Solved Unable to receive Windows Updates or Visit AV sites

[jtoddhoward]

Good afternoon,

Im having some serious issues when I try to visit any sites related to microsoft, AV, spyware cleaners, etc...

I was able to d/l Malwarebytes by going to cnet and so far ive been able to keep it updated. Ive tried to visit several AV sites only to receive "Error Results" when trying to access the sites directly. I can d/l AVG via cnet but as soon as I start to install it tells me the file is corrupt.

Attached to the post are logs for Malwarebytes, Combofix & Hijackthis.

Please let me know if you have any suggestions.

Thanks.

 

[jtoddhoward]

Update.

By opening cmd prompt and typing "net stop dnscache" it allows me to receive updates and visit AV sites. Im going to go ahead and update windows.

 

[Broni]

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Our instructions clearly say, NOT to run Combofix on your own and NOT making any changes to your computer until it's declared clean.

 

[jtoddhoward]

My apologizes Broni.

Should I restart dnscache before doing the scans?

 

[Broni]

If you need to keep it disabled to download some tools, that's fine.
I was mostly referring to Windows updates, which you're about to try.
Leave them alone, for now.

 

[jtoddhoward]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4652

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/19/2010 7:41:00 PM
mbam-log-2010-09-19 (19-41-00).txt

Scan type: Quick scan
Objects scanned: 161458
Time elapsed: 11 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[jtoddhoward]

For some reason, I cant paste the contents of the other scans so ive attached them.

 

[Broni]

You have some Norton leftovers.
Please, run Norton Removal Tool: http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN


Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

 

[jtoddhoward]

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000001fd

Kernel Drivers (total 142):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7B84000 \WINDOWS\system32\KDCOM.DLL
0xF7A94000 \WINDOWS\system32\BOOTVID.dll
0xF7555000 ACPI.sys
0xF7B86000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7544000 pci.sys
0xF7684000 isapnp.sys
0xF7694000 MountMgr.sys
0xF7525000 ftdisk.sys
0xF7B88000 dmload.sys
0xF74FF000 dmio.sys
0xF7904000 PartMgr.sys
0xF76A4000 VolSnap.sys
0xF7448000 iastor.sys
0xF76B4000 disk.sys
0xF76C4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7428000 fltmgr.sys
0xF7416000 sr.sys
0xF7400000 DRVMCDB.SYS
0xF76D4000 PxHelp20.sys
0xF73E9000 KSecDD.sys
0xF735C000 Ntfs.sys
0xF732F000 NDIS.sys
0xF7315000 Mup.sys
0xF7884000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF687F000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF686B000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF799C000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6847000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF79A4000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF681F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF67EB000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xF67C8000 \SystemRoot\system32\DRIVERS\ks.sys
0xF66C9000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF6622000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF79AC000 \SystemRoot\System32\Drivers\Modem.SYS
0xF79B4000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7894000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7BE4000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF78A4000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF78B4000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6556000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xF7D76000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF78C4000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B4C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF653F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF78D4000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF78E4000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF79BC000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF652E000 \SystemRoot\system32\DRIVERS\psched.sys
0xF78F4000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF79C4000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF79CC000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF64FE000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF76F4000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79D4000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF79DC000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7BE6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF64A0000 \SystemRoot\system32\DRIVERS\update.sys
0xF7B68000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7B6C000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF55EB000 \SystemRoot\system32\drivers\btaudio.sys
0xF55C7000 \SystemRoot\system32\drivers\portcls.sys
0xF77C4000 \SystemRoot\system32\drivers\drmk.sys
0xF77D4000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7764000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7C32000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA896C000 \SystemRoot\system32\drivers\sthda.sys
0xF5673000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF5985000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7C48000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA8709000 \SystemRoot\System32\Drivers\Null.SYS
0xF7C4A000 \SystemRoot\System32\Drivers\Beep.SYS
0xF5663000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xF565B000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF5653000 \SystemRoot\System32\drivers\vga.sys
0xF7B8A000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B8C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF564B000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA8B32000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF5979000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8518000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA84BF000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA837C000 \SystemRoot\System32\Drivers\avgtdix.sys
0xA832D000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA8CE3000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA8131000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8105000 \SystemRoot\System32\drivers\afd.sys
0xA8C83000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA80DA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA806A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA802C000 \SystemRoot\System32\DRIVERS\klif.sys
0xA8612000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7B94000 \??\C:\WINDOWS\System32\Drivers\Elmou.sys
0xF7B96000 \??\C:\WINDOWS\System32\Drivers\Elmon.sys
0xF7B98000 \??\C:\WINDOWS\System32\Drivers\Elkbd.sys
0xAA1C0000 \??\C:\WINDOWS\System32\Drivers\Elhid.sys
0xA8B0A000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xA7D0B000 \SystemRoot\System32\Drivers\avgldx86.sys
0xA8159000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA84A1000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA7ECE000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA8495000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA8491000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA69E5000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9BC2E000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA8563000 \SystemRoot\System32\drivers\Dxapi.sys
0xF798C000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C9F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09B000 \SystemRoot\System32\atikvmag.dll
0xBF0DD000 \SystemRoot\System32\ati3duag.dll
0xBF37E000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0x9DC19000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xF7CA6000 \SystemRoot\System32\DLA\DLADResN.SYS
0x99C18000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xF7B74000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xA5FFB000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0x9C052000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0x99C00000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0x99BEA000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xA3389000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x99B95000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x99A37000 \SystemRoot\system32\DRIVERS\css-dvp.sys
0x99A13000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x99982000 \SystemRoot\System32\Drivers\HTTP.sys
0x9996D000 \SystemRoot\system32\drivers\wdmaud.sys
0xF58A3000 \SystemRoot\system32\drivers\sysaudio.sys
0x998D0000 \SystemRoot\system32\drivers\ctusfsyn.sys
0x998A0000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0x99852000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0x996C0000 \SystemRoot\system32\DRIVERS\srv.sys
0x997E2000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA8825000 \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
0x987F5000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0x982DE000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 68):
0 System Idle Process
4 System
484 C:\WINDOWS\system32\smss.exe
564 csrss.exe
592 C:\WINDOWS\system32\winlogon.exe
636 C:\WINDOWS\system32\services.exe
648 C:\WINDOWS\system32\lsass.exe
856 C:\WINDOWS\system32\ati2evxx.exe
872 C:\WINDOWS\system32\svchost.exe
956 svchost.exe
996 C:\WINDOWS\system32\svchost.exe
1024 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
1044 C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
1084 C:\Program Files\AVG\AVG9\avgchsvx.exe
1112 svchost.exe
1124 C:\Program Files\AVG\AVG9\avgrsx.exe
1204 svchost.exe
1292 C:\WINDOWS\system32\spoolsv.exe
1360 svchost.exe
1416 C:\WINDOWS\system32\netdde.exe
1464 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
1500 C:\Program Files\AVG\AVG9\avgwdsvc.exe
1524 C:\Program Files\Bonjour\mDNSResponder.exe
1532 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1544 C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
1556 C:\WINDOWS\system32\CTSVCCDA.EXE
1636 C:\Program Files\Common Files\Command Software\dvpapi.exe
1652 C:\WINDOWS\ehome\ehrecvr.exe
1720 C:\WINDOWS\ehome\ehSched.exe
1856 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
1984 C:\WINDOWS\explorer.exe
288 C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
476 C:\Program Files\Common Files\Motive\McciCMService.exe
900 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1392 C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
1792 C:\WINDOWS\system32\snmp.exe
1896 svchost.exe
1976 C:\WINDOWS\system32\svchost.exe
2140 mcrdsvc.exe
2728 C:\Program Files\AVG\AVG9\avgnsx.exe
3124 C:\WINDOWS\system32\dllhost.exe
3312 C:\WINDOWS\system32\wscntfy.exe
3324 alg.exe
3600 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
3612 C:\WINDOWS\stsystra.exe
3632 C:\Program Files\ATT-SST\McciTrayApp.exe
3640 C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
3656 C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
3692 C:\Program Files\BellSouthWCC\McciTrayApp.exe
3712 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
3736 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
3744 C:\WINDOWS\system32\dlcccoms.exe
3820 C:\Program Files\Hp\hpcoretech\hpcmpmgr.exe
3852 C:\PROGRA~1\AVG\AVG9\avgtray.exe
4024 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
4048 C:\Program Files\Digital Line Detect\DLG.exe
4064 C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
468 C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
1684 C:\Program Files\SetPoint\SetPoint.exe
1760 C:\Program Files\CASIO\YouTube Uploader for CASIO\YStart.exe
2276 C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
2368 C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
2252 C:\Program Files\Hp\Digital Imaging\bin\hpqgalry.exe
2840 C:\Program Files\Internet Explorer\iexplore.exe
2356 C:\Program Files\Internet Explorer\iexplore.exe
516 C:\WINDOWS\system32\svchost.exe
4616 C:\Program Files\Internet Explorer\iexplore.exe
4228 C:\Documents and Settings\Lisa Bevins\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200KS-75PFB0, Rev: 21.00M21

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: BF118E4CFC2D7C7489A85AC7AD11D2A979F74824


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

 

[Broni]

Your MBR seems to be infected...

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)

• Place a blank CD in your CD drive.
• Double click on NTBR_CD.exe file and a folder of the same name will appear.
• Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
• Follow the prompts to burn the CD.

• Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
• If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.

• Insert the newly created CD into your infected PC and reboot your computer.
• Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
• Read the warning and then continue as prompted.
• You first need to select your keyboard layout - press Enter for English.
• Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
• On the following screen enter 5 to select Install Standard MBR code.
• Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
• When asked to confirm please do so.
• Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
• Eject the disc and then press ctrl+alt+del to reboot the PC.

Once rebooted, run MBRCheck again and post its log.

 

[jtoddhoward]

BRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000001fd

Kernel Drivers (total 142):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7B84000 \WINDOWS\system32\KDCOM.DLL
0xF7A94000 \WINDOWS\system32\BOOTVID.dll
0xF7555000 ACPI.sys
0xF7B86000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7544000 pci.sys
0xF7684000 isapnp.sys
0xF7694000 MountMgr.sys
0xF7525000 ftdisk.sys
0xF7B88000 dmload.sys
0xF74FF000 dmio.sys
0xF7904000 PartMgr.sys
0xF76A4000 VolSnap.sys
0xF7448000 iastor.sys
0xF76B4000 disk.sys
0xF76C4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7428000 fltmgr.sys
0xF7416000 sr.sys
0xF7400000 DRVMCDB.SYS
0xF76D4000 PxHelp20.sys
0xF73E9000 KSecDD.sys
0xF735C000 Ntfs.sys
0xF732F000 NDIS.sys
0xF7315000 Mup.sys
0xF65F3000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF61C4000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF61B0000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6177000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xF7A0C000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6153000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7A14000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF612B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF60F7000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xF60D4000 \SystemRoot\system32\DRIVERS\ks.sys
0xF5FD5000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF5F2E000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7A1C000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7A24000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF65E3000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7BEC000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF65D3000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF65C3000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF5E62000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xF7CA4000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF65B3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6D70000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5E4B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF65A3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF6593000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7A2C000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5E3A000 \SystemRoot\system32\DRIVERS\psched.sys
0xF6583000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7A34000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7A3C000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF5E0A000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF6573000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A44000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A4C000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7BF6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5DAC000 \SystemRoot\system32\DRIVERS\update.sys
0xF7B60000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7B64000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF4EE0000 \SystemRoot\system32\drivers\btaudio.sys
0xF4EBC000 \SystemRoot\system32\drivers\portcls.sys
0xF77D4000 \SystemRoot\system32\drivers\drmk.sys
0xF77E4000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7724000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7C40000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA958F000 \SystemRoot\system32\drivers\sthda.sys
0xF7934000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF51D8000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7B94000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7CC5000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B96000 \SystemRoot\System32\Drivers\Beep.SYS
0xF794C000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xF7954000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7994000 \SystemRoot\System32\drivers\vga.sys
0xF7B98000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B9A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF4F76000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF4F6E000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF51CC000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA85FD000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA85A4000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA856A000 \SystemRoot\System32\Drivers\avgtdix.sys
0xA8544000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA952B000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA8377000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8355000 \SystemRoot\System32\drivers\afd.sys
0xA94FB000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA828A000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA821A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA81DC000 \SystemRoot\System32\DRIVERS\klif.sys
0xF7754000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7BBA000 \??\C:\WINDOWS\System32\Drivers\Elmou.sys
0xF7BBC000 \??\C:\WINDOWS\System32\Drivers\Elmon.sys
0xF7BBE000 \??\C:\WINDOWS\System32\Drivers\Elkbd.sys
0xF72DC000 \??\C:\WINDOWS\System32\Drivers\Elhid.sys
0xF4F3E000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xA7C19000 \SystemRoot\System32\Drivers\avgldx86.sys
0xA88DE000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA8654000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA82F5000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA864C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA8648000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7894000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9BFB3000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xF72D4000 \SystemRoot\System32\drivers\Dxapi.sys
0x9C092000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7D35000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09B000 \SystemRoot\System32\atikvmag.dll
0xBF0DD000 \SystemRoot\System32\ati3duag.dll
0xBF37E000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA6D73000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xF7D2D000 \SystemRoot\System32\DLA\DLADResN.SYS
0x99F9D000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xA863C000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xA7F8E000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xA7B9F000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0x99F85000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0x99F6F000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xF7B78000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x99E6A000 \SystemRoot\system32\drivers\wdmaud.sys
0xF78A4000 \SystemRoot\system32\drivers\sysaudio.sys
0x99E1C000 \SystemRoot\system32\drivers\kmixer.sys
0x99DF5000 \SystemRoot\system32\drivers\ctusfsyn.sys
0x99DC5000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0x99D9F000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0x99C01000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x99ACB000 \SystemRoot\system32\DRIVERS\css-dvp.sys
0x99AA7000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x998FE000 \SystemRoot\System32\Drivers\HTTP.sys
0x997BC000 \SystemRoot\system32\DRIVERS\srv.sys
0x99520000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0x9CE74000 \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 65):
0 System Idle Process
4 System
688 C:\WINDOWS\system32\smss.exe
768 csrss.exe
796 C:\WINDOWS\system32\winlogon.exe
840 C:\WINDOWS\system32\services.exe
852 C:\WINDOWS\system32\lsass.exe
1068 C:\WINDOWS\system32\ati2evxx.exe
1084 C:\WINDOWS\system32\svchost.exe
1168 svchost.exe
1264 C:\WINDOWS\system32\svchost.exe
1288 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
1312 C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
1340 C:\Program Files\AVG\AVG9\avgchsvx.exe
1348 C:\Program Files\AVG\AVG9\avgrsx.exe
1584 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1604 svchost.exe
1684 svchost.exe
1928 C:\WINDOWS\system32\spoolsv.exe
452 C:\WINDOWS\explorer.exe
560 svchost.exe
672 C:\WINDOWS\system32\netdde.exe
876 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
172 C:\Program Files\AVG\AVG9\avgwdsvc.exe
988 C:\Program Files\Bonjour\mDNSResponder.exe
1128 C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
1204 C:\WINDOWS\system32\CTSVCCDA.EXE
1248 C:\Program Files\Common Files\Command Software\dvpapi.exe
1436 C:\WINDOWS\ehome\ehrecvr.exe
1620 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
1656 C:\WINDOWS\stsystra.exe
1896 C:\WINDOWS\ehome\ehSched.exe
1976 C:\Program Files\ATT-SST\McciTrayApp.exe
2004 C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
2088 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
2104 C:\Program Files\BellSouthWCC\McciTrayApp.exe
2140 C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
2184 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
2216 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
2252 C:\Program Files\Hp\hpcoretech\hpcmpmgr.exe
2336 C:\Program Files\Common Files\Motive\McciCMService.exe
2356 C:\Program Files\AVG\AVG9\avgtray.exe
2472 C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
2504 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
2552 C:\Program Files\Digital Line Detect\DLG.exe
2600 C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
2712 C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
2724 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2804 C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
2828 C:\Program Files\SetPoint\SetPoint.exe
2884 C:\Program Files\CASIO\YouTube Uploader for CASIO\YStart.exe
3040 C:\WINDOWS\system32\snmp.exe
3048 C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
3132 C:\Program Files\AVG\AVG9\avgnsx.exe
3140 svchost.exe
3236 C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
3416 C:\WINDOWS\system32\svchost.exe
3800 mcrdsvc.exe
2648 C:\Program Files\Hp\Digital Imaging\bin\hpqgalry.exe
3536 C:\WINDOWS\system32\dllhost.exe
2408 C:\WINDOWS\system32\dlcccoms.exe
1548 C:\WINDOWS\system32\wscntfy.exe
2364 alg.exe
4228 C:\WINDOWS\system32\svchost.exe
4632 C:\Documents and Settings\Lisa Bevins\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200KS-75PFB0, Rev: 21.00M21

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

 

[Broni]

Looks good

Navigate to C:\Qoobox and post ComboFix2.txt

Also, re-run Combofix and post new log.

 

[jtoddhoward]

ComboFix 10-09-17.04 - Lisa Bevins 09/19/2010 14:03:36.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.500 [GMT -4:00]
Running from: c:\documents and settings\Lisa Bevins\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
.

2010-09-17 19:00 . 2010-09-17 19:06 -------- d-----w- C:\Fix
2010-09-17 18:22 . 2010-09-17 18:22 -------- d-----w- c:\program files\Trend Micro
2010-09-17 18:13 . 2010-09-17 19:11 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-09-17 18:11 . 2010-09-17 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-09-17 18:11 . 2010-09-17 18:11 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-17 17:46 . 2010-09-17 17:46 -------- d-----w- c:\documents and settings\Lisa Bevins\Local Settings\Application Data\Mozilla
2010-09-15 22:27 . 2010-09-15 21:42 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-09-15 21:37 . 2010-09-17 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-15 15:11 . 2010-09-15 15:11 -------- d-----w- c:\windows\system32\vmm32
2010-09-15 01:31 . 2010-09-15 01:31 -------- d-----w- c:\windows\wt
2010-09-14 22:46 . 2010-09-14 22:46 -------- d-----w- c:\documents and settings\Lisa Bevins\Application Data\Malwarebytes
2010-09-14 22:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-14 22:46 . 2010-09-14 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-14 22:46 . 2010-09-14 22:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 22:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-14 21:43 . 2010-09-14 21:44 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Staging\wtf\start.exe
2010-09-14 21:41 . 2010-09-14 21:41 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.2.30.1.dll
2010-09-14 21:04 . 2010-09-14 21:04 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-14 21:03 . 2010-09-14 21:03 -------- d-----w- c:\windows\IIS Temporary Compressed Files
2010-09-14 21:03 . 2010-09-14 21:03 -------- d-----w- c:\windows\system32\Logfiles
2010-09-14 21:02 . 2010-09-14 21:02 -------- d-----w- c:\program files\Hewlett-Packard
2010-09-14 21:01 . 2010-09-14 21:01 -------- d-----w- c:\program files\Common Files\xing shared
2010-09-11 16:00 . 2010-09-11 16:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-09-10 23:34 . 2010-09-15 02:45 -------- d-----w- c:\program files\Optimizer Tool
2010-09-10 03:17 . 2010-09-10 03:17 -------- d-----w- c:\documents and settings\Lisa Bevins\Application Data\ParetoLogic
2010-09-10 03:17 . 2010-09-10 03:17 -------- d-----w- c:\documents and settings\Lisa Bevins\Application Data\DriverCure
2010-08-31 14:53 . 2010-08-31 14:53 -------- d-----w- c:\program files\Common Files\HP
2010-08-31 14:52 . 2010-08-31 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-08-31 14:52 . 2010-08-31 14:52 45056 ----a-r- c:\documents and settings\Lisa Bevins\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2010-08-31 03:11 . 2010-08-31 15:04 104200 ----a-w- c:\windows\hpoins04.dat
2010-08-31 03:11 . 2004-06-22 15:04 17176 ------w- c:\windows\hpomdl04.dat
2010-08-31 03:11 . 2004-06-22 15:05 90112 ----a-w- c:\windows\system32\hpovst08.dll
2010-08-31 03:11 . 2004-06-22 15:05 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-08-31 03:10 . 2004-06-22 15:05 180315 ----a-w- c:\windows\system32\hpzsnt10.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-19 18:08 . 2010-01-13 01:35 38436640 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-09-19 18:02 . 2009-09-14 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2010-09-19 17:55 . 2009-04-11 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-09-19 17:55 . 2009-04-11 19:22 484 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-09-19 16:25 . 2010-01-13 01:35 524576 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-09-19 16:25 . 2010-01-13 01:35 514172 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-09-19 16:25 . 2010-01-13 01:35 27284 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-09-17 19:17 . 2006-10-24 07:15 -------- d-----w- c:\program files\Dell
2010-09-17 18:42 . 2010-09-17 18:42 200 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-09-17 18:32 . 2010-09-17 18:31 1016 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-15 02:41 . 2010-04-11 15:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-15 02:41 . 2010-04-11 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-14 21:05 . 2009-03-13 01:36 -------- d-----w- c:\program files\Common Files\Motive
2010-09-14 21:03 . 2010-01-12 23:02 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-09-14 21:03 . 2010-01-12 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-09-14 21:03 . 2009-06-04 12:59 -------- d-----w- c:\program files\ATT-SST
2010-09-14 21:02 . 2006-10-24 07:19 -------- d-----w- c:\program files\Common Files\Real
2010-09-14 21:01 . 2010-06-23 21:19 -------- d-----w- c:\program files\real
2010-09-14 21:01 . 2006-10-24 07:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-13 21:47 . 2009-04-11 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-09-13 21:45 . 2009-09-15 16:59 -------- d-----w- c:\program files\Dl_cats
2010-09-12 01:40 . 2009-03-20 13:36 -------- d-----w- c:\documents and settings\Lisa Bevins\Application Data\Motive
2010-09-10 21:36 . 2010-09-19 02:58 293610 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-08-31 14:52 . 2009-03-13 17:23 -------- d-----w- c:\program files\Hp
2010-08-27 22:46 . 2010-03-13 15:49 -------- d-----w- c:\documents and settings\Lisa Bevins\Application Data\Temp
2010-07-30 19:21 . 2010-07-30 19:21 251 ----a-w- c:\program files\wt3d.ini
2010-06-23 21:20 . 2010-06-23 21:20 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-23 21:20 . 2010-06-23 21:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-23 21:20 . 2010-06-23 21:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-23 21:20 . 2010-06-23 21:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-23 21:20 . 2010-06-23 21:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-23 21:20 . 2010-06-23 21:20 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-23 21:20 . 2010-06-23 21:20 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-06-23 21:20 . 2010-06-23 21:20 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-23 21:20 . 2010-06-23 21:20 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-06-23 21:19 . 2006-07-11 23:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-06 01:53 . 2009-03-26 15:30 88 -csh--r- c:\windows\system32\870834A103.sys
2009-03-21 14:06 . 2005-08-16 09:18 168989 --sha-r- c:\windows\system32\fndfj(2).dll
2009-03-21 14:06 . 2005-08-16 09:18 168989 --sha-r- c:\windows\system32\fndfj(3).dll
2009-03-21 14:06 . 2005-08-16 09:18 168989 --sha-r- c:\windows\system32\fndfj(4).dll
2009-03-21 14:06 . 2005-08-16 09:18 168989 --sha-r- c:\windows\system32\fndfj.dll
2010-04-06 01:53 . 2009-03-26 15:30 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-09-17_19.03.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-19 17:55 . 2010-09-19 17:55 16384 c:\windows\temp\Perflib_Perfdata_9ac.dat
+ 2005-08-16 09:18 . 2010-09-17 19:08 94600 c:\windows\system32\perfc009.dat
+ 2005-08-16 09:18 . 2010-09-17 19:08 511626 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 28160]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112]
"BellSouthWCC_McciTrayApp"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2009-11-18 1577984]
"ATT_WCC"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2009-11-18 1577984]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Lisa Bevins\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-21 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-6-12 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-24 24576]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2006-10-24 532480]
YouTube Uploader for CASIO.lnk - c:\program files\CASIO\YouTube Uploader for CASIO\YStart.exe [2008-12-9 79808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2006-04-27 15:30 53248 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9925:TCP"= 9925:TCPfmhpzib
"9322:TCP"= 9322:TCP:EKDiscovery

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [8/5/2009 1:49 PM 284016]
S2 aaxks;Shell Installer;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 jvrxz;Boot Manager;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 phsyhxf;Boot Support;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 ueyjfphy;Support Installer;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 uffshlud;Security Universal;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 xzdhtcb;Monitor Network;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 yopajzse;Shell Boot;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S3 curhdyq;curhdyq;\??\c:\windows\system32\0D.tmp --> c:\windows\system32\0D.tmp [?]
S3 tbqzw;tbqzw;\??\c:\windows\system32\0A.tmp --> c:\windows\system32\0A.tmp [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jvrxz
xzdhtcb
phsyhxf
ueyjfphy
uffshlud
aaxks
yopajzse
.
Contents of the 'Scheduled Tasks' folder

2010-09-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-586396946-4029955019-800561833-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-09-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-586396946-4029955019-800561833-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: motive.com\patttbc.att
Trusted Zone: musicmatch.com\online
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\curhdyq]
"ImagePath"="\??\c:\windows\system32\0D.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tbqzw]
"ImagePath"="\??\c:\windows\system32\0A.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aaxks]
"ServiceDll"="c:\windows\system32\fndfj.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvrxz]
"ServiceDll"="c:\windows\system32\fndfj.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\phsyhxf]
"ServiceDll"="c:\windows\system32\fndfj.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ueyjfphy]
"ServiceDll"="c:\windows\system32\fndfj.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\uffshlud]
"ServiceDll"="c:\windows\system32\fndfj.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xzdhtcb]
"ServiceDll"="c:\windows\system32\fndfj.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\yopajzse]
"ServiceDll"="c:\windows\system32\fndfj.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2384)
c:\program files\Common Files\Motive\McciContextHook_DSR.dll
c:\program files\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-09-19 14:09:59
ComboFix-quarantined-files.txt 2010-09-19 18:09
ComboFix2.txt 2010-09-17 19:06

Pre-Run: 269,564,416,000 bytes free
Post-Run: 269,550,792,704 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 3944965808D5D7F20B3353D5D737BB3C

 

[jtoddhoward]

new combofix log

The previous post was Combofix2.txt and this one is the new log.

 

[Broni]

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\870834A103.sys
c:\windows\system32\drivers\srwacimx.sys
c:\windows\system32\0D.tmp
c:\windows\system32\0A.tmp


Folder::
c:\documents and settings\All Users\Application Data\STOPzilla!


Driver::
srwacimx
aaxks
jvrxz
phsyhxf
ueyjfphy
uffshlud
xzdhtcb
yopajzse
curhdyq
tbqzw


Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\curhdyq]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tbqzw]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aaxks]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvrxz]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\phsyhxf]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ueyjfphy]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\uffshlud]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xzdhtcb]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\yopajzse]

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[jtoddhoward]

combofix.txt

file is attached

 

[Broni]

It looks much better

How is computer doing?

Update and re-run MBAM. Post new log.

Download OTL to your Desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[jtoddhoward]

Computing seems to be returning to normal. Will post the OTL logs in a few.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4660

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/20/2010 6:21:30 PM
mbam-log-2010-09-20 (18-21-30).txt

Scan type: Quick scan
Objects scanned: 164431
Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[jtoddhoward]

Otl logs attached

 

[Broni]

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.

========================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
  O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} http://support.att.net/sdccommon/download/tgctlcm.cab (Reg Error: Key error.)
  O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Reg Error: Key error.)
  O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
  O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab (Reg Error: Key error.)
  [2006/10/24 03:19:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

======================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

2. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Go to Kaspersky website and perform an online antivirus scan.

• Disable your active antivirus program.
• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

 

[jtoddhoward]

OTL log and Security Check log attached. Im 1 1/2 hours into the kaspersky scan. Will post when finished.

 

[Broni]

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
On this page:

make sure, you have both boxes UN-checked AND (important!) click on Decline button

 

[jtoddhoward]

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 20, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 20, 2010 19:08:13
Records in database: 4230659
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 98754
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:02:08


File name / Threat / Threats count
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP139\A0132792.DLL Infected: Packed.Win32.Krap.hc 1

Selected area has been scanned.

 

[Broni]

The above will be cleaned through our last step...


Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please, let me know, how is your computer doing.

 

[jtoddhoward]

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56504 bytes

User: Lisa Bevins
->Temp folder emptied: 108668272 bytes
->Temporary Internet Files folder emptied: 6966620 bytes
->Java cache emptied: 143767 bytes
->Flash cache emptied: 456 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Roger Bevins
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 111.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Lisa Bevins
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: Roger Bevins

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.14.0 log created on 09202010_221258

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Lisa Bevins\Local Settings\Temp\hsperfdata_Lisa Bevins\4580 not found!
File\Folder C:\Documents and Settings\Lisa Bevins\Local Settings\Temp\hsperfdata_Lisa Bevins\5156 not found!
File\Folder C:\Documents and Settings\Lisa Bevins\Local Settings\Temp\Perflib_Perfdata_b48.dat not found!
C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\S5L66FE2\ads[5].htm moved successfully.
C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\S5L66FE2\ads[7].htm moved successfully.
C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\S5L66FE2\topic153552-2[1].html moved successfully.
C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\91OLE3Z0\pngbehavior[1].htc moved successfully.
C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\2F4Y83DJ\info[1].htm moved successfully.
C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\Content.IE5\2F4Y83DJ\sh23[1].html moved successfully.
C:\Documents and Settings\Lisa Bevins\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...