Security Tool Invasion!

#16 Sydney34 (Member, Topic Starter, 19 posts)

Hi Ron. I was away for a couple of days. The computer actually seems to be working fine now--it even seems a bit faster than before the infection. (I've been able to get on the internet since the first ComboFix.) I downloaded AVAST and it found some infected files and quarantined them. I did a disk check again and I'll post the VEW log, but it still has that nasty phrase about a bad block in the hard disk. So if it's "dying," would that be due to wear and tear, and NOT "Security Tool?" Can it be fixed? The computer is 8 years old. Thank you SO much again for all your help. I will make a donation to geekstogo. --Sydney


Vino's Event Viewer v01c run on Windows XP in English
Report run at 20/08/2010 3:44:20 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 20/08/2010 2:38:11 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: AvgMfx86

Log: 'System' Date/Time: 20/08/2010 2:38:09 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The ntbpf service failed to start due to the following error: The system cannot open the file.

Log: 'System' Date/Time: 19/08/2010 10:18:43 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: AvgMfx86

Log: 'System' Date/Time: 19/08/2010 10:18:43 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The ntbpf service failed to start due to the following error: The system cannot open the file.

Log: 'System' Date/Time: 19/08/2010 8:32:21 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:32:18 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:32:14 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:32:11 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:32:07 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:32:03 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:32:00 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:31:56 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:31:53 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:31:49 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:30:26 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:30:23 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:30:19 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:30:15 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:30:12 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:30:08 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 20/08/2010 2:38:09 PM
Type: warning Category: 0
Event: 101 Source: W3SVC
The server was unable to add the virtual root '/data' for the directory 'C:\Documents and Settings\Carl Conner\My Documents\My PhotoShows\HTML\A_WALK_IN_THE_GLENGARRIFF_WOOD\data' due to the following error: The system cannot find the path specified. The data is the error code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft...ntredirect.asp.

Log: 'System' Date/Time: 19/08/2010 10:18:40 PM
Type: warning Category: 0
Event: 101 Source: W3SVC
The server was unable to add the virtual root '/data' for the directory 'C:\Documents and Settings\Carl Conner\My Documents\My PhotoShows\HTML\A_WALK_IN_THE_GLENGARRIFF_WOOD\data' due to the following error: The system cannot find the path specified. The data is the error code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft...ntredirect.asp.

Log: 'System' Date/Time: 19/08/2010 5:08:35 PM
Type: warning Category: 0
Event: 101 Source: W3SVC
The server was unable to add the virtual root '/data' for the directory 'C:\Documents and Settings\Carl Conner\My Documents\My PhotoShows\HTML\A_WALK_IN_THE_GLENGARRIFF_WOOD\data' due to the following error: The system cannot find the path specified. The data is the error code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft...ntredirect.asp.

Log: 'System' Date/Time: 19/08/2010 4:50:05 PM
Type: warning Category: 0
Event: 101 Source: W3SVC
The server was unable to add the virtual root '/data' for the directory 'C:\Documents and Settings\Carl Conner\My Documents\My PhotoShows\HTML\A_WALK_IN_THE_GLENGARRIFF_WOOD\data' due to the following error: The system cannot find the path specified. The data is the error code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft...ntredirect.asp.

Log: 'System' Date/Time: 19/08/2010 4:34:42 PM
Type: warning Category: 0
Event: 101 Source: W3SVC
The server was unable to add the virtual root '/data' for the directory 'C:\Documents and Settings\Carl Conner\My Documents\My PhotoShows\HTML\A_WALK_IN_THE_GLENGARRIFF_WOOD\data' due to the following error: The system cannot find the path specified. The data is the error code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft...ntredirect.asp.

Log: 'System' Date/Time: 16/08/2010 8:27:12 PM
Type: warning Category: 0
Event: 101 Source: W3SVC
The server was unable to add the virtual root '/data' for the directory 'C:\Documents and Settings\Carl Conner\My Documents\My PhotoShows\HTML\A_WALK_IN_THE_GLENGARRIFF_WOOD\data' due to the following error: The system cannot find the path specified. The data is the error code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft...ntredirect.asp.
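A way to pull the three separate findings out of a VEW export like the one above without reading it record by record, as an added example that is not part of the original thread or of Vino's Event Viewer. It parses the record layout the tool uses (a `Log:` line, a `Type:` line, an `Event:` line and one message line, with dates in dd/mm/yyyy as the tool's header says) and sorts the records into three buckets: Disk event 7 (the controller returned a read error for a sector; a burst of these on one device within a few seconds is a media symptom, not something a rogue antivirus program does), Service Control Manager 7026/7000 (a boot-start driver or service whose binary is no longer on disk, the usual residue of an uninstalled security product) and anything from W3SVC, which only appears when IIS is installed and running. The sample log is a constructed excerpt in the same layout; the W3SVC directory path is shortened.

```python
"""Triage a Vino's Event Viewer (VEW) export of the Windows XP 'System' log.

Added example, not part of the original thread.  SAMPLE_LOG is a constructed
excerpt in the layout of the log posted above (the W3SVC path is shortened).
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = r"""Vino's Event Viewer v01c run on Windows XP in English

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 20/08/2010 2:38:11 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: AvgMfx86

Log: 'System' Date/Time: 20/08/2010 2:38:09 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The ntbpf service failed to start due to the following error: The system cannot open the file.

Log: 'System' Date/Time: 19/08/2010 8:32:21 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

Log: 'System' Date/Time: 19/08/2010 8:32:18 PM
Type: error Category: 0
Event: 7 Source: Disk
The device, \Device\Harddisk0\D, has a bad block.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 20/08/2010 2:38:09 PM
Type: warning Category: 0
Event: 101 Source: W3SVC
The server was unable to add the virtual root '/data' for the directory 'C:\site\data' due to the following error: The system cannot find the path specified.
"""

# One VEW record: "Log:" line, "Type:" line, "Event:" line, then the message line.
RECORD_RE = re.compile(
    r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\n"
    r"Type: (?P<type>\w+) Category: (?P<category>\d+)\n"
    r"Event: (?P<event>\d+) Source: (?P<source>[^\n]+)\n"
    r"(?P<message>[^\n]*)",
    re.M,
)
BAD_BLOCK_RE = re.compile(r"The device, (?P<dev>\\Device\\[^,]+), has a bad block\.")
FAILED_DRIVER_RE = re.compile(r"driver\(s\) failed to load: (?P<names>.+)$")
FAILED_SERVICE_RE = re.compile(r"The (?P<name>\S+) service failed to start")

def parse_vew(text):
    """Return the records as dicts; VEW writes dates as dd/mm/yyyy (see its header)."""
    events = []
    for m in RECORD_RE.finditer(text):
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["when"], "%d/%m/%Y %I:%M:%S %p")
        rec["event"] = int(rec["event"])
        events.append(rec)
    return events

def triage(events):
    """Separate hardware symptoms from software leftovers and note exposed services."""
    bad_blocks = Counter()          # device -> number of Disk event 7 records
    disk_times, failed_drivers, failed_services, iis_records = [], set(), set(), 0
    for e in events:
        if e["source"] == "Disk" and e["event"] == 7:
            m = BAD_BLOCK_RE.match(e["message"])
            bad_blocks[m.group("dev") if m else "<unparsed>"] += 1
            disk_times.append(e["when"])
        elif e["source"] == "Service Control Manager" and e["event"] == 7026:
            m = FAILED_DRIVER_RE.search(e["message"])
            if m:
                failed_drivers.update(m.group("names").replace(",", " ").split())
        elif e["source"] == "Service Control Manager" and e["event"] == 7000:
            m = FAILED_SERVICE_RE.match(e["message"])
            if m:
                failed_services.add(m.group("name"))
        elif e["source"] == "W3SVC":
            iis_records += 1            # W3SVC logs only when IIS is installed and running
    span = (max(disk_times) - min(disk_times)).total_seconds() if disk_times else 0.0
    return {
        "bad_blocks": dict(bad_blocks),
        "bad_block_span_seconds": span,     # a burst within seconds points at failing media
        "failed_drivers": sorted(failed_drivers),    # boot-start drivers with no binary
        "failed_services": sorted(failed_services),
        "iis_present": iis_records > 0,
    }

if __name__ == "__main__":
    for key, value in triage(parse_vew(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run on the full export, the bad-block count per device and the time span of the burst are the numbers to compare against a SMART readout or the drive vendor's diagnostic; the driver and service names go straight into the cleanup list, and a non-zero W3SVC count is the prompt to ask whether a web server belongs on the machine at all.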

#17 RKinner (Malware Expert, MVP, 24,625 posts)

I expect your hard drive is just getting old. Probably time to get a replacement and clone the old one before it fails.

Uninstall "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper -it's not working correctly.

Then let's use combofix to remove some remnants.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall:

File::
c:\program files\Network Associates\ThreatScan Agent for ePO\driver\ntbpf.sys
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

Driver::
ntbpf
AvgMfx86
gupdate1cadf28b746024



******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.

Post the new log.

You are also getting this error:
Event: 101 Source: W3SVC
The server was unable to add the virtual root '/data' for the directory 'C:\Documents and Settings\Carl Conner\My Documents\My PhotoShows\HTML\A_WALK_IN_THE_GLENGARRIFF_WOOD\data' due to the following error: The system cannot find the path specified.

W3SVC is part of IIS. Are you running a webserver on this PC? If not:

Open 'Add/Remove Windows Components' found in 'Add/Remove Programs' in the 'Control Panel'.

Uncheck the box for 'Internet Information Services (IIS)' OK.

Other than that I think we are done.

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You do not have the latest Java (Java™ 6 Update 21). Get the latest at:

http://javadl.sun.co...?BundleId=41723

Save it to your PC then close all browsers and install it.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol 18.1 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.5.
http://oldmcdonald.w...orun-eater-v25/
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) and No Script are two others you might want to try.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

If you have a router, log on to it today and change the default password!

Ron

#18 Sydney34 (Member, Topic Starter, 19 posts)

Ron, you rock. I got rid of Google Update Helper and IIS. Then I ran ComboFix, log below. Unless I hear otherwise from you, I'll assume I'm as ok as I can be and will continue taking the steps you outlined, starting with System Restore. Ciao. --Sydney.

PS--When I turned on the computer today, a blue screen came up: "One of your disks needs to be checked for consistency. You may cancel the disk check but it is strongly recommended that you continue." So it did the check...

ComboFix 10-08-21.06 - Carl Conner 08/22/2010 22:01:56.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.272 [GMT 1:00]
Running from: c:\documents and settings\Carl Conner\Desktop\george.exe
Command switches used :: c:\documents and settings\Carl Conner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\Network Associates\ThreatScan Agent for ePO\driver\ntbpf.sys"
"c:\windows\Tasks\GoogleUpdateTaskMachineCore.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Network Associates\ThreatScan Agent for ePO\driver\ntbpf.sys
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVGMFX86
-------\Legacy_GUPDATE1CADF28B746024
-------\Legacy_NTBPF
-------\Service_AvgMfx86
-------\Service_gupdate1cadf28b746024
-------\Service_ntbpf


((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
.

2010-08-20 22:47 . 2010-08-20 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-19 18:12 . 2010-08-19 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-11 22:27 . 2010-08-11 22:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage
2010-08-08 21:12 . 2010-08-08 21:12 -------- d-----w- c:\documents and settings\Carl Conner\Application Data\Malwarebytes
2010-08-08 20:50 . 2010-08-08 20:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-08 20:50 . 2010-08-08 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 21:15 . 2010-04-18 18:53 -------- d-----w- c:\documents and settings\Carl Conner\Application Data\skypePM
2010-08-22 21:14 . 2010-04-18 18:50 -------- d-----w- c:\documents and settings\Carl Conner\Application Data\Skype
2010-08-22 21:11 . 2010-04-18 18:34 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-22 21:11 . 2010-04-18 18:32 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-08-19 18:12 . 2010-08-19 18:12 -------- d-----w- c:\program files\Alwil Software
2010-08-16 17:20 . 2010-04-26 16:33 -------- d-----w- c:\program files\Microsoft
2010-08-16 17:20 . 2002-09-24 21:17 -------- d-----w- c:\program files\Ontrack
2010-08-15 11:27 . 2010-08-15 13:34 1472000 ----a-w- c:\windows\Internet Logs\xDB25.tmp
2010-08-15 11:27 . 2010-08-15 13:34 24576 ----a-w- c:\windows\Internet Logs\xDB26.tmp
2010-08-13 19:42 . 2010-08-13 20:27 1468928 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2010-08-13 19:42 . 2010-08-13 20:27 22016 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2010-08-11 21:17 . 2010-08-08 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-11 21:04 . 2010-08-11 21:04 -------- d-----w- c:\program files\ERUNT
2010-08-08 21:16 . 2010-08-10 21:58 23040 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2010-08-08 21:16 . 2010-08-10 21:58 1468416 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2010-08-07 22:53 . 2010-08-07 23:02 1479168 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2010-08-07 22:53 . 2010-08-07 23:02 2931712 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2010-07-07 13:49 . 2010-07-08 00:28 375296 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2010-07-06 23:23 . 2010-07-08 00:28 1439744 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2010-06-30 19:23 . 2010-07-01 19:16 1431040 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2010-06-30 19:23 . 2010-07-01 19:16 291840 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2010-06-30 12:31 . 2002-08-29 00:41 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 20:57 . 2010-08-19 18:12 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-08-19 18:12 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-08-19 18:13 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-08-19 18:13 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-08-19 18:13 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-08-19 18:12 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-08-19 18:12 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-08-19 18:13 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-08-19 18:12 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-25 11:57 . 2010-06-25 12:23 1428480 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2010-06-25 11:56 . 2010-06-25 12:23 29696 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2010-06-24 23:58 . 2010-06-25 11:05 1432576 ----a-w- c:\windows\Internet Logs\xDB17.tmp
2010-06-24 23:57 . 2010-06-25 11:05 2060288 ----a-w- c:\windows\Internet Logs\xDB18.tmp
2010-06-24 12:22 . 2006-06-23 11:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2002-08-28 23:14 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2001-08-23 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2001-08-23 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2002-12-30 17:04 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-26 18:54 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-05-30 13:35 . 2010-05-30 14:11 1033216 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2010-05-30 13:30 . 2010-05-30 14:11 1384960 ----a-w- c:\windows\Internet Logs\xDB15.tmp
2003-06-09 17:05 . 2003-06-09 17:04 560 ----a-w- c:\program files\Global.sw
2003-07-21 14:21 . 2003-07-21 14:13 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-04-30 5472016]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2003-10-07 45056]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Carl Conner\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2008-11-7 517384]
PowerReg Scheduler.exe [2003-8-21 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DriveSelect.lnk - c:\program files\321Studios\Xpress\DriveSelect.exe [2003-5-5 217088]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2002-9-25 106560]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
2001-12-06 12:09 45056 ----a-w- c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2002-04-15 08:12 57344 ----a-w- c:\program files\Elaborate Bytes\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Print House 2000]
2000-04-11 10:22 188416 ----a-r- c:\windows\Corel\StpLnch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CrazyTalk Serve]
2002-11-02 07:14 1007616 ----a-w- c:\windows\system32\CrazyTalk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-01-09 08:21 253952 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-01-13 09:19 757760 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-01-13 13:05 69632 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 09:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HomeMeeting\\JoinNet\\joinnetu.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [7/2/2003 5:41 PM 5248]
R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [7/2/2003 4:49 PM 124160]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/19/2010 7:13 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/19/2010 7:13 PM 17744]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [9/24/2002 7:22 PM 144512]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [9/24/2002 7:22 PM 536768]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [4/17/2010 2:43 PM 100736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-22 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &Google Search - c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
IE: Backward &Links - c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
IE: Customize Menu &4 - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Fill Forms &] - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
IE: Save Forms &[ - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Search Using Copernic Agent - c:\program files\Copernic Agent\Web\SearchExt.htm
IE: Si&milar Pages - c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
IE: Translate Page - c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-22 22:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82D614F0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85f3f28
\Driver\ACPI -> ACPI.sys @ 0xf8566cb8
\Driver\atapi -> 0x82d614f0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3264)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\mslbui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\program files\WS_FTP Pro\nsftpch.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Executive Software\DiskeeperWorkstation\DKService.exe
c:\windows\System32\inetsrv\inetinfo.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Photodex\ProShowGold\ScsiAccess.exe
c:\windows\System32\snmp.exe
c:\windows\system32\WgaTray.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-08-22 22:19:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-22 21:19
ComboFix2.txt 2010-08-16 17:30
ComboFix3.txt 2010-08-14 22:59

Pre-Run: 60,057,411,584 bytes free
Post-Run: 60,184,064,000 bytes free

- - End Of File - - 18C2F4AFEE3F56B6874B256A3C9F1505
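Two sections of a ComboFix log that are worth reading mechanically rather than by eye, as an added example that is neither the thread's nor ComboFix's own code: the Run-key autostarts (each line carries the binary's path, timestamp and size) and the Gmer MBR detector's hook list. The detector prints each hook as `chain -> target`. A target that resolves into a named driver image (`CLASSPNP.SYS @ 0x...`) is attributed, `0x0` means no handler is installed, and a bare address with no module name is code the tool could not map to any loaded driver, which is the same condition the `>>UNKNOWN [...]<<` marker on the `called modules:` line reports. The closing `user & kernel MBR OK` line is a separate check on the boot-sector bytes and does not clear the hook list. How to read an unattributed hook on a given machine is a judgement call (a third-party disk filter driver can produce one too; a second-opinion rootkit scanner is the usual next step), and the example takes no position on this thread's log; it only extracts the items. The sample is a constructed excerpt in the log's layout, and the `Updater` autostart in it is invented to exercise the path heuristic; it is not from the posted log.

```python
"""Triage two sections of a ComboFix log: the Run-key autostarts and the Gmer
MBR-hook report.  Added example, not the thread's or ComboFix's own code.
SAMPLE is a constructed excerpt in the layout of the log posted above; the
"Updater" entry is invented to exercise the path rule and is not from it."""
import re

SAMPLE = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Updater"="c:\documents and settings\user\Local Settings\Temp\svchost.exe" [2010-08-07 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82D614F0]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85f3f28
\Driver\atapi -> 0x82d614f0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
NDIS: -> SendCompleteHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

RUN_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+\\Run)\]$")
RUN_ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
MODULE_TARGET_RE = re.compile(r"^\S+\.(?:sys|exe|dll) @ 0x[0-9a-f]+$", re.I)
RAW_ADDR_RE = re.compile(r"^0x[0-9a-f]+$", re.I)
UNKNOWN_MODULE_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<", re.I)
# Where an autostart binary is expected to live; anything else (user profile,
# temp directories) gets a second look.  A heuristic for review, not a verdict.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

def parse_run_keys(text):
    """Return Run-key autostarts as dicts: key, name, path, date, size."""
    entries, key = [], None
    for line in text.splitlines():
        k = RUN_KEY_RE.match(line)
        if k:
            key = k.group("key")
        elif key and RUN_ENTRY_RE.match(line):
            entries.append({"key": key, **RUN_ENTRY_RE.match(line).groupdict()})
        elif not line.strip():
            key = None              # a blank line ends the key's listing
    return entries

def suspicious_autostarts(entries):
    """Entries whose binary lives outside the usual program locations."""
    flagged = []
    for e in entries:
        p = e["path"].lower()
        if not p.startswith(TRUSTED_PREFIXES) or "\\temp\\" in p:
            flagged.append(e)
    return flagged

def parse_hooks(text):
    """Each hook line is 'chain -> target'; classify where the target resolves."""
    hooks, in_block = [], False
    for line in text.splitlines():
        if line.startswith("detected MBR rootkit hooks:"):
            in_block = True
        elif in_block and " -> " in line:
            chain, target = [s.strip() for s in line.rsplit(" -> ", 1)]
            if MODULE_TARGET_RE.match(target):
                kind = "module"         # resolves into a loaded driver image
            elif target == "0x0":
                kind = "none"           # no handler installed
            elif RAW_ADDR_RE.match(target):
                kind = "unattributed"   # code outside every module the tool knows
            else:
                kind = "other"
            hooks.append({"chain": chain, "target": target, "kind": kind})
        elif in_block:
            break                       # first non-hook line ends the block
    return hooks

def triage(text):
    hooks = parse_hooks(text)
    unattributed = [h for h in hooks if h["kind"] == "unattributed"]
    unknown = [a.lower() for a in UNKNOWN_MODULE_RE.findall(text)]
    return {
        "unattributed_hooks": [h["chain"] for h in unattributed],
        "unknown_call_targets": unknown,
        # the same address in the call chain and in a hook is one finding, not two
        "corroborated": any(h["target"].lower() in unknown for h in unattributed),
        "mbr_sector_ok": "user & kernel MBR OK" in text,
        "tool_warning": "Warning: possible MBR rootkit infection" in text,
        "autostarts_to_review": [e["name"] for e in suspicious_autostarts(parse_run_keys(text))],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The path rule is deliberately crude: it flags anything outside Program Files and the Windows directory, or anything under a Temp folder, for a person to look at, and decides nothing by itself. The hook classification is likewise just a sort of the detector's own output; whether an unattributed target is a filter driver or something that needs removing is settled by a second tool, not by this script.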

#19 RKinner (Malware Expert, MVP, 24,625 posts)

Looks good. Don't wait too long to get a new drive.

Ron

#20 Sydney34 (Member, Topic Starter, 19 posts)

Ok, I won't. Thanks again. It's been real, but I hope not to be seeing you too soon. Cheers. --Sydney.