B00kWyrm
Hello Bobbye, Broni, et al
A friend approached me for help with a computer that had been basically bricked by XP Security 2012. They are not "savvy" and feared not being able to follow directions. In order to help them regain some semblance of normal function, and gain access to the internet, I found Grinler's tutorial at Bleeping, and downloaded the tools to my own computer. I needed to run them in safe mode first, then reran them in Normal mode. This included RKILL and Kaspersky's TDSS Killer, as well as MBAM. The computer seems to be back to healthy, so I started proceeding with some updates (SP2 -> SP3, Java was out of date, Adobe not successfully updating, some automatic updates keep repeating, e.g. KB2416447, and some refuse to complete, e.g. Office 2003). Still, knowing that malware is not always this "simple", I thought I should get a health check from you, my trusted professionals in the field.
SO... here are the logs from my friend's computer...
=====
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-06 11:20:04
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y080L0 rev.YAR41BW0
Running: 7tegdzu6.exe; Driver: C:\DOCUME~1\BECKIP~1\LOCALS~1\Temp\kfliipod.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
=====
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Becki Price at 11:36:46 on 2012-01-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1189 [GMT -5:00]
.
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\CTHELPER.EXE
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files\aol toolbar\aoltb.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: hpBHO Class: {abd3b5e1-b268-407b-a150-2641dab8d898} - c:\program files\common files\homepage protection\HomepageProtection.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: MapQuest Toolbar Loader: {e34f0e11-ab79-487c-9773-36c594dff5aa} - c:\program files\mapquest toolbar\mqtb.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: MapQuest Toolbar: {57abf0dd-577c-4ec6-855c-8dc29768c2b0} - c:\program files\mapquest toolbar\mqtb.dll
TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [Uniblue SpeedUpMyPC] c:\program files\uniblue\speedupmypc 3\SpeedUpMyPC.exe -s
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [monitr32] c:\program files\canon\multipass4\monitr32.exe
mRun: [fxredir] c:\windows\system32\fxredir.exe
mRun: [MPTBox] c:\program files\canon\multipass4\MPTBox.exe
mRun: [GhostStartTrayApp] c:\program files\symantec\norton ghost 2003\GhostStartTrayApp.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HostManager] c:\program files\common files\aol\1283354042\ee\AOLSoftware.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: allstate.com
Trusted Zone: allstate.com\agencygateway
Trusted Zone: allstate.com\agencygateway1
Trusted Zone: allstate.com\agencygateway2
Trusted Zone: allstate.com\allianceweb
Trusted Zone: allstate.com\mymail
Trusted Zone: allstatehelp.com
Trusted Zone: custhelp.com
Trusted Zone: gotoassist.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: sumtotalsystems.com
Trusted Zone: turbotax.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
DPF: {0C4A9D28-66B5-4A70-B915-B6AEA5112472} - hxxp://wowjoy.net/js/ShortCut.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1A99AD04-C72C-484A-9EEE-1B29B1243263} - hxxp://down.ad-killer.net/adkiller/activex/ADKiller.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} - hxxp://cafeimg.hanmail.net/cab9_1/dmcc2.cab
DPF: {A00B2A53-60D9-4477-ADA3-60490770C5E0} - hxxp://wwl514.daum.net/hanmail-ax/hanmail.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {BDF9A7C7-F4DC-455D-B5C2-045D74788295} - hxxps://objects.aol.com/filebackup/AOLRegistrationWizard.cab
DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} - hxxp://allstate.sumtotalsystems.com/sumtotal/core/common/ScheduleServices/ScheduleServices.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://allstate.webex.com/client/T26L10NSP49EP12/webex/ieatgpc.cab
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-1-7 36000]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2003-12-17 5632]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-1-7 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-1-7 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-1-7 74640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-6 652872]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2005-5-7 34916]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-6 20464]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
.
=============== Created Last 30 ================
.
2012-01-08 01:00:34 -------- d-----w- c:\documents and settings\becki price\application data\Avira
2012-01-08 00:54:28 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-01-08 00:54:28 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-01-08 00:54:27 -------- d-----w- c:\program files\Avira
2012-01-08 00:54:27 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-01-07 21:44:27 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2012-01-07 21:44:27 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-01-07 21:43:49 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-01-07 21:43:00 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-01-07 21:41:07 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-01-07 21:41:06 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-01-07 21:36:29 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-01-07 21:32:34 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-01-07 21:32:23 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-01-07 18:32:02 8192 -c----w- c:\windows\system32\dllcache\asferror.dll
2012-01-07 18:32:01 695808 -c----w- c:\windows\system32\dllcache\drmv2clt.dll
2012-01-07 18:32:01 299520 -c----w- c:\windows\system32\dllcache\drmclien.dll
2012-01-07 18:32:01 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2012-01-07 18:29:54 144384 ------w- c:\windows\system32\drivers\hdaudbus.sys
2012-01-07 18:29:53 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2012-01-07 18:27:26 19569 ----a-w- c:\windows\006245_.tmp
2012-01-06 22:04:01 -------- d-----w- c:\documents and settings\becki price\application data\Malwarebytes
2012-01-06 21:01:03 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-06 21:00:59 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-06 21:00:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-03 05:52:25 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-01-03 05:52:20 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-01-03 05:52:14 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-03 05:52:00 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-12-30 22:31:32 -------- d-----w- c:\program files\8FA95
2011-12-30 22:30:48 -------- d-----w- c:\documents and settings\becki price\application data\4C68F
2011-12-30 22:30:41 -------- d-----w- c:\program files\LP
2011-12-30 22:30:21 -------- d-----w- c:\documents and settings\becki price\application data\wpHs7E8TqYwIrOA
2011-12-30 22:30:17 -------- d-----w- c:\documents and settings\becki price\application data\xwwjCCelIBtPyc
2011-12-30 22:30:14 -------- d-----w- c:\documents and settings\becki price\application data\cllIIBtzP
2011-12-30 22:29:58 -------- d-----w- c:\documents and settings\becki price\application data\fvDD2F4m5sJ7E8g
2011-12-30 22:29:24 -------- d-----w- c:\windows\system32\LogFiles
2011-12-29 19:33:57 -------- d-----w- c:\program files\GFI Software
2011-12-26 17:37:54 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2011-12-26 17:37:49 -------- d-----w- c:\program files\MozyHome
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-17 23:47:39 256 ----a-w- c:\windows\system32\pool.bin
2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 21:17:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 11:38:50.51 ===============