Ron, you rock. I got rid of Google Update Helper and IIS. Then I ran ComboFix, log below. Unless I hear otherwise from you, I'll assume I'm as ok as I can be and will continue taking the steps you outlined, starting with System Restore. Ciao. --Sydney.
PS--When I turned on the computer today, a blue screen came up: "One of your disks needs to be checked for consistency. You may cancel the disk check but it is strongly recommended that you continue." So it did the check...
ComboFix 10-08-21.06 - Carl Conner 08/22/2010 22:01:56.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.272 [GMT 1:00]
Running from: c:\documents and settings\Carl Conner\Desktop\george.exe
Command switches used :: c:\documents and settings\Carl Conner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FILE ::
"c:\program files\Network Associates\ThreatScan Agent for ePO\driver\ntbpf.sys"
"c:\windows\Tasks\GoogleUpdateTaskMachineCore.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Network Associates\ThreatScan Agent for ePO\driver\ntbpf.sys
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AVGMFX86
-------\Legacy_GUPDATE1CADF28B746024
-------\Legacy_NTBPF
-------\Service_AvgMfx86
-------\Service_gupdate1cadf28b746024
-------\Service_ntbpf
((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
.
2010-08-20 22:47 . 2010-08-20 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-19 18:12 . 2010-08-19 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-11 22:27 . 2010-08-11 22:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage
2010-08-08 21:12 . 2010-08-08 21:12 -------- d-----w- c:\documents and settings\Carl Conner\Application Data\Malwarebytes
2010-08-08 20:50 . 2010-08-08 20:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-08 20:50 . 2010-08-08 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 21:15 . 2010-04-18 18:53 -------- d-----w- c:\documents and settings\Carl Conner\Application Data\skypePM
2010-08-22 21:14 . 2010-04-18 18:50 -------- d-----w- c:\documents and settings\Carl Conner\Application Data\Skype
2010-08-22 21:11 . 2010-04-18 18:34 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-22 21:11 . 2010-04-18 18:32 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-08-19 18:12 . 2010-08-19 18:12 -------- d-----w- c:\program files\Alwil Software
2010-08-16 17:20 . 2010-04-26 16:33 -------- d-----w- c:\program files\Microsoft
2010-08-16 17:20 . 2002-09-24 21:17 -------- d-----w- c:\program files\Ontrack
2010-08-15 11:27 . 2010-08-15 13:34 1472000 ----a-w- c:\windows\Internet Logs\xDB25.tmp
2010-08-15 11:27 . 2010-08-15 13:34 24576 ----a-w- c:\windows\Internet Logs\xDB26.tmp
2010-08-13 19:42 . 2010-08-13 20:27 1468928 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2010-08-13 19:42 . 2010-08-13 20:27 22016 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2010-08-11 21:17 . 2010-08-08 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-11 21:04 . 2010-08-11 21:04 -------- d-----w- c:\program files\ERUNT
2010-08-08 21:16 . 2010-08-10 21:58 23040 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2010-08-08 21:16 . 2010-08-10 21:58 1468416 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2010-08-07 22:53 . 2010-08-07 23:02 1479168 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2010-08-07 22:53 . 2010-08-07 23:02 2931712 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2010-07-07 13:49 . 2010-07-08 00:28 375296 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2010-07-06 23:23 . 2010-07-08 00:28 1439744 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2010-06-30 19:23 . 2010-07-01 19:16 1431040 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2010-06-30 19:23 . 2010-07-01 19:16 291840 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2010-06-30 12:31 . 2002-08-29 00:41 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 20:57 . 2010-08-19 18:12 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-08-19 18:12 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-08-19 18:13 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-08-19 18:13 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-08-19 18:13 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-08-19 18:12 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-08-19 18:12 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-08-19 18:13 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-08-19 18:12 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-25 11:57 . 2010-06-25 12:23 1428480 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2010-06-25 11:56 . 2010-06-25 12:23 29696 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2010-06-24 23:58 . 2010-06-25 11:05 1432576 ----a-w- c:\windows\Internet Logs\xDB17.tmp
2010-06-24 23:57 . 2010-06-25 11:05 2060288 ----a-w- c:\windows\Internet Logs\xDB18.tmp
2010-06-24 12:22 . 2006-06-23 11:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2002-08-28 23:14 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2001-08-23 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2001-08-23 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2002-12-30 17:04 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-26 18:54 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-05-30 13:35 . 2010-05-30 14:11 1033216 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2010-05-30 13:30 . 2010-05-30 14:11 1384960 ----a-w- c:\windows\Internet Logs\xDB15.tmp
2003-06-09 17:05 . 2003-06-09 17:04 560 ----a-w- c:\program files\Global.sw
2003-07-21 14:21 . 2003-07-21 14:13 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-04-30 5472016]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2003-10-07 45056]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
c:\documents and settings\Carl Conner\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2008-11-7 517384]
PowerReg Scheduler.exe [2003-8-21 225280]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
DriveSelect.lnk - c:\program files\321Studios\Xpress\DriveSelect.exe [2003-5-5 217088]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2002-9-25 106560]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
2001-12-06 12:09 45056 ----a-w- c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2002-04-15 08:12 57344 ----a-w- c:\program files\Elaborate Bytes\CloneCD\CloneCDTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Print House 2000]
2000-04-11 10:22 188416 ----a-r- c:\windows\Corel\StpLnch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CrazyTalk Serve]
2002-11-02 07:14 1007616 ----a-w- c:\windows\system32\CrazyTalk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-01-09 08:21 253952 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-01-13 09:19 757760 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-01-13 13:05 69632 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 09:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HomeMeeting\\JoinNet\\joinnetu.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [7/2/2003 5:41 PM 5248]
R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [7/2/2003 4:49 PM 124160]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/19/2010 7:13 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/19/2010 7:13 PM 17744]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [9/24/2002 7:22 PM 144512]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [9/24/2002 7:22 PM 536768]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [4/17/2010 2:43 PM 100736]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-08-22 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &Google Search - c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
IE: Backward &Links - c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
IE: Customize Menu &4 - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Fill Forms &] - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
IE: Save Forms &[ - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Search Using Copernic Agent - c:\program files\Copernic Agent\Web\SearchExt.htm
IE: Si&milar Pages - c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
IE: Translate Page - c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-08-22 22:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82D614F0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85f3f28
\Driver\ACPI -> ACPI.sys @ 0xf8566cb8
\Driver\atapi -> 0x82d614f0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3264)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\mslbui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\program files\WS_FTP Pro\nsftpch.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Executive Software\DiskeeperWorkstation\DKService.exe
c:\windows\System32\inetsrv\inetinfo.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Photodex\ProShowGold\ScsiAccess.exe
c:\windows\System32\snmp.exe
c:\windows\system32\WgaTray.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-08-22 22:19:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-22 21:19
ComboFix2.txt 2010-08-16 17:30
ComboFix3.txt 2010-08-14 22:59
Pre-Run: 60,057,411,584 bytes free
Post-Run: 60,184,064,000 bytes free
- - End Of File - - 18C2F4AFEE3F56B6874B256A3C9F1505
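The log above is the raw ComboFix record. As an added example (not code from the post, from Ron's instructions, or from ComboFix itself), the Python helper below parses the two line shapes a reviewer spends most time on, the file entries in the "Files Created" / "Find3M Report" sections and the `"Name"="command" [date size]` entries under the Run keys, and raises review hints: hidden+system attributes, a `.sys` outside `system32\drivers`, an executable under a Temp directory, and an autorun launched from outside `c:\windows` or `c:\program files`. Everything here is an assumption of mine, not ComboFix documentation: the attribute letters d/s/h/a/r/w are my reading of the flag string, the trusted roots are a choice, the two timestamps are kept as opaque strings, and two of the sample lines (`sample_unknown.sys` and the `Updater` Run entry) are constructed so every rule fires. The hints are starting points for a human, not verdicts; a hidden system file in system32 is flagged on its attributes alone and may be perfectly legitimate.

```python
"""Triage helper for ComboFix log entries (added example, not ComboFix code).

Assumed log format: a file entry is 'TS . TS SIZE ATTRS PATH' where SIZE is
'--------' for directories and the attribute letters d/s/h/a/r/w mean
directory/system/hidden/archive/read-only/writable; a Run-key entry is
'"Name"="command" [YYYY-MM-DD SIZE]'.  Hints are for a reviewer, not verdicts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: four lines copied from the log above plus two made-up
# lines (sample_unknown.sys and "Updater") so that every rule fires once.
SAMPLE_FILES = """\
2010-08-20 22:47 . 2010-08-20 22:47 -------- d-----w- c:\\documents and settings\\All Users\\Application Data\\TEMP
2010-06-30 12:31 . 2002-08-29 00:41 149504 ----a-w- c:\\windows\\system32\\schannel.dll
2010-06-28 20:37 . 2010-08-19 18:13 46672 ----a-w- c:\\windows\\system32\\drivers\\aswTdi.sys
2003-07-21 14:21 . 2003-07-21 14:13 848 --sha-w- c:\\windows\\system32\\KGyGaAvL.sys
2010-08-21 03:12 . 2010-08-21 03:12 18432 --sh--w- c:\\documents and settings\\All Users\\Application Data\\TEMP\\sample_unknown.sys
"""
SAMPLE_RUN = """\
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\\program files\\Skype\\Phone\\Skype.exe" [2010-04-06 26102056]
"Updater"="c:\\documents and settings\\All Users\\Application Data\\TEMP\\sample_unknown.exe" [2010-08-21 18432]
"""

FILE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)

# Assumed trusted locations (a reviewer's choice, not a ComboFix rule).
SYSTEM32 = "c:\\windows\\system32\\"
DRIVERS = SYSTEM32 + "drivers\\"
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr")


@dataclass(frozen=True)
class FileEntry:
    ts1: str            # first timestamp, kept verbatim (semantics not assumed)
    ts2: str            # second timestamp, kept verbatim
    size: int | None    # None for directories ('--------' in the log)
    attrs: str          # raw 8-character attribute string, e.g. '--sha-w-'
    path: str

    def has(self, flag: str) -> bool:
        """True if the attribute letter (d, s, h, a, r, w) is present."""
        return flag in self.attrs


def parse_files(text: str) -> list[FileEntry]:
    """Parse every well-formed file/directory line; silently skip other lines."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(FileEntry(m["ts1"], m["ts2"], size, m["attrs"], m["path"]))
    return entries


def triage_file(e: FileEntry) -> list[str]:
    """Review hints for one entry; an empty list means nothing notable."""
    if e.has("d"):                       # directories are not scored
        return []
    low = e.path.lower()
    hints = []
    if e.has("s") and e.has("h"):
        hints.append("hidden+system attributes set")
    if low.endswith(".sys") and not low.startswith(DRIVERS):
        hints.append(".sys file outside system32\\drivers")
    if "\\temp\\" in low and low.endswith(EXECUTABLE_EXT):
        hints.append("executable under a Temp directory")
    return hints


def review_files(text: str) -> dict[str, list[str]]:
    """Map path -> hints for every entry that triggered at least one rule."""
    return {e.path: h for e in parse_files(text) if (h := triage_file(e))}


def review_run_keys(text: str) -> dict[str, str]:
    """Map autorun name -> command for entries launched outside TRUSTED_ROOTS."""
    flagged = {}
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m and not m["cmd"].lower().startswith(TRUSTED_ROOTS):
            flagged[m["name"]] = m["cmd"]
    return flagged


if __name__ == "__main__":
    for path, hints in review_files(SAMPLE_FILES).items():
        print(f"{path}\n    " + "; ".join(hints))
    for name, cmd in review_run_keys(SAMPLE_RUN).items():
        print(f"Run key {name!r} launches from an untrusted location: {cmd}")
```

Paste the relevant sections of a real log into `SAMPLE_FILES` / `SAMPLE_RUN` (or read them from a file) and the hints come out per path; anything flagged still needs the usual checks (publisher, hash lookup, whether an installed product accounts for it) before deciding on removal.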