Need help please with virus - ipodservice.exe is infected. Do you want to...

I cannot download Windows Recovery Console because I can't get to the Internet on my infected machine to download it and I cant find a place to just download this by itself. Can I still proceed with the rest of the tasks without it? thanks for your help!

In addition to the question above, is it normal for OTL to be at this line for over an hour?

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =

Stayed at ProxyOverride line for 3+ hours until I restarted. Made sure all McAfee updates etc. were disabled and tried again. No luck. Any advice?

Hi,

Yes, please continue with ComboFix and run this OTL fix instead:

Please run OTL.exe.

• Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :OTL
  PRC - [2010/12/07 19:07:18 | 000,262,656 | ---- | M] () -- C:\Documents and Settings\Tricia\Local Settings\Temp\artcqvwra\blfwcoeaffm.exe
  IE - HKCU\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - Reg Error: Key error. File not found
  IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
  IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:43902
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
  O4 - HKCU..\Run: [sohugeja] C:\Documents and Settings\Tricia\Local Settings\Temp\artcqvwra\blfwcoeaffm.exe ()
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
  
  
  
  :commands
  [emptytemp]
  [resethosts]
  
  
  
• Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  
  
• Click the red Run Fix button.
  
• A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTL.exe
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Here are the new OTL logs after running the code you provided. Combofix logs to follow.

All processes killed
Error: Unable to interpret <OTL> in the current context!
Error: Unable to interpret <PRC - [2010/12/07 19:07:18 | 000,262,656 | ---- | M] () -- C:\Documents and Settings\Tricia\Local Settings\Temp\artcqvwra\blfwcoeaffm.exe> in the current context!
Error: Unable to interpret <IE - HKCU\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - Reg Error: Key error. File not found> in the current context!
Error: Unable to interpret ~[Filtered]~ in the current context!
Error: Unable to interpret <IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:43902> in the current context!
Error: Unable to interpret <O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.> in the current context!
Error: Unable to interpret <O4 - HKCU..\Run: [sohugeja] C:\Documents and Settings\Tricia\Local Settings\Temp\artcqvwra\blfwcoeaffm.exe ()> in the current context!
Error: Unable to interpret <O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present> in the current context!
Error: Unable to interpret <O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present> in the current context!
Error: Unable to interpret <O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 81920 bytes
->Temporary Internet Files folder emptied: 323847 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 8090 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Tricia
->Temp folder emptied: 494982453 bytes
->Temporary Internet Files folder emptied: 190481573 bytes
->Java cache emptied: 149310 bytes
->Flash cache emptied: 1972162 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17048 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 31718978 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 687.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.17.3 log created on 12132010_103141

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

ComboFix 10-12-11.06 - Tricia 12/13/2010 11:14:01.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.186 [GMT -7:00]
Running from: c:\documents and settings\Tricia\desktop\commy.exe
Command switches used :: /stepdel
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\arp.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-13 to 2010-12-13 )))))))))))))))))))))))))))))))
.

2010-12-12 20:58 . 2010-12-12 20:58 -------- d-----w- C:\_OTL
2010-12-10 21:04 . 2010-12-10 21:05 -------- d-----w- c:\program files\ATS2
2010-12-10 20:40 . 2004-03-09 06:00 212240 ----a-w- c:\windows\system32\RICHTX32.OCX
2010-12-10 20:40 . 2000-07-15 06:00 118784 ----a-w- c:\windows\system32\msstdfmt.dll
2010-12-10 20:03 . 2010-12-10 23:15 -------- d-----w- c:\program files\The Cleaner
2010-12-10 19:23 . 2010-12-10 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-12-10 17:35 . 2010-12-10 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-09 22:37 . 2010-12-09 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-09 21:10 . 2010-12-09 22:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-09 21:10 . 2010-12-09 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-09 20:45 . 2010-12-09 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-12-09 20:45 . 2010-12-09 20:45 -------- d-----w- c:\program files\Alwil Software
2010-12-09 19:32 . 2010-12-09 19:32 -------- d-----w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 18:23 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 17:51 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 17:51 953856 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"OurPictures"="c:\program files\RitzPix E-Z Print & Share\OurPictures.exe" [2006-06-19 4796416]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-10-06 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"QUICKCARE"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-10 198800]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-07-01 1193848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-4 176128]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe.vir [2004-2-13 16423]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [9/10/2010 1:22 PM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/25/2008 10:24 PM 93320]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [9/10/2010 1:21 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [9/10/2010 1:23 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [9/10/2010 1:22 PM 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [9/10/2010 1:22 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [9/10/2010 1:22 PM 88480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2010 6:38 PM 135664]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [9/10/2010 1:22 PM 55456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [9/10/2010 1:22 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/10/2010 1:22 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2010-12-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 05:54]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 05:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
mStart Page = hxxp://qwest.live.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:43902
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-13 11:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1300)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3924)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-13 11:43:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-13 18:43
ComboFix2.txt 2010-12-10 01:43

Pre-Run: 10,566,742,016 bytes free
Post-Run: 10,516,742,144 bytes free

- - End Of File - - 400C8CE83993452A8D8826F5C48D019C

Hi,

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   DDS::
   uInternet Settings,ProxyOverride =
   uInternet Settings,ProxyServer = http=127.0.0.1:43902
   
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

Here is the latest set. Thanks again for sticking through this with me.

ComboFix 10-12-13.01 - Tricia 12/14/2010 9:56.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.76 [GMT -7:00]
Running from: c:\documents and settings\Tricia\Desktop\commy.exe.exe
Command switches used :: c:\documents and settings\Tricia\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.

2010-12-12 20:58 . 2010-12-12 20:58 -------- d-----w- C:\_OTL
2010-12-10 21:04 . 2010-12-10 21:05 -------- d-----w- c:\program files\ATS2
2010-12-10 20:40 . 2004-03-09 06:00 212240 ----a-w- c:\windows\system32\RICHTX32.OCX
2010-12-10 20:40 . 2000-07-15 06:00 118784 ----a-w- c:\windows\system32\msstdfmt.dll
2010-12-10 20:03 . 2010-12-10 23:15 -------- d-----w- c:\program files\The Cleaner
2010-12-10 19:23 . 2010-12-10 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-12-10 17:35 . 2010-12-10 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-10 00:52 . 2010-12-10 00:52 -------- d-----w- c:\documents and settings\Tricia\Application Data\Malwarebytes
2010-12-09 22:37 . 2010-12-09 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-09 21:10 . 2010-12-09 22:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-09 21:10 . 2010-12-09 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-09 20:45 . 2010-12-09 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-12-09 20:45 . 2010-12-09 20:45 -------- d-----w- c:\program files\Alwil Software
2010-12-09 19:32 . 2010-12-09 19:32 -------- d-----w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 18:23 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 17:51 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 17:51 953856 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"OurPictures"="c:\program files\RitzPix E-Z Print & Share\OurPictures.exe" [2006-06-19 4796416]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-10-06 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"QUICKCARE"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-10 198800]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-07-01 1193848]

c:\documents and settings\Tricia\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-6-7 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-4 176128]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe.vir [2004-2-13 16423]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [9/10/2010 1:22 PM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/25/2008 10:24 PM 93320]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [9/10/2010 1:21 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [9/10/2010 1:23 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [9/10/2010 1:22 PM 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [9/10/2010 1:22 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [9/10/2010 1:22 PM 88480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2010 6:38 PM 135664]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [9/10/2010 1:22 PM 55456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [9/10/2010 1:22 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/10/2010 1:22 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2010-12-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 05:54]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 05:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
mStart Page = hxxp://qwest.live.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-14 10:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1300)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3216)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-12-14 10:13:03
ComboFix-quarantined-files.txt 2010-12-14 17:12
ComboFix2.txt 2010-12-13 18:44
ComboFix3.txt 2010-12-10 01:43

Pre-Run: 10,505,789,440 bytes free
Post-Run: 10,479,820,800 bytes free

- - End Of File - - 4867091E93B57BFFAB5D431E4F6712E8

Just wondering what you thought of the latest logs from yesterday morning. Is there anything else I need to do? Thank you!!!!

Hi,

Please download Malwarebytes Anti-Malware from Here.


Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

====================

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
  
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic
  

================

Download MBRCheck to your desktop.

• Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  
• It will show a black screen with some data on it.
  
• A report called MBRcheckxxxx.txt will be on your desktop
  
• Open this report and post its content in your next reply.
  

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5328

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/16/2010 12:30:39 PM
mbam-log-2010-12-16 (12-30-39).txt

Scan type: Quick scan
Objects scanned: 151050
Time elapsed: 14 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=b2000a7d3c57a04dbdd08229925c6ec3
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-16 09:23:31
# local_time=2010-12-16 02:23:31 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16777177 100 75 1044462 21676351 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=82311
# found=0
# cleaned=0
# scan_time=5185

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 140):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF89F2000 \WINDOWS\system32\KDCOM.DLL
0xF8902000 \WINDOWS\system32\BOOTVID.dll
0xF83C3000 ACPI.sys
0xF89F4000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF83B2000 pci.sys
0xF84F2000 isapnp.sys
0xF8906000 compbatt.sys
0xF890A000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF8ABA000 pciide.sys
0xF8772000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF89F6000 intelide.sys
0xF8502000 MountMgr.sys
0xF8393000 ftdisk.sys
0xF877A000 PartMgr.sys
0xF8512000 VolSnap.sys
0xF837B000 atapi.sys
0xF8522000 disk.sys
0xF8532000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF835B000 fltmgr.sys
0xF8349000 sr.sys
0xF82EC000 mfehidk.sys
0xF82D7000 drvmcdb.sys
0xF8542000 PxHelp20.sys
0xF82C0000 KSecDD.sys
0xF8233000 Ntfs.sys
0xF8206000 NDIS.sys
0xF81EC000 Mup.sys
0xF8702000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF89DE000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF79D5000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF79C1000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7999000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF884A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7975000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF8852000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF8712000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF791A000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF8722000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF78EB000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF8A28000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF885A000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF8862000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8732000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8A2A000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF8742000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8752000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF78C8000 \SystemRoot\system32\DRIVERS\ks.sys
0xF886A000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF8B08000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF78B4000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xF8762000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF89EE000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF789D000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF8562000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF8572000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF8872000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF788C000 \SystemRoot\system32\DRIVERS\psched.sys
0xF8582000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7868000 \SystemRoot\system32\drivers\mfeavfk.sys
0xF781D000 \SystemRoot\system32\drivers\mfefirek.sys
0xF887A000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF8882000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF85B2000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF8A32000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF7797000 \SystemRoot\system32\DRIVERS\update.sys
0xF7AF6000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF85C2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA6CC000 \SystemRoot\system32\drivers\sthda.sys
0xAA6A8000 \SystemRoot\system32\drivers\portcls.sys
0xF85E2000 \SystemRoot\system32\drivers\drmk.sys
0xAA5D6000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xAA4D9000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xAA429000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF888A000 \SystemRoot\System32\Drivers\Modem.SYS
0xF85F2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF89AA000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF8A3E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8B6D000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A40000 \SystemRoot\System32\Drivers\Beep.SYS
0xF889A000 \SystemRoot\system32\drivers\ssrtln.sys
0xF88A2000 \SystemRoot\System32\drivers\vga.sys
0xF8A44000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A46000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF88AA000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF88B2000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF89BA000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA389000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA330000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA31D000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xAA2F7000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAA2CF000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA2AD000 \SystemRoot\System32\drivers\afd.sys
0xF8612000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA282000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA1EA000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF8632000 \SystemRoot\System32\Drivers\Fips.SYS
0xF8652000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF89DA000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xF86F2000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAA1D2000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8A56000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA3D4000 \SystemRoot\System32\drivers\Dxapi.sys
0xF87EA000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8B93000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF041000 \SystemRoot\System32\ialmdev5.DLL
0xBF075000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF8602000 \SystemRoot\system32\drivers\drvnddm.sys
0xF8C08000 \SystemRoot\system32\dla\tfsndres.sys
0xAA07C000 \SystemRoot\system32\dla\tfsnifs.sys
0xAA1AA000 \SystemRoot\system32\dla\tfsnopio.sys
0xF8A5C000 \SystemRoot\system32\dla\tfsnpool.sys
0xF8802000 \SystemRoot\system32\dla\tfsnboio.sys
0xF8642000 \SystemRoot\system32\dla\tfsncofs.sys
0xF8C0A000 \SystemRoot\system32\dla\tfsndrct.sys
0xAA063000 \SystemRoot\system32\dla\tfsnudf.sys
0xAA04A000 \SystemRoot\system32\dla\tfsnudfa.sys
0xAA0BA000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xAA0B6000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9CFD000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF8A9A000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xF8A9C000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xA9C2D000 \SystemRoot\system32\DRIVERS\srv.sys
0xA9CD1000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA9B28000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9D9A000 \SystemRoot\system32\drivers\sysaudio.sys
0xA9019000 \SystemRoot\System32\Drivers\HTTP.sys
0xA8F2D000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA8DFC000 \SystemRoot\system32\drivers\mfeapfk.sys
0xA9F7A000 \SystemRoot\system32\drivers\mfebopk.sys
0xF8A86000 \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
0xA86AD000 \SystemRoot\system32\drivers\kmixer.sys
0xF8892000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 62):
0 System Idle Process
4 System
1148 C:\WINDOWS\system32\smss.exe
1272 csrss.exe
1296 C:\WINDOWS\system32\winlogon.exe
1340 C:\WINDOWS\system32\services.exe
1352 C:\WINDOWS\system32\lsass.exe
1512 C:\WINDOWS\system32\svchost.exe
1596 svchost.exe
1632 C:\WINDOWS\system32\svchost.exe
1700 svchost.exe
1760 svchost.exe
452 C:\WINDOWS\explorer.exe
492 C:\WINDOWS\system32\WLTRYSVC.EXE
504 C:\WINDOWS\system32\BCMWLTRY.EXE
592 C:\WINDOWS\system32\spoolsv.exe
700 svchost.exe
764 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
780 C:\Program Files\Bonjour\mDNSResponder.exe
860 C:\PROGRA~1\McAfee\SITEAD~1\McSACore.exe
908 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
968 C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
984 C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
1124 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
1196 C:\WINDOWS\system32\svchost.exe
1276 wdfmgr.exe
1916 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
332 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
1796 wmiprvse.exe
2356 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2380 C:\WINDOWS\system32\hkcmd.exe
2388 C:\WINDOWS\system32\igfxpers.exe
2408 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
2424 C:\WINDOWS\stsystra.exe
2432 C:\WINDOWS\system32\WLTRAY.EXE
2448 C:\Program Files\Dell\QuickSet\quickset.exe
2456 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
2480 C:\Program Files\Real\RealPlayer\realplay.exe
2496 C:\WINDOWS\system32\dla\tfswctrl.exe
2512 C:\WINDOWS\system32\igfxsrvc.exe
2600 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
2616 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
2644 C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
2708 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
2908 C:\Program Files\iTunes\iTunesHelper.exe
3052 C:\Program Files\McAfee.com\Agent\mcagent.exe
3108 C:\Program Files\NetWaiting\netwaiting.exe
3288 C:\Program Files\DellSupport\DSAgnt.exe
3308 C:\WINDOWS\system32\wscntfy.exe
3336 C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
3384 C:\Program Files\MSN Messenger\msnmsgr.exe
3404 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3420 C:\Program Files\Digital Line Detect\DLG.exe
3432 C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
3452 C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
3684 alg.exe
256 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
3156 C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
3668 C:\WINDOWS\system32\wuauclt.exe
3736 C:\Program Files\iPod\bin\iPodService.exe
1392 C:\WINDOWS\system32\ctfmon.exe
1588 C:\Documents and Settings\Tricia\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00fb0400 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGMP0402H, Rev: UC200-16

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Dell MBR code detected
SHA1: 84B95CE8A54B7C5C3AAF149934FC46FB70FF8365


Done!

Hi,

How is your computer running now?

It is running great, no issues. Dare we say that we have victory?

Yep, you are all clean.

Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

Updating System Restore

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE.

You now have a clean restore point.

To get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do a calculation of temporary/old files, and then display a dialogue box.
  
• Select the More Options Tab.
  
• At the bottom will be a System Restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done.

========

Removing the tools

Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.
  Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

============

Service Pack upgrade

Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: Here

============

Update Programs

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

===============

Staying Protected

If you don't have a Anti-Virus I recommend to download these free Anti-Virus programs:
1. Avast!
2. Avira
3. Microsoft Security Essentials

If you don't have a good firewall I recommend these free firewalls:
1. Comodo Firewall
2. Tallemu Online Armor

I recommend using MalwareBytes Anti-Malware for a anti-malware program.

If you don't have a anti-spyware I recommend to download these free programs to help keep you spyware free:
1. SpywareBlaster
2. Spybot - Search & Destroy

Please don't download more than one Anti-virus, firewall, or anti-spyware because they will conflict with each other making your computer slow, data loss, and false results so please just don't do it.

================

Here are some prevention tips:

1. Torrents are a conduit of malware; this is why we highly recommend not using them as chances are extremely high that you will be infected from them.

2. Cracks/warez/keygens are another conduit of malware and are illegal so don't use them.

3. Disable auto-run to prevent auto-run worms from infecting your machine through USB drives.XP or Vista/7

4. Always make sure you have the latest Windows update.

5. Use a Site Advisor so you don't go to sites that will infect you. Web-of-Trust or Mcafee Siteadvisor

6. Also there are many holes and flaws in Internet Explorer I recommend using Firefox or Google Chrome to keep you more safe.

7. Always keep your Java and Adobe Reader updated and all older versions removed to keep clear from exploits.

8. Don't fall for Scareware. What is Scareware? A rogue anti-virus on your system that will scare you into buying their fake software due to false detections.

9. Be sure to always have a firewall and anti-virus installed at all times.

Thanks for choosing GeekPolice, see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

For more information on keeping yourself safe please visit Here

Thank you so much for helping me with this. Your service is invaluable and I really appreciate it. Thank you again.

You're welcome, glad to help.