Solved XP Internet Security 2012

[Twoflower]

I have the dreaded XP Internet Security 2012 issue. I thought I had removed all traces of the files yesterday, however, I've been re-infected today.

Below are my log files. I did run RKill in order to access the internet.

Looks like I need to re-run Malwarebytes. I will do that and post the log

GMER

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-11 00:52:50
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541040G9SA00 rev.MB2IC60R
Running: dcp5t91h.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\pwqdraoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text mrxsmb.sys A88BE000 6 Bytes [00, C0, E9, 08, 0C, 00]
.text mrxsmb.sys A88BE007 46 Bytes [90, 90, 90, 90, 90, FF, 25, ...]
.text mrxsmb.sys A88BE036 24 Bytes [90, 90, 90, 90, 8B, FF, 55, ...]
.text mrxsmb.sys A88BE04F 31 Bytes [68, F0, 9B, 8D, A8, 56, E8, ...]
.text mrxsmb.sys A88BE070 246 Bytes [53, 68, 9A, E0, 8B, A8, 57, ...]
.text ...
? C:\WINDOWS\system32\DRIVERS\mrxsmb.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 019C000A
.text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 019D000A
.text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 019B000C
.text C:\WINDOWS\system32\SearchIndexer.exe[3668] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat A6BA2D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) A8955000-A8971000 (114688 bytes)

---- Files - GMER 1.0.15 ----

File C:\RRbackups\common 0 bytes
File C:\RRbackups\common\hints.dat 8192 bytes
File C:\RRbackups\common\mnd.dat 8192 bytes
File C:\RRbackups\common\regcerts.dat 8192 bytes
File C:\RRbackups\common\rr.log 757 bytes
File C:\RRbackups\common\SAM 28672 bytes
File C:\RRbackups\common\secpolicy.dat 53248 bytes
File C:\RRbackups\common\settings.dat 28672 bytes
File C:\RRbackups\common\system.dat 12288 bytes
File C:\RRbackups\common\tvtns.bin 23 bytes
File C:\RRbackups\common\usersids.dat 15600 bytes
File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\Admin 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Lenovo\Client Security Solution\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2892286239-3679062826-358022272-1005 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2892286239-3679062826-358022272-1005\43e3a4a9826996aba5d7727553958fbf_f98f56a2-efd3-4206-9e4e-8df438541ae1 1279 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2892286239-3679062826-358022272-1005\6b29ae44e85efac3c72ff4d1865d73f1_f98f56a2-efd3-4206-9e4e-8df438541ae1 53 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2892286239-3679062826-358022272-1005\83aa4cc77f591dfc2374580bbd95f6ba_f98f56a2-efd3-4206-9e4e-8df438541ae1 45 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2892286239-3679062826-358022272-1005\8f71098770f72c7a67cd8f1151619865_f98f56a2-efd3-4206-9e4e-8df438541ae1 54 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\8d9e96a6-6040-41fe-9013-b5f97e847600 388 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-2892286239-3679062826-358022272-1005 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-2892286239-3679062826-358022272-1005\3dbd08ca-ba50-4043-bf2a-bfa8816fccec 388 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-2892286239-3679062826-358022272-1005\8230652c-d1ce-4bb7-9db5-3284a4a0f023 388 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-2892286239-3679062826-358022272-1005\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\d798298d-45cc-4c54-aec1-daa1a9828fe8 388 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates\My\Certificates\60EA223EDC33A88A5A48C90EA53CEFB1555815D1 824 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Administrator 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\8d9e96a6-6040-41fe-9013-b5f97e847600 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\d798298d-45cc-4c54-aec1-daa1a9828fe8 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\All Users 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\PreloadInstall.ini 26 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a5bac492b8a12a9b6bf4a5681cc06a21_f98f56a2-efd3-4206-9e4e-8df438541ae1 888 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\42e7e898003fbdeb9585806ee1664b51_f98f56a2-efd3-4206-9e4e-8df438541ae1 57 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6b29ae44e85efac3c72ff4d1865d73f1_f98f56a2-efd3-4206-9e4e-8df438541ae1 53 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\83aa4cc77f591dfc2374580bbd95f6ba_f98f56a2-efd3-4206-9e4e-8df438541ae1 45 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_f98f56a2-efd3-4206-9e4e-8df438541ae1 54 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_f98f56a2-efd3-4206-9e4e-8df438541ae1 893 bytes
File C:\RRbackups\Documents and Settings\Default User 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\8d9e96a6-6040-41fe-9013-b5f97e847600 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\d798298d-45cc-4c54-aec1-daa1a9828fe8 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\WINDOWS\$NtUninstallKB61679$\1929418354 0 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056 0 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\bckfg.tmp 862 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\cfg.ini 198 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\L 0 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\L\hvmonmrs 456320 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U 0 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\80000032.@ 77312 bytes

---- EOF - GMER 1.0.15 ----

 

[Twoflower]

dds

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by Admin at 0:58:21 on 2012-01-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1320 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Admin\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.lenovo.com/us/en/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\docume~1\admin\locals~1\temp\hbcd\malwarebytes\mbam.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\admin\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {DA320635-F48C-4613-8325-D75A933C549E} - c:\program files\lenovo\system update\sulauncher.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1316042540428
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.3.0.cab
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\2hfy5ktp.default\
FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl1db3a864;MpKsl1db3a864;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{209edd50-bd0e-4d44-a6df-072fb1d3a45e}\MpKsl1db3a864.sys [2012-1-10 29904]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-7-14 3968]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2011-9-14 22568]
S1 MpKsl06ccec8b;MpKsl06ccec8b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25ba6c26-4edb-4ead-a1bd-220c8f1746a6}\mpksl06ccec8b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25ba6c26-4edb-4ead-a1bd-220c8f1746a6}\MpKsl06ccec8b.sys [?]
S1 MpKsl0770ef97;MpKsl0770ef97;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\mpksl0770ef97.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\MpKsl0770ef97.sys [?]
S1 MpKsl11058a3f;MpKsl11058a3f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{72490e94-9b08-49ef-9d37-6555f00c03f0}\mpksl11058a3f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{72490e94-9b08-49ef-9d37-6555f00c03f0}\MpKsl11058a3f.sys [?]
S1 MpKsl2d36424c;MpKsl2d36424c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33ca217f-84b8-4c6a-a016-ba4545eedf77}\mpksl2d36424c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33ca217f-84b8-4c6a-a016-ba4545eedf77}\MpKsl2d36424c.sys [?]
S1 MpKsl301d87ec;MpKsl301d87ec;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33ca217f-84b8-4c6a-a016-ba4545eedf77}\mpksl301d87ec.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33ca217f-84b8-4c6a-a016-ba4545eedf77}\MpKsl301d87ec.sys [?]
S1 MpKsl434c6522;MpKsl434c6522;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f14657cd-591b-4405-82f4-d26bbc8cd8c1}\mpksl434c6522.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f14657cd-591b-4405-82f4-d26bbc8cd8c1}\MpKsl434c6522.sys [?]
S1 MpKslba92c545;MpKslba92c545;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\mpkslba92c545.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\MpKslba92c545.sys [?]
S1 MpKslc11f3675;MpKslc11f3675;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\mpkslc11f3675.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\MpKslc11f3675.sys [?]
S1 MpKslf526b596;MpKslf526b596;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25ba6c26-4edb-4ead-a1bd-220c8f1746a6}\mpkslf526b596.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25ba6c26-4edb-4ead-a1bd-220c8f1746a6}\MpKslf526b596.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\admin\locals~1\temp\hbcd\superantispyware\sasdifsv.sys --> c:\docume~1\admin\locals~1\temp\hbcd\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\admin\locals~1\temp\hbcd\superantispyware\saskutil.sys --> c:\docume~1\admin\locals~1\temp\hbcd\superantispyware\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-10 41272]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-4-29 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
.exe=765
.
=============== Created Last 30 ================
.
2012-01-11 06:58:07 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{209edd50-bd0e-4d44-a6df-072fb1d3a45e}\MpKsl1db3a864.sys
2012-01-11 06:58:01 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{209edd50-bd0e-4d44-a6df-072fb1d3a45e}\offreg.dll
2012-01-11 06:15:19 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-11 06:09:30 374784 ----a-w- c:\documents and settings\admin\local settings\application data\xeq.exe
2012-01-10 08:40:27 -------- d-----w- c:\program files\ESET
2012-01-10 08:15:35 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{209edd50-bd0e-4d44-a6df-072fb1d3a45e}\mpengine.dll
2012-01-10 07:18:58 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-01-10 07:15:23 -------- d-sha-r- C:\cmdcons
2012-01-10 07:13:28 98816 ----a-w- c:\windows\sed.exe
2012-01-10 07:13:28 518144 ----a-w- c:\windows\SWREG.exe
2012-01-10 07:13:28 256000 ----a-w- c:\windows\PEV.exe
2012-01-10 07:13:28 208896 ----a-w- c:\windows\MBR.exe
2012-01-10 07:13:11 -------- d-----w- C:\ComboFix
2012-01-10 07:05:49 388096 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-01-10 07:05:47 -------- d-----w- c:\program files\Trend Micro
2012-01-10 06:14:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-10 06:05:40 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-01-10 05:01:18 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-10 03:01:55 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-01-10 03:01:54 -------- d-----w- c:\documents and settings\admin\application data\SUPERAntiSpyware.com
2011-12-19 03:28:17 -------- d-----w- c:\program files\SystemRequirementsLab
2011-12-19 03:17:29 -------- d-----w- C:\Intel
2011-12-19 02:46:19 -------- d-----w- c:\documents and settings\admin\application data\.minecraft
2011-12-19 02:45:49 -------- d-----w- c:\documents and settings\all users\application data\Ask
2011-12-14 02:01:40 -------- d-----w- C:\Ruby193
.
==================== Find3M ====================
.
2012-01-08 14:49:21 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 0:58:49.29 ===============

 

[Twoflower]

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/14/2011 12:55:46 PM
System Uptime: 1/10/2012 10:57:17 PM (2 hours ago)
.
Motherboard: LENOVO | | 0657AJU
Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | None | 1662/167mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 33 GiB total, 1.786 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP22: 12/5/2011 9:33:15 PM - Installed iTunes
RP23: 12/6/2011 7:32:21 AM - Software Distribution Service 3.0
RP24: 12/8/2011 6:10:23 PM - Software Distribution Service 3.0
RP25: 12/10/2011 7:33:26 AM - Software Distribution Service 3.0
RP26: 12/13/2011 4:14:13 PM - Software Distribution Service 3.0
RP27: 12/14/2011 4:21:15 PM - Software Distribution Service 3.0
RP28: 12/14/2011 4:31:30 PM - Software Distribution Service 3.0
RP29: 12/16/2011 4:56:29 PM - Software Distribution Service 3.0
RP30: 12/17/2011 4:58:49 PM - Software Distribution Service 3.0
RP31: 12/18/2011 6:41:06 PM - Software Distribution Service 3.0
RP32: 12/18/2011 6:44:49 PM - Installed Java(TM) 6 Update 30
RP33: 12/18/2011 6:45:42 PM - Installed Java Runtime Environment
RP34: 12/21/2011 11:09:39 PM - Software Distribution Service 3.0
RP35: 12/26/2011 6:07:20 PM - Software Distribution Service 3.0
RP36: 12/27/2011 6:39:58 PM - Software Distribution Service 3.0
RP37: 12/29/2011 8:43:17 AM - Software Distribution Service 3.0
RP38: 12/30/2011 5:01:00 PM - Software Distribution Service 3.0
RP39: 1/2/2012 6:25:17 PM - Software Distribution Service 3.0
RP40: 1/4/2012 7:15:14 AM - Software Distribution Service 3.0
RP41: 1/5/2012 7:04:07 AM - Software Distribution Service 3.0
RP42: 1/5/2012 4:34:23 PM - Software Distribution Service 3.0
RP43: 1/6/2012 5:37:09 PM - Software Distribution Service 3.0
RP44: 1/7/2012 6:12:48 PM - System Checkpoint
RP45: 1/7/2012 7:24:04 PM - Software Distribution Service 3.0
RP46: 1/9/2012 6:43:06 PM - Removed 8x8 Virtual Office for Salesforce
RP47: 1/9/2012 6:44:39 PM - Removed Ask Toolbar.
RP48: 1/9/2012 11:05:46 PM - Installed HiJackThis
RP49: 1/10/2012 12:15:23 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Access Help
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.1)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
CCleaner
CutePDF Writer 2.8
Diskeeper Lite
Dropbox
ESET Online Scanner v3
Google Chrome
Google Talk (remove only)
Help Center
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
iTunes
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 30
Java(TM) 7
LibreOffice 3.3
Malwarebytes' Anti-Malware version 1.51.2.1300
Message Center
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 8.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
PC-Doctor 5 for Windows
Productivity Center Supplement for ThinkPad
psqlODBC
Rescue and Recovery
Ruby 1.9.3-p0
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2559049)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
SoundMAX
Spybot - Search & Destroy
System Migration Assistant
System Requirements Lab for Intel
System Update
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Keyboard Customizer Utility
ThinkPad Modem
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad Presentation Director
ThinkPad TrackPoint Driver
ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
ThinkVantage Access Connections
ThinkVantage Away Manager
ThinkVantage Productivity Center
ThinkVantage System Update Toolbar Button for IE
ThinkVantage Technologies Welcome Message
TrackPoint Accessibility Features
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Wallpapers
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
XP Themes
.
==== Event Viewer Messages From Past Week ========
.
1/9/2012 9:35:34 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
1/9/2012 9:34:38 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
1/9/2012 9:30:03 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
1/9/2012 8:57:43 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
1/9/2012 7:43:20 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
1/9/2012 7:33:37 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
1/9/2012 7:25:57 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
1/9/2012 7:01:56 PM, error: Service Control Manager [7000] - The SASKUTIL service failed to start due to the following error: The system cannot find the file specified.
1/9/2012 6:18:02 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
1/9/2012 6:05:02 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
1/9/2012 6:04:58 PM, error: Service Control Manager [7023] - The Diskeeper service terminated with the following error: The service has not been started.
1/9/2012 6:01:26 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
1/9/2012 11:57:24 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
1/9/2012 11:47:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV
1/9/2012 11:18:33 PM, error: Service Control Manager [7034] - The tvtnetwk service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 11:18:32 PM, error: Service Control Manager [7034] - The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 11:18:32 PM, error: Service Control Manager [7031] - The Ac Profile Manager Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/9/2012 11:14:23 PM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
1/9/2012 10:02:57 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
1/10/2012 10:38:53 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
.
==== End Of File ===========================

 

[Twoflower]

Malwarebytes' Anti-Malware
www.malwarebytes.org

Database version:

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/11/2012 7:52:16 AM
mbam-log-2012-01-11 (07-52-16).txt

Scan type: Quick scan
Objects scanned: 189947
Time elapsed: 40 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Admin\Local Settings\Application Data\xeq.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Admin\Local Settings\Application Data\xeq.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Admin\Local Settings\Application Data\xeq.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[Bobbye]

Welcome to TechSpot! I'll help you fins the entries for this malware.

I note you have run several cleaning scans. I'd like you to uninstall those programs and download another program from my links. These will include:

1. Uninstall ComboFix and all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  2. MBR.exe
  3. If HJT has been set up in it's own Directory and is the most current version v2.0.4, you can keep it as I will have you run it later.
  4. If the Malwarebytes is the latest, Malwarebytes' Anti-Malware from from HERE you can keep it.
  
  And although you may have run some of the programs below, You need to follow the order and instructions below.You may not have all of the symptoms below, but if you have any other symptoms, please advise me.
  ========================================
  Please read through all of the instructions before you begin. It would be helpful to you if they were printed out.
  Rogue Internet Security 2012 Description:
  1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random consisting of three characters
  2. Clicking on any executable loads the malware
  3. Display fake security alerts on the infected computer.
  4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
  5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.
  To fix #5, you start here: Download a Registry file that will fix these changes.
  Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
  • Insert the removable device into the infected computer and open the folder the drive letter associated with it.(Usually C)
  • Double click the FixNCR.reg file
  • You should now be able to run the .exe files.
  -------------------------------------
  To end the processes that belong to the rogue program:
  Please click on RKill
  • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
  • Double click on the iExplore.exe icon
  • Please be patient- it may take a bit.
  • The black Window will close when through and you can continue.
  Note: If you get a message that RKill is malware, ignore it> it's from the malware.
  =======================================
  Do not reboot your computer after running RKill as the malware programs will start again.
  ================================
  Update and rescan with Malwarebytes:
  • Select Perform Full Scan on the Scanner tab
  • Click on the Scan button.
  • When scan has finished, you will see this image:
    
    
  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
  ==============================
  This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
  To run the Eset Online Virus Scan:
  If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"
     
     If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
     [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
     [o] Double click on the desktop icon to run.
     [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
     
  4. Continue with the directions.
     
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
     
     
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives/
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
  NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
  ===============================
  Please leave all logs in next reply: TDSSKiller, rKill, Malwarebytes Full Scan, Eset Online Scan
  ================================
  My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process..
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
  If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
  =====================================

 

[Twoflower]

Thanks Bobbye below is the results of the scan. Please note that I wasn't able to uninstall ComboFix. I would received an error message stating that it was not able to find Combofix. Also, I did not see in the instructions to run TDSKiller so I do not have a log file for it.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/11/2012 at 8:38:36.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Documents and Settings\Admin\Application Data\Dropbox\bin\Dropbox.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe


Rkill completed on 01/11/2012 at 8:38:41.


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.11.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Admin :: LENOVO-D227DC02 [administrator]

1/11/2012 8:42:06 AM
mbam-log-2012-01-11 (08-42-06).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 278132
Time elapsed: 1 hour(s), 5 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Documents and Settings\Admin\Local Settings\Application Data\xeq.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.4765355347349418.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.9013803349107921.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

(end)
=======================================================

Eset Online Scan

C:\WINDOWS\system32\drivers\mrxsmb.sys a variant of Win32/Rootkit.Kryptik.HD trojan
Operating memory multiple threats

 

[Twoflower]

Bump for feedback on info

Looking for feedback based on the scans that I ran. I still have a problem and not sure where I should go next.

Thanks,
Twoflower

 

[Bobbye]

Rogue Antispyware, Antivirus, Security, Home Security , Internet Security 2012

1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random consisting of three characters
2. Clicking on any executable loads the malware
3. Display fake security alerts on the infected computer.
4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

To fix #5, you start here: Download a Registry file that will fix these changes.
Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

• Insert the removable device into the infected computer and open the folder the drive letter associated with it.(Usually C)
• Double click the FixNCR.reg file
• You should now be able to run the .exe files.

-------------------------------------
To end the processes that belong to the rogue program:
Please click on RKill

• At the download page, click on Download now button for iExplore.exe download link and save to the desktop
• Double click on the iExplore.exe icon
• Please be patient- it may take a bit.
• The black Window will close when through and you can continue.

Note: If you get a message that RKill is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
================================
Update and rescan with Malwarebytes:

• Select Perform Full Scan on the Scanner tab
• Click on the Scan button.
• When scan has finished, you will see this image:
  
  
• Click on OK to close box and continue.
• Click on the Show Results button.
• Click on the Remove Selected button to remove all the listed malware.
• At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.

==============================
This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
To run the Eset Online Virus Scan:
If you use Internet Explorer:

1. Open the ESETOnlineScan
2. Skip to #4 to "Continue with the directions"
   
   If you are using a browser other than Internet Explorer
3. Open Eset Smart Installer
   [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
   [o] Double click on the desktop icon to run.
   [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
   
4. Continue with the directions.
   
5. Check 'Yes I accept terms of use.'
6. Click Start button
7. Accept any security warnings from your browser.
   
   
8. Uncheck 'Remove found threats'
9. Check 'Scan archives/
10. Leave remaining settings as is.
11. Press the Start button.
12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
13. When the scan completes, press List of found threats
14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
15. Push the Back button, then Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
================================
Don't bump again.

 

[Twoflower]

Log Files

Sorry for the bump. Below are the 3 log files.

Thanks
Twoflower

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/13/2012 at 19:21:42.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 01/13/2012 at 19:21:47.
=================================================
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.11.05

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: LENOVO-D227DC02 [administrator]

1/13/2012 7:24:15 PM
mbam-log-2012-01-13 (19-24-15).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 277329
Time elapsed: 46 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
======================================================

ESETScan

C:\WINDOWS\system32\drivers\mrxsmb.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\WINDOWS\Temp\1.4682851395858731E7.tmp a variant of Win32/Kryptik.YVK trojan
Operating memory multiple threats

 

[Bobbye]

Still getting active malware:

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Files 
  C:\WINDOWS\system32\drivers\mrxsmb.sys 
  C:\WINDOWS\Temp\1.4682851395858731E7.tmp 
  Operating memory multiple threats 
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
Do you have any of the original; XP Internet Security problems remaining?

 

[Twoflower]

OTMovit by Old Timer

I wasn't seeing the XP Internet Security 2012 alerts anymore. I was still seeing pop-ups when using Firefox for ads.

Thank you for all the help. After re-boot, the system is running much faster. Hopefully this was the end of it.

All processes killed
========== FILES ==========
C:\WINDOWS\system32\drivers\mrxsmb.sys moved successfully.
C:\WINDOWS\Temp\1.4682851395858731E7.tmp moved successfully.
File/Folder Operating memory multiple threats not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Admin
->Temp folder emptied: 12989185 bytes
->Temporary Internet Files folder emptied: 442460 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 46042509 bytes
->Google Chrome cache emptied: 162318387 bytes
->Flash cache emptied: 1842 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 99050 bytes
->Temporary Internet Files folder emptied: 371370630 bytes
->Flash cache emptied: 38469 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21788698 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1737 bytes

Total Files Cleaned = 587.00 mb

 

[Twoflower]

More logs

After running OTMovit by Old Timer, everything seemed to be running without problems then the process went to 100%. Because of this, I ran Rkill, Malwarebytes, and ESETScan again. Below are the logs. I'm afraid I re-infected myself when I launched Firefox and it re-loaded the tabs that were previously open. I had not closed all the ads. (smacking myself upside the head)

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/15/2012 at 10:24:18.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 01/15/2012 at 10:24:21.
==================================================
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.11.05

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: LENOVO-D227DC02 [administrator]

1/15/2012 10:25:14 AM
mbam-log-2012-01-15 (10-25-14).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 266576
Time elapsed: 36 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
=================================================
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\27\227948db-7bcc88b7 a variant of Win32/Kryptik.YXO trojan

 

[Bobbye]

You're welcome! This may help with the pop ups in Firefox:

• Tracking Cookies
  Reset Cookie:
  [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
  [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
  I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
  AdBlock Plus
  Easy List
  [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
  
• Do regular Maintenance
  Clean the temporary internet files often:
  [o] Temporary File Cleaner]
  or
  [o] ATF Cleaner by Atribune

================================
Per OTM> Total Files Cleaned = 587.00 mb you were still having a lot of files removed , so I encourage you to go ahead with number #2. Add to that: Disc Cleanup, Error Check and Defrag on a regular schedule.
===============================
If we have resolved the problem, you can remove all of the tools we used and the files and folders they created

• Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

• Download OTCleanIt by OldTimer and save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------

• You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to > System Tools.
  [*]Choose Disc Cleanup
  [*]Click "OK" to select the partition or drive you want.
  [*]Click the "More Options" Tab.
  [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
================================
Here are some additional tips to help keep the system clean:
Tips for added security and safer browsing: (Links are in Bold Blue)

1. Browser Security
   [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
   [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
   [o] Replace the Host Files
   [o] Google Toolbar Pop Up Blocker
   [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
   
2. Have layered Security:
   [o]Antivirus :(only one):Both of the following programs are free and known to be good:
   [o]Avira-AntiVir-Personal-Free-Antivirus
   [o]Avast-Free Antivirus
   [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
   [o]Comodo
   [o]Zone Alarm
   
3. Antimalware: I recommend all of the following:
   [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
   [o]Spybot Search & Destroy
   
4. Updates: Stay current:
   [o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
   [o]Adobe Reader Install current, uninstall old.
   [o]Java Updates Install current, uninstall old.
5. Restore Points:
   [o]See System Restore Guide
6. Safe Email Handling
   [o] Don't open email from anyone you don't know.
   [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
   [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

Please let me know if you find any bad link.