Solved Browser redirect virus


lizabet

My computer is being plagued by the browser redirect virus. I have Symantec Antivirus, but a full system scan came up clean. I've done a lot of Googling and a lot of entries came up about a tdssserv.sys Trojan, but I can't seem to find the file in Device Manager. I suspect that it might be a virus that's somehow affecting my router? But a hard reset didn't fix the problem either. Attached are the requested logs.

A few other things you might want to know: My PC is probably about 10 years old, currently running Windows XP. I am using the latest version of IE and Firefox, but both have been affected. I use Chrome on my Macbook (OS X v10.6), which is connected to my home router via wireless and has also been affected, but to a much lesser extent. I'm not exactly the most tech savvy, so any help will be appreciated, thanks!

PS. Yeah, I know I have a lot of junk installed, just never got around to deleting anything, haha.
 

Attachments

  • mbam-log-2010-08-16 (15-07-16).txt (895 bytes)
  • gmer.log (21.4 KB)
  • dds.txt (16.2 KB)
  • attach.txt (14.9 KB)
Welcome aboard


Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add/Remove Programs (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

=====================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop.
Open this report and post its content in your next reply.

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Here are the requested log files.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 126):
0x804D7000 \windows\system32\ntoskrnl.exe
0x806EC000 \windows\system32\hal.dll
0xF7987000 \windows\system32\KDCOM.DLL
0xF7897000 \windows\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \windows\System32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7A4F000 PCIIde.sys
0xF7707000 \windows\System32\Drivers\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF798D000 dmload.sys
0xF74B2000 dmio.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF749A000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \windows\System32\DRIVERS\CLASSPNP.SYS
0xF747A000 fltmgr.sys
0xF7468000 sr.sys
0xF741F000 pxfsf.sys
0xF798F000 \windows\system32\DRIVERS\pxcom.SYS
0xF7408000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF786A000 NDIS.sys
0xF784F000 Mup.sys
0xF7537000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF77CF000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xB9D47000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF77D7000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xB9B77000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
0xB9B63000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF77DF000 \SystemRoot\system32\drivers\als4000.sys
0xB9B3F000 \SystemRoot\system32\drivers\portcls.sys
0xF7527000 \SystemRoot\system32\drivers\drmk.sys
0xB9B1C000 \SystemRoot\system32\drivers\ks.sys
0xB9AF9000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF77EF000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF7517000 \SystemRoot\System32\DRIVERS\serial.sys
0xF7933000 \SystemRoot\System32\DRIVERS\serenum.sys
0xB9AE5000 \SystemRoot\System32\DRIVERS\parport.sys
0xF7507000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF77F7000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF7937000 \SystemRoot\system32\drivers\pfc.sys
0xF74F7000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xBA717000 \SystemRoot\System32\DRIVERS\redbook.sys
0xBA707000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA22A000 \SystemRoot\System32\DRIVERS\audstub.sys
0xBA6F7000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF793F000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB9AB9000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xBA6E7000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xBA6D7000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF77FF000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB9AA8000 \SystemRoot\System32\DRIVERS\psched.sys
0xBA6C7000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF7807000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF780F000 \SystemRoot\System32\DRIVERS\raspti.sys
0xB99C6000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xBA697000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF772F000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF79A1000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB996D000 \SystemRoot\System32\DRIVERS\update.sys
0xBA7F0000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xBA687000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7667000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF79A3000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF7747000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xB6845000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
0xB6823000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xB680F000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
0xF791F000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF7697000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xF774F000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xB9969000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xB9965000 \SystemRoot\system32\DRIVERS\pxrd.sys
0xF79C7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7A6E000 \SystemRoot\System32\Drivers\Null.SYS
0xF79C9000 \SystemRoot\System32\Drivers\Beep.SYS
0xF776F000 \SystemRoot\System32\drivers\vga.sys
0xF79CB000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79CD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF777F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7787000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB995D000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xB6391000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xB6339000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xB62FE000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xF779F000 \SystemRoot\system32\DRIVERS\pxtdi.sys
0xB62D6000 \SystemRoot\System32\DRIVERS\netbt.sys
0xB62B4000 \SystemRoot\System32\drivers\afd.sys
0xB9A78000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF77A7000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xB6252000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0xB6231000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xB9A58000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xB6206000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xB6197000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xB9A38000 \SystemRoot\System32\Drivers\Fips.SYS
0xB6139000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xB611C000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xB9A08000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB6104000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79D9000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA7B0000 \SystemRoot\System32\drivers\Dxapi.sys
0xB992D000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA234000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB5FD4000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xB5B81000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB599D000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xB5988000 \SystemRoot\system32\drivers\wdmaud.sys
0xB5BE4000 \SystemRoot\system32\drivers\sysaudio.sys
0xF79A7000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB56BF000 \SystemRoot\System32\DRIVERS\srv.sys
0xB5246000 \SystemRoot\System32\Drivers\HTTP.sys
0xB53FF000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xAFC95000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100816.016\navex15.sys
0xAFC81000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100816.016\naveng.sys
0xAFC56000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 41):
0 System Idle Process
4 System
612 C:\WINDOWS\system32\smss.exe
676 csrss.exe
700 C:\WINDOWS\system32\winlogon.exe
748 C:\WINDOWS\system32\services.exe
760 C:\WINDOWS\system32\lsass.exe
920 C:\WINDOWS\system32\svchost.exe
1020 svchost.exe
1076 C:\WINDOWS\system32\svchost.exe
1220 svchost.exe
1364 svchost.exe
1372 C:\WINDOWS\explorer.exe
1448 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1516 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1616 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
1676 C:\WINDOWS\system32\spoolsv.exe
1852 svchost.exe
1940 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1980 C:\Program Files\Bonjour\mDNSResponder.exe
2000 C:\Program Files\Symantec AntiVirus\DefWatch.exe
140 C:\Program Files\Java\jre6\bin\jqs.exe
216 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
416 C:\WINDOWS\system32\svchost.exe
444 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
1184 C:\Program Files\Canon\CAL\CALMAIN.exe
1812 wmiprvse.exe
2192 alg.exe
2232 C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
2284 C:\Program Files\iTunes\iTunesHelper.exe
2296 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2308 C:\PROGRA~1\SYMANT~1\VPTray.exe
2324 C:\Program Files\Messenger\msmsgs.exe
2340 C:\WINDOWS\system32\ctfmon.exe
2856 C:\Program Files\iPod\bin\iPodService.exe
3020 C:\WINDOWS\system32\WgaTray.exe
3104 C:\WINDOWS\system32\wuauclt.exe
764 C:\Program Files\Internet Explorer\iexplore.exe
3952 C:\Program Files\Internet Explorer\iexplore.exe
2604 C:\Program Files\Internet Explorer\iexplore.exe
408 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3160021A, Rev: 8.01

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
ComboFix 10-08-16.03 - Administrator 08/16/2010 21:19:50.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.704 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Prevx 2.0 *On-access scanning disabled* (Outdated) {557C3342-BC52-4508-AC25-4441BDF5C04C}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\uses32.dat

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.

2010-08-16 18:51 . 2010-08-16 18:56 -------- d-----w- c:\windows\system32\wbem\Logs
2010-08-16 17:19 . 2010-08-16 17:19 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-08-16 11:20 . 2010-08-16 16:41 -------- d-----w- c:\windows\ie8updates
2010-08-16 11:09 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-16 11:09 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-16 11:09 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-16 05:03 . 2010-08-16 05:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-16 04:59 . 2010-08-16 04:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-16 03:02 . 2010-08-16 03:07 -------- dc-h--w- c:\windows\ie8
2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-16 02:16 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-16 02:16 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 01:33 . 2010-05-17 20:33 -------- d-----w- c:\program files\Symantec AntiVirus
2010-08-17 01:31 . 2007-08-16 01:01 -------- d-----w- c:\program files\Prevx2
2010-08-17 01:08 . 2007-08-09 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-08-17 01:08 . 2007-08-09 22:22 -------- d-----w- c:\program files\Viewpoint
2010-08-16 22:04 . 2009-03-26 20:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-08-16 18:31 . 2007-08-21 20:23 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-29 01:17 . 2007-12-24 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
2010-06-29 01:17 . 2009-09-25 22:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\CameraWindowDC
2010-06-18 22:54 . 2007-08-16 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Prevx
2010-06-14 14:30 . 2007-07-21 19:10 743936 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrevxOne"="c:\program files\Prevx2\PXConsole.exe" [2008-01-23 1997880]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-24 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\1186698198\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\NJStar Communicator\\MINISMTP.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [8/15/2007 9:02 PM 28040]
R3 als4k;Avance Audio Miniport Driver (WDM);c:\windows\system32\drivers\als4000.sys [8/11/2007 1:05 PM 25674]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 6:58 PM 102448]
S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe --> c:\program files\iWin Games\iWinTrusted.exe [?]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [8/15/2007 9:02 PM 107912]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
.
Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-17 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-05 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\uqzp8njt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-Aim6 - (no file)
AddRemove-AOL Explorer - c:\program files\Common Files\AOL\1186698198\ee\services\browser\ver1_1_1042\uninst.exe
AddRemove-Cooking Academy 2 World Cuisine_is1 - c:\program files\Cooking Academy 2 World Cuisine\ReflexiveArcade\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 21:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1960408961-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,92,bb,5a,ac,fd,de,47,97,6e,80,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,92,bb,5a,ac,fd,de,47,97,6e,80,\

[HKEY_USERS\S-1-5-21-1060284298-1960408961-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7FB13693-8AF5-DA47-CD45-EF95D01E4401}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaadbciabehlpffljcieajhhfkkhdh"=hex:6b,61,6a,62,6c,68,66,6d,6b,62,61,66,62,70,
6e,66,6f,6a,66,68,62,6e,00,00
"nagelakockidjelaobmjancliaim"=hex:6b,61,6a,62,6c,68,66,6d,6b,62,61,66,62,70,
6e,66,6f,6a,66,68,62,6e,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2010-08-16 21:40:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 01:40

Pre-Run: 105,155,895,296 bytes free
Post-Run: 105,184,063,488 bytes free

- - End Of File - - 4C5B08B97E567442B41EA5AB93F5A50E

By the way, after being prompted to install the Recovery Console, I received an error message saying that the "Boot partition cannot be enumerated correctly." I was then asked if I would like to continue scanning, so I clicked yes. Not sure if that's an issue, just wanted to let you know.
 
Let's see if you'll be able to install Recovery Console on the next Combofix run.
Delete your Combofix file and download a fresh one.

Then.....

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Folder::
c:\documents and settings\All Users\Application Data\Viewpoint


Driver::
iWinTrusted


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

RegNull::
[HKEY_USERS\S-1-5-21-1060284298-1960408961-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7FB13693-8AF5-DA47-CD45-EF95D01E4401}*]


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
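Added example, not part of this thread and not code from ComboFix, MBRCheck or Gmer: a small Python script that pulls out of a ComboFix log the same four things the helper's CFScript above acts on, namely an IE proxy pointing at the machine itself (the 127.0.0.1:5555 entry in the first log), the Security Center values that suppress the antivirus status, a service entry whose binary ComboFix marks as not found with [?] (iWinTrusted), and the missing Recovery Console warning. The log excerpt inside the script is constructed from lines of the log posted above; the extra Security Center value names beyond AntiVirusOverride and DisableMonitoring are the standard XP ones and are an assumption beyond what the thread shows.

```python
"""Flag the actionable lines in a ComboFix log (added example, not a ComboFix feature)."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Constructed excerpt modelled on the ComboFix log posted in this thread.
# Only the lines the checks look at are included; a real log is far longer.
SAMPLE_LOG = """\
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
R1 PREVXTdi;PREVX TDI filter;c:\\windows\\system32\\drivers\\pxtdi.sys [8/15/2007 9:02 PM 28040]
S2 iWinTrusted;iWinTrusted;c:\\program files\\iWin Games\\iWinTrusted.exe --> c:\\program files\\iWin Games\\iWinTrusted.exe [?]
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$")
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")

# Security Center switches that hide or override AV/firewall status.  The first
# two appear in this thread's log; the rest are the standard XP names (assumption).
SEC_CENTER_FLAGS = {
    "AntiVirusOverride", "FirewallOverride", "DisableMonitoring",
    "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
}


def parse_proxy_setting(value: str) -> Dict[str, str]:
    """Split an IE ProxyServer value into {scheme: "host:port"}.

    IE stores either one "host:port" for every protocol (keyed "*" here) or a
    ";"-separated list of "scheme=host:port" entries.
    """
    entries: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:  # no "=": the single entry applies to every scheme
            scheme, hostport = "*", scheme
        entries[scheme.strip().lower()] = hostport.strip()
    return entries


def is_loopback(hostport: str) -> bool:
    """True when the proxy host is the local machine (127.x, ::1, localhost)."""
    h = hostport.strip().lower()
    if h.startswith("[") and "]" in h:      # [v6-literal]:port
        host = h[1:h.index("]")]
    elif h.count(":") <= 1:                 # host or host:port
        host = h.split(":")[0]
    else:                                   # bare IPv6 literal without a port
        host = h
    return host in ("localhost", "::1") or host.startswith("127.")


def analyze_combofix_log(text: str) -> List[Finding]:
    """Walk the log line by line and return the findings a helper would act on."""
    findings: List[Finding] = []
    current_key = ""  # registry key of the most recent [..] header
    for raw in text.splitlines():
        line = raw.rstrip()
        if "DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED" in line:
            findings.append(("recovery-console", "Recovery Console not installed"))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = DWORD_RE.match(line)
        if m and "security center" in current_key:
            name, val = m.group("name"), int(m.group("hex"), 16)
            if name in SEC_CENTER_FLAGS and val != 0:
                findings.append(("security-center", f"{name}={val} under [{current_key}]"))
            continue
        m = PROXY_RE.match(line)
        if m:
            for scheme, hostport in parse_proxy_setting(m.group("value")).items():
                if is_loopback(hostport):
                    findings.append(("local-proxy", f"{scheme} traffic routed through {hostport} on this machine"))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("rest").endswith("[?]"):  # ComboFix's marker for a binary it could not find
            findings.append(("orphan-service", f"service {m.group('name')} points at a missing binary"))
    return findings


if __name__ == "__main__":
    for category, detail in analyze_combofix_log(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run it against a saved C:\ComboFix.txt by passing the file contents to analyze_combofix_log; the local-proxy finding is the one that explains the redirects in this thread, since every HTTP request from IE was being handed to a process listening on port 5555 on the same machine before it ever reached the router.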
 
I got the same error message when trying to install Recovery Console. Here is the log.

ComboFix 10-08-16.03 - Administrator 08/16/2010 22:15:02.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.697 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Prevx 2.0 *On-access scanning disabled* (Outdated) {557C3342-BC52-4508-AC25-4441BDF5C04C}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IWINTRUSTED
-------\Service_iWinTrusted


((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.

2010-08-16 18:51 . 2010-08-16 18:56 -------- d-----w- c:\windows\system32\wbem\Logs
2010-08-16 17:19 . 2010-08-16 17:19 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-08-16 11:20 . 2010-08-16 16:41 -------- d-----w- c:\windows\ie8updates
2010-08-16 11:09 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-16 11:09 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-16 11:09 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-16 05:03 . 2010-08-16 05:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-16 04:59 . 2010-08-16 04:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-16 03:02 . 2010-08-16 03:07 -------- dc-h--w- c:\windows\ie8
2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-16 02:16 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-16 02:16 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 02:28 . 2010-05-17 20:33 -------- d-----w- c:\program files\Symantec AntiVirus
2010-08-17 02:27 . 2007-08-16 01:01 -------- d-----w- c:\program files\Prevx2
2010-08-17 01:08 . 2007-08-09 22:22 -------- d-----w- c:\program files\Viewpoint
2010-08-16 22:04 . 2009-03-26 20:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-08-16 18:31 . 2007-08-21 20:23 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-29 01:17 . 2007-12-24 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
2010-06-29 01:17 . 2009-09-25 22:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\CameraWindowDC
2010-06-18 22:54 . 2007-08-16 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Prevx
2010-06-14 14:30 . 2007-07-21 19:10 743936 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrevxOne"="c:\program files\Prevx2\PXConsole.exe" [2008-01-23 1997880]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-24 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\1186698198\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\NJStar Communicator\\MINISMTP.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [8/15/2007 9:02 PM 28040]
R3 als4k;Avance Audio Miniport Driver (WDM);c:\windows\system32\drivers\als4000.sys [8/11/2007 1:05 PM 25674]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 6:58 PM 102448]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [8/15/2007 9:02 PM 107912]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
.
Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-17 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-05 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\uqzp8njt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 22:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1960408961-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,92,bb,5a,ac,fd,de,47,97,6e,80,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,92,bb,5a,ac,fd,de,47,97,6e,80,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2344)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-16 22:33:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 02:32
ComboFix2.txt 2010-08-17 01:40

Pre-Run: 105,172,656,128 bytes free
Post-Run: 105,094,598,656 bytes free

- - End Of File - - BAD2B9F4E25049FB21682DA20E386E93
 
Very good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
The OTL logs are a bit long, so they are attached.
 

Attachments:
  • OTL.Txt (85 KB)
  • Extras.Txt (35.4 KB)
Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

======================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    [4 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
    [1 C:\Documents and Settings\Administrator\My Documents\*.tmp files -> C:\Documents and Settings\Administrator\My Documents\*.tmp -> ]
    [2008/12/24 17:51:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin Games
    @Alternate Data Stream - 185 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:766442E5
    @Alternate Data Stream - 172 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E3E060F
    @Alternate Data Stream - 159 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CAE2C3A5
    @Alternate Data Stream - 154 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9A953997
    @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:60516BC3
    @Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A724744F
    @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:70E897B5
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4DCBA8B
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:814B9485
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:52067872
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9F50A55A
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3B3A35EC
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:622D0DED
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4D066AD2
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E8BF029E
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D708EEF9
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:172EB9B5
    @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9AB338B9
    @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3E06C78F
    @Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6C13E971
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9C012695
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:61AF2B29
    @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A93CCA6B
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" =-
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

======================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
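As an added example (not code from this thread, from ComboFix or from OTL), here is a small Python triage script for the kind of log an analyst reviews before writing an OTL fix like the one above. It walks ComboFix/OTL-style lines once, keeping track of the current registry key, and flags the entry classes the fix acted on: a Security Center `DisableMonitoring` value set to 1 (only when it sits under `Security Center\Monitoring`), the O6/O7 Internet Explorer policy keys, alternate data streams, and a Firefox search pref whose host is not one the user expects (the first thing to check when the complaint is "my searches get redirected"). The sample log lines are constructed to mirror entries in this thread's logs, and the allow-list of expected search hosts is an assumption for the example.

```python
"""Triage ComboFix / OTL style log lines for the entry classes a malware-removal
helper acts on.  Added example for this thread; not code from ComboFix, OTL or
the forum.  Sample input and the allow-list are constructed for the example."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    category: str   # short tag an analyst can filter on
    detail: str     # the specific value that triggered the flag
    line: str       # the raw log line, kept for the report


# Registry key headers in ComboFix output look like "[HKEY_LOCAL_MACHINE\...]".
KEY_HEADER_RE = re.compile(r"^\[(HK[^\]]+)\]$")
# Security Center "DisableMonitoring" = 1 hides the AV's status from Windows.
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
# OTL O6/O7 lines: policy keys that lock IE settings or the Control Panel.
IE_POLICY_RE = re.compile(
    r"^O[67] - (HK(?:LM|CU)\\Software\\Policies\\Microsoft\\Internet Explorer\\.+?) present$")
# Firefox search prefs are the first place to look for search redirection.
FF_SEARCH_RE = re.compile(
    r"^FF - prefs\.js: (browser\.search\.defaulturl|keyword\.URL) - (hxxp://\S+)$")
# OTL lists NTFS alternate data streams, which normal directory listings hide.
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+):([0-9A-F]{8})$")

# Hosts the user expects searches to go to (constructed allow-list for the example).
EXPECTED_SEARCH_HOSTS = {"www.google.com"}


def search_host(defanged_url: str) -> str:
    """Return the hostname of a log URL; these logs defang http:// as hxxp://."""
    return urlsplit(defanged_url.replace("hxxp://", "http://", 1)).hostname or ""


def triage_text(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key for context."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_HEADER_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        # The value only means "AV status override" under Security Center\Monitoring;
        # the same value name under an unrelated key is ignored.
        if DISABLE_MON_RE.match(line) and r"security center\monitoring" in current_key:
            findings.append(Finding("security-center", current_key, line))
            continue
        m = FF_SEARCH_RE.match(line)
        if m:
            host = search_host(m.group(2))
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(Finding("search-pref", host, line))
            continue
        m = IE_POLICY_RE.match(line)
        if m:
            findings.append(Finding("ie-policy", m.group(1), line))
            continue
        m = ADS_RE.match(line)
        if m:
            size, path, stream = m.groups()
            findings.append(Finding("ads", f"{size}-byte stream {path}:{stream}", line))
    return findings


def report(findings: List[Finding]) -> str:
    """One line per finding, grouped the way a helper would list them in a fix."""
    return "\n".join(f"[{f.category}] {f.detail}" for f in findings)


# Constructed sample mirroring the entries seen in this thread's logs.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
@Alternate Data Stream - 185 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:766442E5
"""

if __name__ == "__main__":
    print(report(triage_text(SAMPLE_LOG)))
```

Run it on a saved ComboFix or OTL log by passing the file's text to `triage_text`. The key-context check matters: a `DisableMonitoring` value with no `Security Center\Monitoring` key above it is not reported, and a search pref pointing at an expected host is left alone, so the output lists only the entries worth a second look rather than every registry line.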
 
Here are the requested logs.

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
C:\windows\System32\CONFIG.TMP deleted successfully.
C:\windows\System32\SETC1.tmp deleted successfully.
C:\windows\System32\SETC4.tmp deleted successfully.
C:\windows\System32\SETD3.tmp deleted successfully.
C:\Documents and Settings\Administrator\My Documents\~WRL0001.tmp deleted successfully.
C:\Documents and Settings\All Users\Application Data\iWin Games\opal folder moved successfully.
C:\Documents and Settings\All Users\Application Data\iWin Games\drm\data folder moved successfully.
C:\Documents and Settings\All Users\Application Data\iWin Games\drm folder moved successfully.
C:\Documents and Settings\All Users\Application Data\iWin Games folder moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:766442E5 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9E3E060F deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:CAE2C3A5 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9A953997 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:60516BC3 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A724744F deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:70E897B5 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B4DCBA8B deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:814B9485 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:52067872 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9F50A55A deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3B3A35EC deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:622D0DED deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:4D066AD2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:E8BF029E deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D708EEF9 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:172EB9B5 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9AB338B9 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3E06C78F deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:6C13E971 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9C012695 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:61AF2B29 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A93CCA6B deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 9251924 bytes
->Temporary Internet Files folder emptied: 1795195 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 47112219 bytes
->Flash cache emptied: 589 bytes

User: All Users

User: Default User

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 663 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 56.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.10.0 log created on 08162010_234742

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec AntiVirus
Prevx 2.0 Agent
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Adobe Flash Player 10.0.22.87
Adobe Reader 8.1.4
Korean Fonts Support For Adobe Reader 8
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, August 17, 2010 06:00:23
Records in database: 4135703
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 77314
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:51:57


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D980000.VBN Infected: Trojan.Win32.FraudPack.atha 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0003.VBN Infected: Trojan.Win32.FraudPack.atha 1

Selected area has been scanned.
 
Sorry, having some trouble posting the other two logs. They are attached.
 

Attachments:
  • checkup.txt (1.1 KB)
  • 08162010_234742.log (15.7 KB)
All looks good, except for Security Check reporting Norton being outdated.
Any reason for it?

========================================================================

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=======================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. Run defrag at your convenience.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
Not sure why the security check reported my antivirus being outdated; I update it as often as I can. The Kaspersky scan found two Trojans, but they look like they're in quarantine, is that OK? My computer seems to be doing fine now, thanks so much for all your help!
 
Not sure why the security check reported my antivirus being outdated; I update it as often as I can
You should have it set to automatic updates (much more secure).
That's why Security Check said: On Access scanning disabled

they look like they're in quarantine, is that OK?
Perfectly fine...

Good job :)
Good luck and stay safe :)
 