I have run the ComboFix and have the log pasted below. I still can't access the internet - should I continue with the RKill step above anyway? I think the internet connection went out when I installed Microsoft Security Essentials - I uninstalled it before running the ComboFix, but it's still not accessing. I wonder if I've downloaded too many things and they are conflicting? (i.e. Malwarebytes, MSE, etc.) and maybe haven't properly cleaned them off?
ComboFix 12-05-10.02 - User 05/10/2012 11:51:30.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1652 [GMT -5:00]
Running from: I:\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.FRED\GoToAssistDownloadHelper.exe
c:\documents and settings\All Users\Application Data\66hVpjGwhuIMhY
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\User\g2mdlhlpx.exe
c:\documents and settings\User\GoToAssistDownloadHelper.exe
c:\documents and settings\User\My Documents\~WRL0005.tmp
c:\documents and settings\User\WINDOWS
c:\windows\$NtUninstallKB19498$
c:\windows\$NtUninstallKB19498$\3062547991
c:\windows\$NtUninstallKB19498$\96094608\@
c:\windows\$NtUninstallKB19498$\96094608\cfg.ini
c:\windows\$NtUninstallKB19498$\96094608\Desktop.ini
c:\windows\$NtUninstallKB19498$\96094608\L\odetmngk
c:\windows\$NtUninstallKB19498$\96094608\oemid
c:\windows\$NtUninstallKB19498$\96094608\U\00000001.@
c:\windows\$NtUninstallKB19498$\96094608\U\00000002.@
c:\windows\$NtUninstallKB19498$\96094608\U\00000004.@
c:\windows\$NtUninstallKB19498$\96094608\U\80000000.@
c:\windows\$NtUninstallKB19498$\96094608\U\80000004.@
c:\windows\$NtUninstallKB19498$\96094608\U\80000032.@
c:\windows\$NtUninstallKB19498$\96094608\version
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
.
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\$NtServicePackUninstall$\proquota.exe
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\system32\dllcache\netbt.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-04-10 to 2012-05-10 )))))))))))))))))))))))))))))))
.
.
2012-05-10 17:01 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-05-10 17:01 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2012-05-10 17:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2012-05-10 17:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-08 16:29 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-07 20:10 . 2012-05-07 20:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-05-07 20:07 . 2012-01-31 12:44 237072 ---h--w- c:\windows\system32\MpSigStub.exe
2012-05-07 19:23 . 2012-05-07 19:36 -------- d-----w- C:\0791d0e706da230e5370ce063b270fa8
2012-04-30 18:28 . 2012-04-30 18:28 -------- d--h--w- c:\documents and settings\User\Application Data\Anvisoft
2012-04-30 18:27 . 2012-05-07 19:32 -------- d--h--w- c:\program files\Anvisoft
2012-04-30 15:03 . 2012-04-30 16:35 -------- d--h--w- c:\documents and settings\All Users\Application Data\F4D55F3E00274A0700002205D151FC84
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 02:34 . 2011-11-07 14:23 525002 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-14 19:01 . 2011-07-08 23:35 24376 ---ha-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-14 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-09 22:54 10792 ---ha-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/27/2011 1:11 PM 89792]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/8/2012 11:29 AM 654408]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/27/2011 12:45 PM 150856]
R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe [3/26/2011 9:09 PM 104960]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [3/26/2011 9:09 PM 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/8/2012 11:29 AM 22344]
S1 ivtfrvpp;ivtfrvpp;\??\c:\windows\system32\drivers\ivtfrvpp.sys --> c:\windows\system32\drivers\ivtfrvpp.sys [?]
S1 kzpnvywc;kzpnvywc;\??\c:\windows\system32\drivers\kzpnvywc.sys --> c:\windows\system32\drivers\kzpnvywc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 8:46 PM 136176]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [1/27/2011 1:11 PM 160608]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/27/2011 1:10 PM 57600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 8:46 PM 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/27/2011 1:11 PM 83856]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/27/2011 1:11 PM 83856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 01:46]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 01:46]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2719611712-3216103391-934069528-1006Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 13:01]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2719611712-3216103391-934069528-1006UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 13:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 172.16.113.1
TCP: Interfaces\{5CEF0DF9-5522-4761-B288-90AB1C130086}: NameServer = 24.94.163.100
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-05-10 12:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(576)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2460)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-05-10 12:17:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-10 17:17
.
Pre-Run: 105,501,523,968 bytes free
Post-Run: 108,364,926,976 bytes free
.
- - End Of File - - 958F02092A2B38005ECA42A8E9D018AC