Inactive Virus removal help needed


kerry123

Late last week we had a virus on our computer. I forget the name, but it was one that ran a scan that recommended you buy the software to fix all the problems. After looking online for help, I removed it through Add/Remove programs (I know that didn't take care of it). I wasn't able to follow other directions that I found online by starting the computer in safe mode, as trying to start the computer in safe mode took me to a blue screen. I tried to download Malwarebytes antivirus, but keep getting an "access is denied" message (still getting that today).

I downloaded a program (I think Anvisoft) and ran a scan with that.

I would like to follow the 5 step removal process, but cannot even get Malwarebytes to download. And I think another virus has crept on; today my internet keeps shutting down, about 20 system error messages popped up on my screen, and another scan program "SMART Check" tried to run.

Also, links through Google are redirecting to ad sites.

There is also a hard disk failure message and device initialization failure message on my screen now. Why do people do this? I appreciate any help - thank you.
 
Welcome to TechSpot! It sounds like you have a lot going on! One of them is a rogue program that will give you messages telling you that you have critical system failures, that you have problems that need to be fixed and you need their program to fix them!!! You need to ignore those messages; don't click on them because each time you do, it may launch the malware again.

The most serious mention you make is the possibility of hard drive failure. This may only be one of the fake messages created by the rogue malware. But there is a chance that the hard drive may really be going. It is important that you do NOT act at this time on any of these messages. I do not know enough now to suggest either.

Please do not panic and start trying to run programs from someone else's instructions or from the internet. When I learn what you can and can't do on the system, I will be better able to guide you.


But I cannot help you until I get more specific information.

1. Do you have an internet connection?
2. Can you boot into normal Mode?
3. Can you Boot into Safe Mode with Networking?
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
4. At what point do you get "access denied?" Does this happen when you try to open a program? Or does it happen when you try to run a program such as a scan?
5. What operating system are you using?
6. Are you the Administrator? Are you logging on using the Administrative account?
7. Do you have a flash drive? Do you have another computer that is clean that you can download programs to?

This is information gathering only right now. I can't direct you until I know what is available for you to do.
===============================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
 
1. Yes, I have an internet connection
2. I can boot into normal mode
3. I cannot boot into safe mode with networking; this is where a blue screen will pop up with the following codes: STOP 0x00000078 (0xXF789E524, 0xC0000034, 0x00000000, 0x00000000)
4. I get "access is denied" when trying to download the malwarebytes antivirus; while it's trying to install, it will stop and give that error message each time. That's the only time I've seen that message that I recall.
5. Windows XP operating system
6. It's our personal computer, and there aren't separate users or accounts (is that what you need to know, am I understanding the question correctly?)
7. Yes, I have a flash drive and a laptop that is clean I can use and download programs to

Thank you so much! Another note - we had a McAfee subscription that has expired; it keeps popping up that it's expired, and now a message just popped up that McAfee removed a trojan from our computer; would it do that with an expired subscription?
 
Letting you know that somehow some unauthorized users are posting on this thread. Only Broni and I can help in this forum. Please ignore and do not follow anyone's instructions but mine. Also, do not click on the site links they are leaving. They are bad sites. I'm removing as fast as I see them, but am warning you in case you see one of the posts before I've deleted it.
=================================================
If you can get into Normal Mode, then you can work from there. It's usually the other way around, but we'll check that out later.
================================================
STOP 0x00000078 can have several causes, but the most frequent have to do with the boot function. So I am going to start out a bit differently.
================================================
The first thing you need to do is get a current, functioning, updating antivirus program on the system. So either update the McAfee subscription or download and install one of the following; they are all free and fully functioning:
Temporary AV: Use one:
Microsoft Security Essentials
Comodo AV
Avast! Free Antivirus
Please reboot the computer after you have handled the AV.
=============================
Bootkit Remover:

Download Bootkit Remover.zip and save to your desktop.
  1. Extract the remover.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
  2. Double-click on the remover.exe file to run the program.
    (Vista/7 users, right click on remover.exe and click Run As Administrator.)
  3. You will see a black screen with data
  4. Right click on the screen and click Select All.
  5. Press CTRL+C
  6. Open a Notepad and press CTRL+V
  7. Paste the output in your next reply.
=====================================
Results should be one of the following:
  • OK (DOS/Win32 Boot code found)
    - MBR boot code is clean.
  • Unknown boot code
    - MBR boot code is modified. This practically corresponds to either
    an active bootkit infection, or a custom boot manager installed (such
    as GRUB).
  • Controlled by rootkit!
    - a bootkit with self-hiding capabilities is detected.
=========================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HERE and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated and opened in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
===================================================
I'd like to see these 2 logs first, then I may have you go back to do the preliminary scans.
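Added example (not part of the thread, and not Bootkit Remover's own code): the OK / Unknown verdicts listed above come down to comparing the boot-code region of the disk's first sector against known-good code, while ignoring the disk signature and partition table, which change for legitimate reasons. The Python below performs that comparison on constructed 512-byte images; the reference boot code and the known-good digest set are stand-ins (a real check would record the digest of the stock MBR code from a clean install of the same Windows version), and the "Controlled by rootkit!" verdict, which requires comparing a raw disk read against what the running OS reports, is not modelled.

```python
"""Boot-code integrity check in the spirit of the Bootkit Remover verdicts above.
Added example; not Bootkit Remover's code. The reference boot code and the
known-good digest set are constructed stand-ins."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 0x1B8    # bytes 0x000-0x1B7 hold the boot code a bootkit would overwrite
DISK_SIG_OFF = 0x1B8     # bytes 0x1B8-0x1BB: NT disk signature (changes legitimately)
PART_TABLE_OFF = 0x1BE   # bytes 0x1BE-0x1FD: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 0x1FE-0x1FF: mandatory MBR signature

OK = "OK (boot code matches a known-good image)"
UNKNOWN = "Unknown boot code"
INVALID = "Invalid MBR (missing 0x55AA signature)"


def boot_code_digest(mbr: bytes) -> str:
    """Hash only the boot-code region, so a new disk signature or a repartition
    does not masquerade as a modified MBR."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Decode the non-empty partition entries: status byte, type, start LBA, length."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def classify_mbr(mbr: bytes, known_good: set) -> str:
    """Return OK, UNKNOWN or INVALID for a 512-byte sector image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR image is exactly 512 bytes")
    if mbr[MBR_SIZE - 2:] != BOOT_SIG:
        return INVALID
    return OK if boot_code_digest(mbr) in known_good else UNKNOWN


def build_mbr(boot_code: bytes, disk_sig: bytes, partitions: list) -> bytes:
    """Assemble a sector from its parts; used here only to construct sample images."""
    assert len(boot_code) <= BOOT_CODE_LEN and len(disk_sig) == 4
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = disk_sig
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[MBR_SIZE - 2:] = BOOT_SIG
    return bytes(sector)


# Constructed stand-in for the vendor's stock boot code. A real deployment records the
# digest of the MBR code taken from a known-clean install of the same Windows version.
REFERENCE_BOOT_CODE = bytes(range(256)) + b"\x90" * (BOOT_CODE_LEN - 256)
KNOWN_GOOD = {hashlib.sha256(REFERENCE_BOOT_CODE).hexdigest()}

# Constructed sample images, each with one NTFS (type 0x07) system partition.
CLEAN_MBR = build_mbr(REFERENCE_BOOT_CODE, b"\x12\x34\x56\x78", [(True, 0x07, 63, 480_000_000)])
# Same code, new disk signature and a re-aligned partition: a benign change, still OK.
RESIGNED_MBR = build_mbr(REFERENCE_BOOT_CODE, b"\xde\xad\xbe\xef", [(True, 0x07, 2048, 480_000_000)])
# Four bytes of boot code altered: what a bootkit or a third-party boot manager looks like.
PATCHED_MBR = CLEAN_MBR[:0x10] + b"\xff" * 4 + CLEAN_MBR[0x14:]


def report(mbr: bytes, known_good: set = KNOWN_GOOD) -> dict:
    """Verdict plus the evidence a responder would want alongside it."""
    return {"verdict": classify_mbr(mbr, known_good),
            "boot_code_sha256": boot_code_digest(mbr),
            "partitions": parse_partitions(mbr)}


if __name__ == "__main__":
    for name, image in [("clean", CLEAN_MBR), ("resigned", RESIGNED_MBR), ("patched", PATCHED_MBR)]:
        r = report(image)
        print(f"{name:9s} {r['verdict']}  partitions={r['partitions']}")
```

The point of hashing only the first 0x1B8 bytes is that tools which re-sign or repartition a disk change the sector without touching the code; comparing the whole sector would make every such disk look "modified", and a responder would soon stop trusting the alert.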
 
I did ignore those other posts, thanks for confirming to ignore them.

I was able to download microsoft security essentials and run a scan; but now I cannot connect to the internet to continue with the bootkit remover. I have rebooted a few times. Using a wireless router, the laptop works fine, I don't believe it's my connection.
 
Okay, right now I don't have any information about what's running on your system. So let's start at the beginning instead of the middle!

What happens when you try to connect to the internet? Message? Error? What?

If you cannot determine why and don't have access, you can download the following to a flash drive from a clean computer. Then connect to the problem computer and run the scans:

Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
 
When I try to connect, I get the error that Internet Explorer cannot display the webpage. Thanks for the continued help. Malwarebytes and GMER logs are here; I'll insert the DDS logs in the next post

Malwarebytes Log
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.04.04.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: FRED [administrator]
Protection: Enabled
5/8/2012 11:31:05 AM
mbam-log-2012-05-08 (11-31-05).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 251123
Time elapsed: 16 minute(s), 23 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 1
C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.
Files Detected: 2
C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
(end)

GMER Log
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-05-08 12:09:25
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250310AS rev.3.ADA
Running: 1ste46ev.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pxtdypob.sys

---- System - GMER 1.0.15 ----
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE1484]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE1498]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
---- EOF - GMER 1.0.15 ----

I'm posting the DDS logs in the next post
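Added example, not Malwarebytes' code or the poster's: a small Python triage parser for the MBAM 1.x log format shown above. It pulls out each detection's category, the Bad/Good registry values, and whether the action succeeded, and checks the declared section counts against the lines actually present (a truncated paste is a common reason a log looks cleaner than it is). The sample input repeats the detection lines from the log above plus one constructed entry, marked in the code, for an item that was not cleaned.

```python
"""Triage parser for a Malwarebytes Anti-Malware 1.x log of the kind posted above.
Added example; not Malwarebytes' code. SAMPLE_LOG repeats the detection lines from
the posted log plus one constructed line (marked) for an item that was not cleaned."""
import re
from collections import Counter

# "Files Detected" is declared as 3 rather than the posted 2 to cover the constructed line.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
Database version: v2012.04.04.08
Scan type: Quick scan
Objects scanned: 251123
Memory Processes Detected: 0
(No malicious items detected)
Registry Data Items Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 1
C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.
Files Detected: 3
C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\CONSTRUCTED\example.dll (Trojan.Agent) -> No action taken.
(end)
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+) Detected: (?P<declared>\d+)$")
# "<object> (<category>) -> [Bad: (x) Good: (y) -> ]<action>."  The Bad/Good pair
# appears only for registry data items.
ITEM_RE = re.compile(
    r"^(?P<object>.+?) \((?P<category>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)


def parse_mbam_log(text: str) -> dict:
    """Return header fields, declared per-section counts and one dict per detection."""
    header, declared, items, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("kind")
            declared[section] = int(m.group("declared"))
            continue
        m = ITEM_RE.match(line)
        if m and section:
            item = m.groupdict()
            item["section"] = section
            item["remediated"] = item["action"].endswith("successfully")
            items.append(item)
    return {"header": header, "declared": declared, "items": items}


def summarize(parsed: dict) -> dict:
    """The questions a helper asks of a log: what was found, did it get cleaned,
    and is the paste complete."""
    items = parsed["items"]
    found = Counter(i["section"] for i in items)
    return {
        "by_category": Counter(i["category"] for i in items),
        "by_section": dict(found),
        # A declared count with fewer lines than expected points at a truncated paste.
        "count_mismatch": {k: (v, found.get(k, 0)) for k, v in parsed["declared"].items()
                           if v != found.get(k, 0)},
        # Anything whose action did not end in "successfully" still needs follow-up.
        "unresolved": [i["object"] for i in items if not i["remediated"]],
        # Registry values the rogue flipped (value name, bad, good): these UI-hiding
        # settings are what makes the desktop and Start Menu items "disappear".
        "hijacked_values": [(i["object"].rsplit("|", 1)[-1], i["bad"], i["good"])
                            for i in items if i["bad"] is not None],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Reading the summary against the posted log: every PUM entry is a registry value restored from the rogue's "hide it" setting back to the default, the Trojan.FakeAV items are the rogue's Start Menu shortcuts, and nothing in the posted log was left uncleaned; only the constructed entry lands in the unresolved list.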
 
Attach Log
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 2/8/2008 11:09:30 PM
System Uptime: 5/8/2012 11:23:32 AM (1 hours ago)
.
Motherboard: Dell Inc. | | 0RY007
Processor: Intel(R) Pentium(R) Dual CPU E2140 @ 1.60GHz | Socket 775 | 1595/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 229 GiB total, 97.499 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C4700 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4700 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: HP LaserJet 4000 Series
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: Hewlett-Packard
Name: HP LaserJet 4000 Series
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:
.
==== System Restore Points ===================
.
RP1434: 2/9/2012 3:29:55 AM - System Checkpoint
RP1435: 2/10/2012 4:29:55 AM - System Checkpoint
RP1436: 2/11/2012 4:30:18 AM - System Checkpoint
RP1437: 2/12/2012 5:30:18 AM - System Checkpoint
RP1438: 2/13/2012 6:30:18 AM - System Checkpoint
RP1439: 2/14/2012 7:49:03 AM - System Checkpoint
RP1440: 2/15/2012 7:57:37 AM - System Checkpoint
RP1441: 2/16/2012 8:44:02 AM - System Checkpoint
RP1442: 2/17/2012 9:30:19 AM - System Checkpoint
RP1443: 2/18/2012 9:31:29 AM - System Checkpoint
RP1444: 2/19/2012 10:30:23 AM - System Checkpoint
RP1445: 2/20/2012 11:00:19 AM - System Checkpoint
RP1446: 2/20/2012 2:01:38 PM - Install LG UNITED Drivers
RP1447: 2/21/2012 2:22:49 PM - System Checkpoint
RP1448: 2/22/2012 2:45:00 PM - System Checkpoint
RP1449: 2/23/2012 3:24:31 PM - System Checkpoint
RP1450: 2/24/2012 4:21:58 PM - System Checkpoint
RP1451: 2/25/2012 5:43:01 PM - System Checkpoint
RP1452: 2/26/2012 6:50:20 PM - System Checkpoint
RP1453: 2/27/2012 7:47:06 PM - System Checkpoint
RP1454: 2/28/2012 10:18:27 PM - System Checkpoint
RP1455: 2/29/2012 10:21:54 PM - System Checkpoint
RP1456: 3/1/2012 11:21:57 PM - System Checkpoint
RP1457: 3/4/2012 3:48:15 PM - System Checkpoint
RP1458: 3/5/2012 4:15:24 PM - System Checkpoint
RP1459: 3/6/2012 5:50:33 PM - System Checkpoint
RP1460: 3/7/2012 7:13:55 PM - System Checkpoint
RP1461: 3/8/2012 9:40:04 PM - System Checkpoint
RP1462: 3/9/2012 10:14:20 PM - System Checkpoint
RP1463: 3/11/2012 12:21:57 AM - System Checkpoint
RP1464: 3/12/2012 1:14:42 AM - System Checkpoint
RP1465: 3/13/2012 2:14:44 AM - System Checkpoint
RP1466: 3/14/2012 3:14:45 AM - System Checkpoint
RP1467: 3/15/2012 4:14:44 AM - System Checkpoint
RP1468: 3/16/2012 5:29:39 AM - System Checkpoint
RP1469: 3/17/2012 6:15:49 AM - System Checkpoint
RP1470: 3/18/2012 7:14:44 AM - System Checkpoint
RP1471: 3/19/2012 7:29:16 AM - System Checkpoint
RP1472: 3/20/2012 9:23:15 AM - System Checkpoint
RP1473: 3/21/2012 9:40:04 AM - System Checkpoint
RP1474: 3/22/2012 10:16:08 AM - System Checkpoint
RP1475: 3/23/2012 1:05:20 PM - System Checkpoint
RP1476: 3/24/2012 1:15:02 PM - System Checkpoint
RP1477: 3/25/2012 2:15:03 PM - System Checkpoint
RP1478: 3/26/2012 2:38:02 PM - System Checkpoint
RP1479: 3/27/2012 3:29:56 PM - System Checkpoint
RP1480: 3/28/2012 5:18:24 PM - System Checkpoint
RP1481: 3/29/2012 6:03:00 PM - System Checkpoint
RP1482: 3/30/2012 10:25:59 PM - System Checkpoint
RP1483: 3/31/2012 11:05:25 PM - System Checkpoint
RP1484: 4/1/2012 11:15:24 PM - System Checkpoint
RP1485: 4/3/2012 12:04:49 AM - System Checkpoint
RP1486: 4/4/2012 12:16:49 AM - System Checkpoint
RP1487: 4/5/2012 12:30:19 AM - System Checkpoint
RP1488: 4/6/2012 1:04:50 AM - System Checkpoint
RP1489: 4/6/2012 12:51:46 PM - Software Distribution Service 3.0
RP1490: 4/8/2012 10:13:39 PM - System Checkpoint
RP1491: 4/9/2012 10:53:46 PM - System Checkpoint
RP1492: 4/10/2012 11:33:02 PM - System Checkpoint
RP1493: 4/11/2012 11:49:57 PM - System Checkpoint
RP1494: 4/13/2012 12:31:34 AM - System Checkpoint
RP1495: 4/14/2012 1:31:34 AM - System Checkpoint
RP1496: 4/15/2012 2:31:34 AM - System Checkpoint
RP1497: 4/16/2012 2:32:49 AM - System Checkpoint
RP1498: 4/17/2012 3:31:43 AM - System Checkpoint
RP1499: 4/18/2012 4:31:43 AM - System Checkpoint
RP1500: 4/19/2012 5:32:48 AM - System Checkpoint
RP1501: 4/20/2012 7:46:39 AM - System Checkpoint
RP1502: 4/21/2012 8:28:12 AM - System Checkpoint
RP1503: 4/22/2012 9:28:26 AM - System Checkpoint
RP1504: 4/23/2012 9:41:35 AM - System Checkpoint
RP1505: 4/24/2012 9:47:43 AM - System Checkpoint
RP1506: 4/25/2012 10:17:23 AM - System Checkpoint
RP1507: 4/26/2012 10:53:15 AM - System Checkpoint
RP1508: 4/27/2012 2:10:52 PM - System Checkpoint
RP1509: 4/28/2012 10:03:15 PM - System Checkpoint
RP1510: 4/29/2012 10:27:41 PM - System Checkpoint
RP1511: 4/30/2012 11:04:31 PM - System Checkpoint
RP1512: 5/2/2012 12:04:31 AM - System Checkpoint
RP1513: 5/3/2012 1:04:31 AM - System Checkpoint
RP1514: 5/4/2012 1:06:33 AM - System Checkpoint
RP1515: 5/5/2012 2:07:37 AM - System Checkpoint
RP1516: 5/6/2012 3:06:32 AM - System Checkpoint
RP1517: 5/7/2012 3:35:53 AM - System Checkpoint
RP1518: 5/7/2012 3:09:47 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.1)
Adobe Shockwave Player 11.6
Amazon MP3 Downloader 1.0.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Magic-I Visual Effects 2
Arthur's Birthday
Azada : Ancient Magic
Azada® : In Libro Collector's Edition
Big Fish Games: Game Manager
Bonjour
Browser Address Error Redirector
BVHE-Beauty and the Beast Magical Ballroom
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window MC 5 for ZoomBrowser EX
Canon i550
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CCleaner
CCScore
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
Crayola Magic 3D Coloring Book Sampler
Dell DataSafe Online
Dell Driver Reset Tool
Dell Support Center (Support Software)
Dell System Restore
Digital Line Detect
Documentation & Support Launcher
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
EZface ActiveX 210
Favorite Places
fflink
GameProtector 1.0
Games, Music, & Photos Launcher
Google Chrome
Google Earth
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Update Helper
GoToAssist 8.0.0.480
GoToMeeting 4.8.0.723
Green Eggs and Ham
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Button Manager
HP Driver Diagnostics
HP Photo Creations
HP Photosmart C4700 All-in-One Driver 14.0 Rel. 6
HP Update
ImageMixer 3 SE Ver.6 Transfer Utility
ImageMixer 3 SE Ver.6 Video Tools
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.3.31.0
Internet Service Offers Launcher
iTunes
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 29
Jimmy Neutron vs. Jimmy Negatron DEMO
JumpStart Kindergarten 2001
JumpStart Toddlers 2001
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kid Pix Deluxe 3
Kid Pix Deluxe 4
Kit A Tree House of My Own
KODAK EASYSHARE Gallery Upload ActiveX Control
Kodak EasyShare software
L&H TTS3000 Español
LEGO Digital Designer
Lernout & Hauspie TruVoice American English TTS Engine
LG United Mobile Drivers
Little Bear Kindergarten Thinking Adventures
Malwarebytes Anti-Malware version 1.61.0.1400
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Windows XP Video Decoder Checkup Utility
MobileMe Control Panel
Modem Diagnostic Tool
Monopoly Junior
Move Media Player
MovieEdit Task
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
netbrdg
NetWaiting
Network
NickToons Racing
Notebook Interactive Viewer
OfotoXMI
Photo Notifier and Animation Creator
PhotoStitch
Plants vs. Zombies
PopCap Browser Plugin
PowerDVD
PS_AIO_06_C4700_SW_Min
QuickTime
RAW Image Task 2.1
Reader Rabbit's Math Ages 6-9
RealPlayer
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Safari
Scan
Scholastic's I SPY Fantasy
Scholastic's I SPY Mystery
Scholastic's I SPY School Days
Scholastic's I SPY Spooky Mansion
Scholastic's I SPY Treasure Hunt
SearchAssist
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SFR
SHASTA
Sibelius Scorch (ActiveX Only)
skin0001
SKINXSDK
Skype™ 5.3
Sonic Activation Module
Spell Checker For OE 2.1
SpongeBob SquarePants - Battle for Bikini Bottom DEMO
Spotify
staticcr
The Fairly OddParents Demo
Thomas & Friends - The Great Festival Adventure
Tonka Search and Rescue
Toolbox
tooltips
Unity Web Player (All users)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VPRINTOL
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows Support Tools
Windows XP Service Pack 3
WIRELESS
.
==== Event Viewer Messages From Past Week ========
.
5/7/2012 9:41:57 PM, error: Server [2505] - The server could not bind to the transport \Device\NwlnkNb because another computer on the network has the same name. The server could not start.
5/7/2012 9:41:57 PM, error: Server [2505] - The server could not bind to the transport \Device\NwlnkIpx because another computer on the network has the same name. The server could not start.
5/7/2012 3:37:48 PM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
5/7/2012 3:37:48 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: NetBT
5/7/2012 3:16:01 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
5/7/2012 2:59:07 PM, error: Service Control Manager [7000] - The McAfee SiteAdvisor Service service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================
 
DDS Log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by User at 12:13:02 on 2012-05-08
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1315 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\kowalski\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {10000000-1000-1000-1000-100000000000} - hxxp://cdn.betteradvertising.com/ghostery/addons/ie/WebInstall/ghostery.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://webvpn.usps.gov/+CSCOL+/relayp.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {705EC6D4-B138-4079-A307-EF13E40C2416} - hxxps://webvpn.usps.gov/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://webvpn.usps.gov/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 172.16.113.1
TCP: Interfaces\{3EAC37C0-2186-42CD-A9E0-6735F355A4BC} : DhcpNameServer = 172.16.113.1
TCP: Interfaces\{5CEF0DF9-5522-4761-B288-90AB1C130086} : NameServer = 24.94.163.100
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 464176]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-27 89792]
R1 MpKsl6dd162fa;MpKsl6dd162fa;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5534aa4e-a456-4aa1-9d4b-17d3615bc0f9}\MpKsl6dd162fa.sys [2012-5-8 29904]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-8 654408]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-27 150856]
R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-I visual effects 2\uCamMonitor.exe [2011-3-26 104960]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2011-3-26 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-8 22344]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-27 180816]
S1 ivtfrvpp;ivtfrvpp;\??\c:\windows\system32\drivers\ivtfrvpp.sys --> c:\windows\system32\drivers\ivtfrvpp.sys [?]
S1 kzpnvywc;kzpnvywc;\??\c:\windows\system32\drivers\kzpnvywc.sys --> c:\windows\system32\drivers\kzpnvywc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-27 136176]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]
S2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-27 160608]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-27 57600]
S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-27 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-27 83856]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-27 83856]
.
=============== Created Last 30 ================
.
2012-05-08 17:02:30 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5534aa4e-a456-4aa1-9d4b-17d3615bc0f9}\MpKsl6dd162fa.sys
2012-05-08 16:29:58 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2012-05-08 16:29:34 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-08 16:29:32 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-08 16:29:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-08 16:24:27 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5534aa4e-a456-4aa1-9d4b-17d3615bc0f9}\offreg.dll
2012-05-07 20:07:21 6734704 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5534aa4e-a456-4aa1-9d4b-17d3615bc0f9}\mpengine.dll
2012-05-07 20:07:20 237072 ---h--w- c:\windows\system32\MpSigStub.exe
2012-05-07 20:02:34 -------- d--h--w- c:\program files\Microsoft Security Client
2012-05-07 19:23:16 -------- d--h--w- C:\0791d0e706da230e5370ce063b270fa8
2012-04-30 18:28:21 -------- d--h--w- c:\documents and settings\user\application data\Anvisoft
2012-04-30 18:27:32 -------- d--h--w- c:\program files\Anvisoft
2012-04-30 15:03:55 -------- d--h--w- c:\documents and settings\all users\application data\F4D55F3E00274A0700002205D151FC84
.
==================== Find3M ====================
.
2012-05-08 02:34:19 525002 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-03-21 01:44:12 171064 ---ha-w- c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 12:13:57.26 ===============
 
Looks like you have a rogue program, called Windows Recovery. This malware is a fake computer analysis and optimization program that displays fake information in order to scare you into believing that there is an issue with your computer and you need their program to fix it.
  • It will display numerous error messages when you attempt to launch programs or delete files.
  • It will scan your computer, which will then find a variety of errors that it states it cannot fix until you purchase the program, the so-called defragment tool.
  • Folders, icons and programs may appear to be missing their content.
  • It may terminate a program you launch, stating that "the program or hard drive is corrupted".
  • The messages that you will see when you attempt to run a program are:
    ◦ Hard Drive Failure
    ◦ System or Critical Error
    ◦ Closing these messages will then bring a 'notice' of Windows Recovery Diagnostics and/or Fix Disk
  • When running, it will also display fake alerts from your Windows taskbar of various "Critical Errors" and other fake warnings.
  • The malware may prevent downloads directly to the infected computer. In that case, programs can be loaded onto a flash drive, then transferred to the problem system to run.
--------------------------

1. If your Task Manager is disabled, copy and run this command> Press Windows+R key> type cmd> OK
Code:
Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
Press Enter

2. If your desktop is blank and you are unable to right-click on it, run this command> Press Windows+R key> type cmd> OK
Code:
Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop
Press Enter
-------------------------------------
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the Run box and click OK. Note the space between the X and the U; it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed
    ◦ Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install; just bypass and go on.
    ◦ Note: No query will be made if the Recovery Console is already on the system.
  • Before you run the Combofix scan, please disable any security software you have running.
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware.
  • If Combofix asks you to update the program, allow.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
--------------------------------------------------------------

(Note: If programs, icons, files, etc. appear to be missing, you can run #3 first, then continue with RKill)
  1. Kill Malware process: Run RKill> Download from iExplore.exe download link and save to the desktop.
    ◦ Double click the iExplore.exe icon to run
    ◦ If you cannot find the icon, do as follows:
      ◦ Win XP: Click on Start> Run> type in %userprofile%\desktop\iexplore.exe> OK
      ◦ Win Vista/Win 7: Click on Start> type in Search Field %userprofile%\desktop\iexplore.exe> Enter
    ◦ Be patient> a black window will automatically close when finished
    ◦ If you get a message that RKill is an infection, leave the warning and run RKill again.
      Important: Do not reboot your computer after running RKill as the malware programs will start again.
  2. If you were able to run Malwarebytes, update it and rescan using Perform Full Scan this time.
  3. If you have missing icons, programs, files, run the following:
    ◦ Download Unhide.exe and save to the desktop
    ◦ Double-click on the Unhide.exe icon to run the program
    ◦ This program will remove the +H, or hidden, attribute from all the files on your hard drives. Note: This does not remove the malware, only the attribute causing the 'missing' problem. So it is important for you to continue.

  4. Please update the following. This malware frequently uses an exploit in an outdated program:
  Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.

  Adobe Reader> Current is vX(10.xx)> Adobe Reader Update
  Java(TM) > Current is v6u32> Java Updates.
  Uninstall any earlier versions of both, as they are vulnerabilities for the system.
--------------------------------
I've been working on a formatting problem for the last hour. I don't know what the problem was but I think I fixed it all. If something doesn't make sense, just ask me about it.
 
I have run the combofix and have the log pasted below. I still can't access the internet - should I continue with RKill step above anyway? I think the internet connection went out when I installed Microsoft Security Essentials - I uninstalled it before running the combofix, but it's still not accessing. I wonder if I've downloaded too many things and they are conflicting? (i.e. Malwarebytes, MSE, etc.) and maybe haven't properly cleaned them off?

ComboFix 12-05-10.02 - User 05/10/2012 11:51:30.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1652 [GMT -5:00]
Running from: I:\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.FRED\GoToAssistDownloadHelper.exe
c:\documents and settings\All Users\Application Data\66hVpjGwhuIMhY
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\User\g2mdlhlpx.exe
c:\documents and settings\User\GoToAssistDownloadHelper.exe
c:\documents and settings\User\My Documents\~WRL0005.tmp
c:\documents and settings\User\WINDOWS
c:\windows\$NtUninstallKB19498$
c:\windows\$NtUninstallKB19498$\3062547991
c:\windows\$NtUninstallKB19498$\96094608\@
c:\windows\$NtUninstallKB19498$\96094608\cfg.ini
c:\windows\$NtUninstallKB19498$\96094608\Desktop.ini
c:\windows\$NtUninstallKB19498$\96094608\L\odetmngk
c:\windows\$NtUninstallKB19498$\96094608\oemid
c:\windows\$NtUninstallKB19498$\96094608\U\00000001.@
c:\windows\$NtUninstallKB19498$\96094608\U\00000002.@
c:\windows\$NtUninstallKB19498$\96094608\U\00000004.@
c:\windows\$NtUninstallKB19498$\96094608\U\80000000.@
c:\windows\$NtUninstallKB19498$\96094608\U\80000004.@
c:\windows\$NtUninstallKB19498$\96094608\U\80000032.@
c:\windows\$NtUninstallKB19498$\96094608\version
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
.
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\$NtServicePackUninstall$\proquota.exe
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\system32\dllcache\netbt.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-04-10 to 2012-05-10 )))))))))))))))))))))))))))))))
.
.
2012-05-10 17:01 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-05-10 17:01 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2012-05-10 17:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2012-05-10 17:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-08 16:29 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-07 20:10 . 2012-05-07 20:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-05-07 20:07 . 2012-01-31 12:44 237072 ---h--w- c:\windows\system32\MpSigStub.exe
2012-05-07 19:23 . 2012-05-07 19:36 -------- d-----w- C:\0791d0e706da230e5370ce063b270fa8
2012-04-30 18:28 . 2012-04-30 18:28 -------- d--h--w- c:\documents and settings\User\Application Data\Anvisoft
2012-04-30 18:27 . 2012-05-07 19:32 -------- d--h--w- c:\program files\Anvisoft
2012-04-30 15:03 . 2012-04-30 16:35 -------- d--h--w- c:\documents and settings\All Users\Application Data\F4D55F3E00274A0700002205D151FC84
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 02:34 . 2011-11-07 14:23 525002 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-14 19:01 . 2011-07-08 23:35 24376 ---ha-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-14 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-09 22:54 10792 ---ha-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/27/2011 1:11 PM 89792]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/8/2012 11:29 AM 654408]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/27/2011 12:45 PM 150856]
R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe [3/26/2011 9:09 PM 104960]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [3/26/2011 9:09 PM 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/8/2012 11:29 AM 22344]
S1 ivtfrvpp;ivtfrvpp;\??\c:\windows\system32\drivers\ivtfrvpp.sys --> c:\windows\system32\drivers\ivtfrvpp.sys [?]
S1 kzpnvywc;kzpnvywc;\??\c:\windows\system32\drivers\kzpnvywc.sys --> c:\windows\system32\drivers\kzpnvywc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 8:46 PM 136176]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [1/27/2011 1:11 PM 160608]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/27/2011 1:10 PM 57600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 8:46 PM 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/27/2011 1:11 PM 83856]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/27/2011 1:11 PM 83856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 01:46]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 01:46]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2719611712-3216103391-934069528-1006Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 13:01]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2719611712-3216103391-934069528-1006UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 13:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 172.16.113.1
TCP: Interfaces\{5CEF0DF9-5522-4761-B288-90AB1C130086}: NameServer = 24.94.163.100
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-10 12:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(576)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2460)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-05-10 12:17:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-10 17:17
.
Pre-Run: 105,501,523,968 bytes free
Post-Run: 108,364,926,976 bytes free
.
- - End Of File - - 958F02092A2B38005ECA42A8E9D018AC
 
One of the necessary drivers was found to be corrupt and was replaced by a clean file: netbt.sys.
There is another driver that is frequently corrupted by the same malware: afd.sys. So let's be proactive and see if we can get you back on the internet:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    afd.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
=============================================
Then go on to the following check for other processes that might not be running:

Please download Farbar Service Scanner
  • Check ALL boxes to include all files.
  • Press the Scan button
  • Log named FSS.txt will be created in the same directory as the tool
  • Please paste the log into your next reply
========================================
Please leave both logs in your next reply.

In the meantime, I am checking Combofix for any processes to be removed.
 
I'm thankful for detailed directions!


Edit: Removing excess spacing

SystemLook 30.07.11 by jpshortstuff
Log created at 10:39 on 11/05/2012 by User
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.*"

C:\i386\afd.sys --a--c- 138496 bytes [14:48 10/02/2008] [10:00 04/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys --a--c- 138368 bytes [10:44 20/06/2008] [10:44 20/06/2008] D99DDFFB33DEACDCF20717CB520379F6
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys --a--c- 138496 bytes [11:40 20/06/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a--c- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$hf_mig$\KB956803\SP2QFE\afd.sys --a--c- 138368 bytes [18:58 15/10/2008] [09:48 14/08/2008] 6A0397376853E604DE8E1E7A87FC08AC
C:\WINDOWS\$hf_mig$\KB956803\SP3GDR\afd.sys --a--c- 138496 bytes [18:58 15/10/2008] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --a--c- 138496 bytes [18:58 15/10/2008] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\$NtServicePackUninstall$\afd.sys -----c- 138368 bytes [03:13 18/10/2008] [09:51 14/08/2008] 55E6E1C51B6D30E54335750955453702
C:\WINDOWS\$NtUninstallKB2509553$\afd.sys -----c- 138496 bytes [13:15 14/04/2011] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$NtUninstallKB951748$\afd.sys -----c- 138112 bytes [03:25 18/10/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys -----c- 138496 bytes [08:00 10/07/2008] [10:00 04/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\WINDOWS\$NtUninstallKB956803$\afd.sys -----c- 138496 bytes [03:26 18/10/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$NtUninstallKB956803_0$\afd.sys -----c- 138368 bytes [08:03 16/10/2008] [10:44 20/06/2008] 944CA435BFCFC82CC1ED9E3A7D731AA9
C:\WINDOWS\ServicePackFiles\i386\afd.sys -----c- 138112 bytes [01:00 19/08/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\system32\dllcache\afd.sys --a---- 138496 bytes [17:50 10/08/2004] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [17:50 10/08/2004] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37

-= EOF =-

Farbar Service Scanner Version: 11-05-2012
Ran by User (administrator) on 11-05-2012 at 10:49:56
Running from "C:\Documents and Settings\User\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returned error: Yahoo IP is unreachable

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-10 12:50] - [2008-10-16 09:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(6) IPSec(4) mfetdi2k(9) NetBT(13) NwlnkIpx(11) NwlnkNb(12) PSched(7) Tcpip(3) Tcpip6(10)
0x0C0000000400000001000000020000000300000009000000050000000600000007000000080000000A0000000B0000000C000000
IpSec Tag value is correct.
**** End of log ****
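The two logs above are read by comparing hash values by eye: the copy of afd.sys in system32\drivers is the one FSS does not print as "MD5 is legit", and the copy in dllcache carries the same MD5. As an added example (not part of this thread, and not code from SystemLook or Farbar Service Scanner), here is a small Python script that parses a SystemLook filefind listing and the "File Check" section of an FSS log, groups the on-disk copies of a file by MD5, and, for each file FSS did not recognise, lists the other copies carrying the same hash. The sample log lines embedded in it are constructed to match the formats shown above; the hashes in them are placeholders, not values from this thread.

```python
"""Triage helper for driver-file hash listings.

Added example: not code from the thread, from SystemLook or from Farbar
Service Scanner (FSS). It parses two log formats shown in the thread:

  * SystemLook ":filefind" hits:
        <path> <attrs> <size> bytes [created] [modified] <MD5>
  * the "File Check:" section of an FSS log, where a recognised file is
    printed as "<path> => MD5 is legit" and an unrecognised one as the
    path followed by a detail line that ends in its MD5.

It then lists, for each file FSS did not recognise, the other on-disk
copies carrying the same hash (for afd.sys that is typically dllcache).
"""
import re
from collections import defaultdict

# One filefind hit. The path is matched lazily so that a missing space
# before the attribute flags (as in "afd.sys--a----") still parses.
SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>.+?)\s*(?P<attrs>[-a-z]{7})\s+(?P<size>\d+)\s+bytes\s*"
    r"\[(?P<created>[^\]]+)\]\s*\[(?P<modified>[^\]]+)\]\s*"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# A line in the FSS File Check section that names a file (drive letter first).
FSS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# The detail line FSS prints under an unrecognised file; the MD5 is last.
FSS_DETAIL_RE = re.compile(
    r"\]\s*-\s*(?P<size>\d+)\s+\S+\s*\((?P<vendor>[^)]*)\)\s*"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_systemlook(text):
    """Return one dict per filefind hit; headers, blanks and EOF are skipped."""
    entries = []
    for line in text.splitlines():
        m = SYSTEMLOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def group_by_hash(entries):
    """Map MD5 -> list of paths, so identical copies are visible at a glance."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def parse_fss_filecheck(text):
    """Return (legit, unverified).

    legit: paths FSS printed with "=> MD5 is legit".
    unverified: (path, md5) for files FSS listed with full details instead,
    i.e. hashes it did not recognise (unknown, not necessarily malicious).
    """
    legit, unverified = [], []
    lines = text.splitlines()
    in_section, i = False, 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("File Check:"):
            in_section = True
        elif in_section and line.startswith("Extra List:"):
            break
        elif in_section and line.endswith("=> MD5 is legit"):
            legit.append(line.split(" =>")[0].strip())
        elif in_section and FSS_PATH_RE.match(line):
            md5 = None
            if i + 1 < len(lines):
                m = FSS_DETAIL_RE.search(lines[i + 1])
                if m:
                    md5 = m.group("md5").upper()
                    i += 1  # consume the detail line
            unverified.append((line, md5))
        i += 1
    return legit, unverified


def cross_check(systemlook_entries, unverified):
    """For each unverified (path, md5) return the other copies with that MD5.

    Paths are compared case-insensitively because the two tools print the
    same directory with different capitalisation (drivers vs Drivers).
    """
    groups = group_by_hash(systemlook_entries)
    return {
        path: [p for p in groups.get(md5, []) if p.lower() != path.lower()]
        for path, md5 in unverified
    }


# Constructed sample logs modelled on the formats above; hashes are placeholders.
SAMPLE_SYSTEMLOOK = r"""SystemLook 30.07.11 by jpshortstuff
========== filefind ==========

Searching for "afd.*"
C:\i386\afd.sys --a--c- 138496 bytes [14:48 10/02/2008] [10:00 04/08/2004] 11111111111111111111111111111111
C:\WINDOWS\ServicePackFiles\i386\afd.sys -----c- 138112 bytes [01:00 19/08/2008] [19:19 13/04/2008] 22222222222222222222222222222222
C:\WINDOWS\system32\dllcache\afd.sys --a---- 138496 bytes [17:50 10/08/2004] [14:43 16/10/2008] 33333333333333333333333333333333
C:\WINDOWS\system32\drivers\afd.sys--a---- 138496 bytes [17:50 10/08/2004] [14:43 16/10/2008] 33333333333333333333333333333333

-= EOF =-
"""

SAMPLE_FSS = r"""File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-10 12:50] - [2008-10-16 09:43] - 0138496 ____A (Microsoft Corporation) 33333333333333333333333333333333
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
Extra List:
=======
"""


def triage():
    """Run both parsers over the constructed samples and cross-check them."""
    _, unverified = parse_fss_filecheck(SAMPLE_FSS)
    return cross_check(parse_systemlook(SAMPLE_SYSTEMLOOK), unverified)


if __name__ == "__main__":
    for path, copies in triage().items():
        print(path, "-> same hash as:", copies or "no other copy")
```

A matching copy in dllcache shows that FCopy would restore the same bytes the driver already has, which is useful to know before running the script; it is not on its own evidence that the file is clean, since both copies could have been replaced. When FSS does not recognise a hash, compare it against a copy from an install source or a known-good machine of the same service-pack level before deciding anything.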
 
Kerry, I edited out what appeared to be double, double spacing (4 lines) in the System Look scan. The log is okay otherwise and we got a headstart on the file I thought would come up and replaced it. I'm hoping that after you run the following script in Combofix the internet connection will be restored.
-----------------------------------------------

Please run this Custom CFScript:

  • 1. Close any open browsers.
  • 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • 3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Clearjavacache::
 
FCopy::
C:\WINDOWS\system32\dllcache\afd.sys | C:\WINDOWS\system32\Drivers\afd.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Anvisoft: Besides protecting PC from malware infection, it optimizes and speeds up PC in several aspects. I read about this program on several sites. The site is in India and it appears there is no database for update. I think you can do better than this. I'll give some recommendations.
=====================
I'd like for you to run the following:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result. Please include in next reply.
  • A reboot is required after disinfection.
====================================
Reboot the Computer.

Please see what the internet connection status is and let me know. Let me also know if there are any remaining problems.
Include the new logs from OTM, ComboFix and TDSSKiller.
 
Still no internet. The TDSSKiller didn't find anything, either. Below is the log from ComboFix.


ComboFix 12-05-10.02 - User 05/12/2012 23:36:53.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1308 [GMT -5:00]
Running from: I:\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\System32\NCS2DMIX.dll
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\afd.sys --> c:\windows\system32\Drivers\afd.sys
.
((((((((((((((((((((((((( Files Created from 2012-04-13 to 2012-05-13 )))))))))))))))))))))))))))))))
.
.
2012-05-10 17:01 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-05-10 17:01 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2012-05-10 17:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2012-05-10 17:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-08 16:29 . 2012-05-08 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-08 16:29 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-07 20:10 . 2012-05-07 20:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-05-07 20:07 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-07 19:23 . 2012-05-07 19:36 -------- d-----w- C:\0791d0e706da230e5370ce063b270fa8
2012-04-30 18:28 . 2012-04-30 18:28 -------- d-----w- c:\documents and settings\User\Application Data\Anvisoft
2012-04-30 18:27 . 2012-05-07 19:32 -------- d-----w- c:\program files\Anvisoft
2012-04-30 15:03 . 2012-04-30 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F3E00274A0700002205D151FC84
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 02:34 . 2011-11-07 14:23 525002 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-14 19:01 . 2011-07-08 23:35 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-10_17.05.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-13 04:44 . 2012-05-13 04:44 16384 c:\windows\Temp\Perflib_Perfdata_224.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-14 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-09 22:54 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/27/2011 1:11 PM 89792]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/8/2012 11:29 AM 654408]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/27/2011 12:45 PM 150856]
R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe [3/26/2011 9:09 PM 104960]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [3/26/2011 9:09 PM 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/8/2012 11:29 AM 22344]
S1 ivtfrvpp;ivtfrvpp;\??\c:\windows\system32\drivers\ivtfrvpp.sys --> c:\windows\system32\drivers\ivtfrvpp.sys [?]
S1 kzpnvywc;kzpnvywc;\??\c:\windows\system32\drivers\kzpnvywc.sys --> c:\windows\system32\drivers\kzpnvywc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 8:46 PM 136176]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [1/27/2011 1:11 PM 160608]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/27/2011 1:10 PM 57600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/27/2010 8:46 PM 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/27/2011 1:11 PM 83856]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/27/2011 1:11 PM 83856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
.
2012-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 01:46]
.
2012-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 01:46]
.
2012-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2719611712-3216103391-934069528-1006Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 13:01]
.
2012-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2719611712-3216103391-934069528-1006UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 13:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: Interfaces\{5CEF0DF9-5522-4761-B288-90AB1C130086}: NameServer = 24.94.163.100
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-12 23:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2012-05-12 23:49:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-13 04:49
ComboFix2.txt 2012-05-10 17:17
.
Pre-Run: 108,358,889,472 bytes free
Post-Run: 108,540,825,600 bytes free
.
- - End Of File - - DF97EEEE04FE736B93700E63BAC3A8C3
 
Please remove both of these from the Trusted Zone. The security is lower in that zone, which makes the system vulnerable:
Trusted Zone: internet
Trusted Zone: mcafee.com

You have put the entire internet in the Trusted Zone. That means all the settings you made for secure surfing are being overridden!

Control Panel> Internet Options> Security tab> Trusted Sites> Sites> Highlight and remove any domain in this zone. Nothing needs to be in this zone! Click on Apply> OK when finished.
=================================================

I think the internet connection went out when I installed Microsoft Security Essentials - I uninstalled it before running the combofix, but it's still not accessing. I wonder if I've downloaded too many things and they are conflicting? (I.e.malwarebytes, MSE, etc) and maybe haven't properly cleaned them off?

What have you downloaded other than what I asked you to?

The McAfee subscription expired, but it's still working- correct?
You put Anvisoft on the system. It is still on the system- Please uninstall it.
Did you actually do the full uninstall of MSE? Or did you just delete some files for it? Why do you think MSE caused the loss of connection?

Please describe exactly what happens when you try to access the internet>> does a page load with a message in it? What is the message> Specifically
 
This is where I feel I'm going to sound like I don't know what I'm doing....I uninstalled McAfee since it was expired and we weren't going to renew it anyway, we were not happy with it. I put the AnviSoft on the computer before finding this forum - I was searching for solutions when the virus started so that was a recent addition; I just didn't know if that and the MSE combined might have conflicted. I was thinking my internet access had to do with MSE because it was after I downloaded it that I didn't have internet access anymore. I haven't downloaded anything else since the start of this thread, beyond instructions within the thread. I uninstalled MSE properly through Add or Remove Programs (at least I think I did it properly!)

For Anvisoft, it's not showing up under my add/remove program list - but I can see there are still files on my computer when I search for it. Should I just delete those files? I can't locate an uninstall option - it looks like what is left on my computer are the files that were quarantined.

When I try to connect, it tries to pull up my home page, then it gives the message "Internet Explorer cannot display the webpage" then goes on to say "What you can try: Diagnose Connection Problems" which we have tried but it refers us to our modem/router manual. We have tried shutting down the computers, router, modem then back up, but it didn't help the computer; the laptop still works fine for connection, and other devices work fine through the wireless router, it's just the personal computer that's still down.

Sorry for the long entry...I removed the entries from the trusted sites area.
 
Please download Farbar Service Scanner
  • Check ALL boxes to include all files.
  • Press the Scan button
  • Log named FSS.txt will be created in the same directory as the tool
  • Please paste the log into your next reply
 
Farbar Service Scanner Version: 11-05-2012
Ran by User (administrator) on 16-05-2012 at 20:01:28
Running from "C:\Documents and Settings\User\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returned error: Yahoo IP is unreachable

Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-10 12:50] - [2008-10-16 09:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(6) IPSec(4) mfetdi2k(9) NetBT(13) NwlnkIpx(11) NwlnkNb(12) PSched(7) Tcpip(3) Tcpip6(10)
0x0C0000000400000001000000020000000300000009000000050000000600000007000000080000000A0000000B0000000C000000
IpSec Tag value is correct.
**** End of log ****
 
Everything is working! The computer was set for a static IP address, instead of automatically obtaining one. We can now connect to the internet and everything is cleaned up. I want to thank you for all your help - it's amazing that you take time to help people with this, we appreciate it so much!

Can you recommend virus protection, etc, that we should have in place? That's my last question - thank you!
 
Sorry- I haven't been well and am far behind.

Will you please repeat the Fabar Service scan so I can make sure all is well.
 