k(9) NetBT(13) NwlnkIpx(11) NwlnkNb(12) PSched(7) Tcpip(3) Tcpip6(10)
    0x0C0000000400000001000000020000000300000009000000050000000600000007000000080000000A0000000B0000000C000000
    IpSec Tag value is correct.
    **** End of log ****
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Kerry, I edited out what appeared to be double, double spacing (4 lines) in the System Look scan. The log is okay otherwise and we got a head start on the file I thought would come up and replaced it. I'm hoping that after you run the following script in Combofix the internet connection will be restored.
    -----------------------------------------------

    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Clearjavacache::
     
    FCopy::
    C:\WINDOWS\system32\dllcache\afd.sys | C:\WINDOWS\system32\Drivers\afd.sys
     
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Anvisoft: Besides protecting PC from malware infection, it optimizes and speeds up PC in several aspects. I read about this program on several sites. The site is in India and it appears there is no database for updates. I think you can do better than this. I'll give some recommendations.
    =====================
    I'd like for you to run the following:
    • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Please include it in your next reply.
    • A reboot is required after disinfection.
    ====================================
    Reboot the Computer.

    Please see what the internet connection status is and let me know. Let me also know if there are any remaining problems.
    Include the new logs from OTM, ComboFix and TDSSKiller.
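    As an added illustration (not part of the thread, of SystemLook or of ComboFix), the comparison posts 12 to 14 perform by hand on the SystemLook output: parse the filefind lines, find the live afd.sys and its dllcache copy, and report whether their MD5s agree, which is the premise of the FCopy step in the CFScript above. The sample input is an excerpt of the log posted above; the mismatch variant and its all-zero hash are constructed.

```python
import re
from collections import defaultdict

# Excerpt of the SystemLook "filefind" output posted earlier in this thread
# (six of the seventeen afd.sys hits, copied as they appear, including the
# lines where the attribute field runs straight into the file name).
SYSTEMLOOK_LOG = r"""
Searching for "afd.*"

C:\i386\afd.sys --a--c- 138496 bytes[14:48 10/02/2008][10:00 04/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys--a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\$NtUninstallKB2509553$\afd.sys-----c- 138496 bytes [13:15 14/04/2011] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\ServicePackFiles\i386\afd.sys -----c- 138112 bytes [01:00 19/08/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\system32\dllcache\afd.sys --a---- 138496 bytes [17:50 10/08/2004] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\system32\drivers\afd.sys--a---- 138496 bytes [17:50 10/08/2004] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37

-= EOF =-
"""

# One filefind hit: path, 7-character attribute field, size, two bracketed
# timestamps, MD5. SystemLook sometimes omits the space between the path and
# the attributes, so the path is matched lazily and a split only counts when
# the attribute field is directly followed by the size.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s*(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s*"
    r"\[(?P<created>[^\]]*)\]\s*\[(?P<modified>[^\]]*)\]\s*(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(log_text):
    """Return one dict per file hit; headers, blanks and the EOF marker are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits.append(hit)
    return hits


def classify(path):
    """Label a hit as the live driver, the dllcache copy, or a backup/uninstall copy."""
    p = path.lower()
    if "\\system32\\dllcache\\" in p:
        return "dllcache"
    if "\\system32\\drivers\\" in p:
        return "live"
    return "backup"


def assess_driver(hits):
    """Compare the live driver's MD5 with the dllcache copy and the other copies on disk.

    Agreement only proves the two copies are identical, not that either is clean;
    a check against known-good hashes (what Farbar reports as "MD5 is legit")
    remains the stronger test.
    """
    by_role = defaultdict(list)
    hash_counts = defaultdict(int)
    for h in hits:
        by_role[classify(h["path"])].append(h)
        hash_counts[h["md5"]] += 1
    live = by_role["live"][0] if by_role["live"] else None
    cache = by_role["dllcache"][0] if by_role["dllcache"] else None
    result = {
        "live_md5": live["md5"] if live else None,
        "dllcache_md5": cache["md5"] if cache else None,
        "matches_dllcache": bool(live and cache and live["md5"] == cache["md5"]),
        "copies_sharing_live_hash": hash_counts[live["md5"]] if live else 0,
        "distinct_hashes": len(hash_counts),
    }
    if live is None:
        result["verdict"] = "live driver missing"
    elif result["matches_dllcache"]:
        result["verdict"] = "live driver matches dllcache copy"
    else:
        result["verdict"] = "live driver differs from dllcache copy: restore from dllcache (FCopy)"
    return result


def tampered_hits():
    """Constructed variant (not from the thread): the live driver's hash is replaced
    with a made-up value so the mismatch branch can be exercised."""
    hits = parse_filefind(SYSTEMLOOK_LOG)
    for h in hits:
        if classify(h["path"]) == "live":
            h["md5"] = "0" * 32  # placeholder, not a real hash
    return hits


if __name__ == "__main__":
    for label, hits in (("thread log", parse_filefind(SYSTEMLOOK_LOG)),
                        ("constructed mismatch", tampered_hits())):
        r = assess_driver(hits)
        print(f"{label}: {r['verdict']} (live={r['live_md5']}, "
              f"dllcache={r['dllcache_md5']}, {r['distinct_hashes']} distinct hashes)")
```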
     
  15. kerry123

    kerry123 TS Rookie Topic Starter

    Still no internet. The TDSSKiller didn't find anything, either. Below is the log from ComboFix.


    ComboFix 12-05-10.02 - User 05/12/2012 23:36:53.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1308 [GMT -5:00]
    Running from: I:\ComboFix.exe
    Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\System32\NCS2DMIX.dll
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\system32\dllcache\afd.sys --> c:\windows\system32\Drivers\afd.sys
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-13 to 2012-05-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-10 17:01 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-05-10 17:01 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
    2012-05-10 17:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
    2012-05-10 17:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
    2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-05-08 16:29 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-07 20:10 . 2012-05-07 20:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-05-07 20:07 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-07 19:23 . 2012-05-07 19:36 -------- d-----w- C:\0791d0e706da230e5370ce063b270fa8
    2012-04-30 18:28 . 2012-04-30 18:28 -------- d-----w- c:\documents and settings\User\Application Data\Anvisoft
    2012-04-30 18:27 . 2012-05-07 19:32 -------- d-----w- c:\program files\Anvisoft
    2012-04-30 15:03 . 2012-04-30 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F3E00274A0700002205D151FC84
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-08 02:34 . 2011-11-07 14:23 525002 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-04-14 19:01 . 2011-07-08 23:35 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-05-10_17.05.25 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-05-13 04:44 . 2012-05-13 04:44 16384 c:\windows\Temp\Perflib_Perfdata_224.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-14 39408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-02-09 22:54 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/27/2011 1:11 PM 89792]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/8/2012 11:29 AM 654408]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/27/2011 12:45 PM 150856]
    R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe [3/26/2011 9:09 PM 104960]
    R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [3/26/2011 9:09 PM 14336]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/8/2012 11:29 AM 22344]
    S1 ivtfrvpp;ivtfrvpp;\??\c:\windows\system32\drivers\ivtfrvpp.sys --> c:\windows\system32\drivers\ivtfrvpp.sys [?]
    S1 kzpnvywc;kzpnvywc;\??\c:\windows\system32\drivers\kzpnvywc.sys --> c:\windows\system32\drivers\kzpnvywc.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 8:46 PM 136176]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [1/27/2011 1:11 PM 160608]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/27/2011 1:10 PM 57600]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 8:46 PM 136176]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/27/2011 1:11 PM 83856]
    S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/27/2011 1:11 PM 83856]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
    .
    2012-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 01:46]
    .
    2012-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 01:46]
    .
    2012-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2719611712-3216103391-934069528-1006Core.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 13:01]
    .
    2012-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2719611712-3216103391-934069528-1006UA.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 13:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig
    mSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    TCP: Interfaces\{5CEF0DF9-5522-4761-B288-90AB1C130086}: NameServer = 24.94.163.100
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-12 23:44
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(684)
    c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
    .
    - - - - - - - > 'explorer.exe'(3540)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-12 23:49:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-13 04:49
    ComboFix2.txt 2012-05-10 17:17
    .
    Pre-Run: 108,358,889,472 bytes free
    Post-Run: 108,540,825,600 bytes free
    .
    - - End Of File - - DF97EEEE04FE736B93700E63BAC3A8C3
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please remove both of these from the Trusted Zone. The security is lower in the zone, which makes the system vulnerable:
    Trusted Zone: internet
    Trusted Zone: mcafee.com

    You have put the entire internet in the Trusted Zone. That means all the settings you made for secure surfing are being overridden!

    Control Panel> Internet Options> Security tab> Trusted Sites> Sites> Highlight and remove any domain in this zone. Nothing needs to be in this zone! Click on Apply> OK when finished.
    =================================================

    What have you downloaded other than what I asked you to?

    The McAfee subscription expired, but it's still working- correct?
    You put Anvisoft on the system. It is still on the system- Please uninstall it.
    Did you actually do the full uninstall of MSE? Or did you just delete some files for it? Why do you think MSE caused the loss of connection?

    Please describe exactly what happens when you try to access the internet>> does a page load with a message in it? What is the message> Specifically
     
  17. kerry123

    kerry123 TS Rookie Topic Starter

    This is where I feel I'm going to sound like I don't know what I'm doing....I uninstalled McAfee since it was expired and we weren't going to renew it anyway, we were not happy with it. I put the AnviSoft on the computer before finding this forum - I was searching for solutions when the virus started so that was a recent addition; I just didn't know if that and the MSE combined might have conflicted. I was thinking my internet access had to do with MSE because it was after I downloaded it that I didn't have internet access anymore. I haven't downloaded anything else since the start of this thread, beyond instructions within the thread. I uninstalled MSE properly through Add or Remove Programs (at least I think I did it properly!)

    For Anvisoft, it's not showing up under my add/remove program list - but I can see there are still files on my computer when I search for it. Should I just delete those files? I can't locate an uninstall option - it looks like what is left on my computer are the files that were quarantined.

    When I try to connect, it tries to pull up my home page, then it gives the message "Internet Explorer cannot display the webpage" then goes on to say "What you can try: Diagnose Connection Problems" which we have tried but it refers us to our modem/router manual. We have tried shutting down the computers, router, modem then back up, but it didn't help the computer; the laptop still works fine for connection, and other devices work fine through the wireless router, it's just the personal computer that's still down.

    Sorry for the long entry...I removed the entries from the trusted sites area.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download Farbar Service Scanner
    • Check ALL boxes to include all files.
    • Press the Scan button
    • Log named FSS.txt will be created in the same directory as the tool
    • Please paste the log into your next reply
     
  19. kerry123

    kerry123 TS Rookie Topic Starter

    Farbar Service Scanner Version: 11-05-2012
    Ran by User (administrator) on 16-05-2012 at 20:01:28
    Running from "C:\Documents and Settings\User\Desktop"
    Microsoft Windows XP Home Edition Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Attempt to access Google IP returned error: Google IP is unreachable
    Attempt to access Yahoo IP returned error: Yahoo IP is unreachable

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys
    [2004-08-10 12:50] - [2008-10-16 09:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    Extra List:
    =======
    Gpc(6) IPSec(4) mfetdi2k(9) NetBT(13) NwlnkIpx(11) NwlnkNb(12) PSched(7) Tcpip(3) Tcpip6(10)
    0x0C0000000400000001000000020000000300000009000000050000000600000007000000080000000A0000000B0000000C000000
    IpSec Tag value is correct.
    **** End of log ****
     
  20. kerry123

    kerry123 TS Rookie Topic Starter

    Everything is working! The computer was set for a static IP address, instead of automatically obtaining one. We can now connect to the internet and everything is cleaned up. I want to thank you for all your help - it's amazing that you take time to help people with this, we appreciate it so much!

    Can you recommend virus protection, etc, that we should have in place? That's my last question - thank you!
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- I haven't been well and am far behind.

    Will you please repeat the Farbar Service scan so I can make sure all is well.
     
Topic Status:
Not open for further replies.
