ZeroAccess or more



jm1223
2012-06-11, 22:20
I was a Spybot user for years until I tried the McAfee Anti-Virus Software (if you call it that) with my DSL service. It found after the fact ZeroAccess. As you know you have to un-install Spybot to run McAfee. So, now ZeroAccess or whatever else is on this PC is blocking McAfee and Windows Firewall. I reloaded Spybot but it didn't find all the problems. Hence I am here for help.
Attached is my DDS Report.
Thanks,
Jack

Ok, I see DDS is screwed up.

Here's my Attach.zip and DDS report:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jack at 15:36:58 on 2012-06-11
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120502063618.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\jack\startm~1\programs\startup\acroba~1.lnk - e:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\jack\startm~1\programs\startup\adxprod.lnk - m:\xcel\AdxProd.xls
StartupFolder: c:\docume~1\jack\startm~1\programs\startup\outloo~1.lnk - c:\program files\outlook express\msimn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - e:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\codeme~1.lnk - c:\program files\codemeter\runtime\bin\CodeMeterCC.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office Outlook 2007.lnk.disabled
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F6C99A06-8442-4196-B396-5CA6B6360D60} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
.scr=DWGTrueViewScriptFile
.
=============== Created Last 30 ================
.
2012-06-11 17:45:10 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b01b6ff-8e09-443c-be04-54d852869568}\offreg.dll
2012-06-11 17:44:52 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b01b6ff-8e09-443c-be04-54d852869568}\MpKslcce9a6c4.sys
2012-06-11 14:41:30 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b01b6ff-8e09-443c-be04-54d852869568}\mpengine.dll
2012-06-11 14:41:30 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-06-11 14:37:16 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-07 12:18:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-06-07 12:18:47 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-01 14:22:39 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2012-06-01 14:22:39 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2012-05-30 13:15:01 -------- d-----w- c:\documents and settings\jack\local settings\application data\Temp
2012-05-30 13:10:36 -------- d-----w- c:\documents and settings\jack\local settings\application data\Google
.
==================== Find3M ====================
.
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-07 11:53:41 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-07 11:53:40 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-21 01:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-20 18:11:32 151880 ----a-w- c:\windows\system32\mfevtps.exe
2001-08-23 11:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 04:42:08 50688 --sh--w- c:\windows\twain_32.dll
2011-02-08 13:33:55 978944 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 04:42:02 57344 -csh--w- c:\windows\system32\msvcirt.dll
2008-04-14 04:42:02 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 04:42:02 343040 --sh--w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32:15 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 04:42:04 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 04:42:34 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST350041 rev.CC38 -> Harddisk1\DR1 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll ACPI.sys SCSIPORT.SYS nvgts.sys
c:\windows\system32\drivers\iomdisk.sys Iomega Corporation Microsoft(R) Windows NT(R) Operating System
c:\windows\system32\drivers\nvgts.sys NVIDIA Corporation NVIDIA nForce(TM) SATA Driver
1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk1\DR1[0x8B62A030]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> [0x8B5CF248]
5 iomdisk[0xBA340BC3] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\0000006b[0x8B610920]
7 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Scsi\nvgts1Port2Path1Target1Lun0[0x8B63C030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 15:37:43.37 ===============

oldman960
2012-06-14, 00:07
Hi jm1223, welcome to the forum.

To make cleaning this machine easier
Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested
Please follow all instructions in the order posted
All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word Wrap if it is checked.
Do not attach any logs/reports, etc. unless specifically requested to do so.
If you have problems with or do not understand the instructions, please ask before continuing.
Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.


Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Double click the aswMBR.exe to run it. If asked to download Avast's database please do so.

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

jm1223
2012-06-14, 18:24
Thanks,
Here's the report. I see it found something in an old update file for my cad program.
I plan to be out of town tomorrow through Monday so there might be a delay in my replies.


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-14 10:45:29
-----------------------------
10:45:29.812 OS Version: Windows 5.1.2600 Service Pack 3
10:45:29.812 Number of processors: 2 586 0x602
10:45:29.812 ComputerName: ALPHA2 UserName: Jack
10:45:33.406 Initialize success
10:48:01.562 AVAST engine defs: 12061400
10:48:46.625 Disk 0 \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0
10:48:46.625 Disk 0 Vendor: ST350041 CC38 Size: 476940MB BusType: 3
10:48:46.625 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Scsi\nvgts1Port2Path1Target1Lun0
10:48:46.625 Disk 1 Vendor: ST350041 CC38 Size: 476940MB BusType: 3
10:48:46.625 Disk 2 \Device\Harddisk2\DR4 -> \Device\0000007a
10:48:46.625 Disk 2 Vendor: Size: 476940MB BusType: 0
10:48:46.640 Disk 1 MBR read successfully
10:48:46.640 Disk 1 MBR scan
10:48:46.656 Disk 1 Windows XP default MBR code
10:48:46.656 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
10:48:46.671 Disk 1 scanning sectors +976752000
10:48:46.750 Disk 1 scanning C:\WINDOWS\system32\drivers
10:49:05.453 Service scanning
10:49:23.734 Service MpKsl531041bb C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B01B6FF-8E09-443C-BE04-54D852869568}\MpKsl531041bb.sys **LOCKED** 32
10:49:32.843 Modules scanning
10:49:37.203 Disk 1 trace - called modules:
10:49:37.218 ntkrnlpa.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll ACPI.sys SCSIPORT.SYS nvgts.sys
10:49:37.218 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8b39dab8]
10:49:37.218 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8b39d020]
10:49:37.218 5 iomdisk.sys[ba340bc3] -> nt!IofCallDriver -> \Device\0000006c[0x8b436968]
10:49:37.218 7 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Scsi\nvgts1Port2Path1Target1Lun0[0x8b435a38]
10:49:41.968 AVAST engine scan C:\WINDOWS
10:49:56.484 AVAST engine scan C:\WINDOWS\system32
10:54:35.484 AVAST engine scan C:\WINDOWS\system32\drivers
10:55:06.406 AVAST engine scan C:\Documents and Settings\Jack
11:10:42.421 AVAST engine scan C:\Documents and Settings\All Users
11:11:53.468 File: C:\Documents and Settings\All Users\Documents\DCad97Update.exe **INFECTED** Win32:CIH-G@dam
11:12:17.515 Scan finished successfully
11:12:44.812 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Jack\Desktop\MBR.dat"
11:12:44.828 The log file has been saved successfully to "C:\Documents and Settings\Jack\Desktop\aswMBR.txt"
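The lines a helper looks for first in the two logs above are the Hosts redirect, DDS's user-mode versus kernel-mode MBR comparison, and aswMBR's **INFECTED** line. The triage pass below is an added example, not part of the thread nor of the DDS or aswMBR tools; the sample log text is constructed from the shape of the lines quoted in this thread, including the "(http://...)" suffix the forum appends when it auto-links a hostname.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of DDS/aswMBR-style lines in the shape seen
# in the thread above, not a full log. The forum auto-link residue on the
# Hosts line is kept on purpose so the parser is shown tolerating it.
SAMPLE_LOG = """\
uStart Page = hxxp://www.yahoo.com/
mWinlogon: Userinit=userinit.exe,
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
Hosts: 127.0.0.1 localhost
TCP: DhcpNameServer = 192.168.1.1
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
11:11:53.468 File: C:\\Documents and Settings\\All Users\\Documents\\DCad97Update.exe **INFECTED** Win32:CIH-G@dam
11:12:17.515 Scan finished successfully
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag for the indicator class
    detail: str  # what was matched, for the analyst
    line: str    # raw log line kept as evidence


# Hostnames that legitimately resolve to the loopback address.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}
LOOPBACK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# DDS prints hosts entries as "Hosts: <address> <hostname>"; anything after the
# hostname (such as the forum's "(http://...)" link residue) is ignored.
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
# aswMBR reports detections as "... File: <path> **INFECTED** <name>".
INFECTED_RE = re.compile(r"File:\s+(.+?)\s+\*\*INFECTED\*\*\s+(\S+)")
# DDS's rootkit section reads the MBR once from user mode and once from the
# kernel; a mismatch means something is filtering one of the reads.
MBR_MISMATCH = "user != kernel MBR"


def triage(log_text: str) -> list[Finding]:
    """Return the security-relevant findings in DDS/aswMBR-style log text."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = HOSTS_RE.match(line)
        if m:
            addr, host = m.groups()
            # A non-loopback name pinned to loopback blocks that site; malware
            # commonly does this to security vendors' and help forums' domains.
            if addr in LOOPBACK_ADDRS and host.lower() not in LOOPBACK_OK:
                findings.append(Finding("hosts-block", f"{host} -> {addr}", line))
            continue

        if MBR_MISMATCH in line:
            findings.append(Finding("mbr-mismatch",
                                    "user-mode and kernel-mode MBR reads differ", line))
            continue

        m = INFECTED_RE.search(line)
        if m:
            path, name = m.groups()
            findings.append(Finding("infected-file", f"{name}: {path}", line))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

The MBR mismatch is only a discrepancy signal; as in the thread, the follow-up is a second opinion from a tool that reads the boot sector a different way (aswMBR here) rather than acting on the DDS line alone.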

oldman960
2012-06-14, 23:37
Hi jm1223,

Thanks for letting me know.


Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that combofix is renamed before it is even started to download


Please download ComboFix from Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Link 2 (http://www.infospyware.net/antimalware/combofix/) to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to "Always ask me where to Save the files".

During the download, before you save it to your desktop, rename Combofix to jgh.exe


It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix



-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

Double click on ComboFix.exe (jgh.exe in your case) & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with
combofix log
How is the computer?

Thanks

oldman960
2012-06-17, 17:59
Hi jm1223,

Still with us?

jm1223
2012-06-18, 14:34
I'm here, as I noted in my last post I was away for the weekend.
I will see how my PC works today and let you know.
Attached is the ComboFix Log
Thanks for the help.


ComboFix 12-06-15.06 - Jack 06/18/2012 7:15.1.2 - x86
Running from: c:\documents and settings\Jack\Desktop\jgh.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Jack\WINDOWS
c:\windows\desktop
c:\windows\desktop\WatView.lnk
c:\windows\system32\SET68C.tmp
c:\windows\system32\SET68D.tmp
c:\windows\system32\SET68E.tmp
c:\windows\system32\UNWISE.EXE
E:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-18 to 2012-06-18 )))))))))))))))))))))))))))))))
.
.
2012-06-17 17:11 . 2012-06-17 17:11 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0B2676B3-801E-47C9-A3BA-9AC3C9E9BB9B}\offreg.dll
2012-06-17 17:11 . 2012-06-17 17:11 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0B2676B3-801E-47C9-A3BA-9AC3C9E9BB9B}\MpKsl3f62bde3.sys
2012-06-17 11:54 . 2012-05-15 06:43 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0B2676B3-801E-47C9-A3BA-9AC3C9E9BB9B}\mpengine.dll
2012-06-13 13:09 . 2010-04-14 01:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2012-06-13 13:09 . 2012-06-13 13:09 -------- d-----w- c:\program files\McAfee Online Backup
2012-06-13 13:08 . 2011-04-11 19:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2012-06-13 13:08 . 2012-06-13 13:08 -------- d-----w- c:\documents and settings\Jack\Local Settings\Application Data\McAfee Anti-Theft
2012-06-13 13:08 . 2012-02-22 18:29 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-06-13 13:07 . 2012-02-22 18:29 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-06-13 13:07 . 2012-02-22 18:29 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-06-13 13:07 . 2012-02-22 18:29 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-06-13 13:07 . 2012-02-22 18:29 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-06-13 13:07 . 2012-02-22 18:29 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-06-13 13:07 . 2012-02-22 18:29 340920 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-06-13 13:07 . 2012-02-22 18:29 180848 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-06-13 13:07 . 2012-06-13 13:08 -------- d-----w- c:\program files\Common Files\Mcafee
2012-06-13 13:07 . 2012-06-13 13:08 -------- d-----w- c:\program files\McAfee
2012-06-13 12:53 . 2012-03-20 18:11 151880 ----a-w- c:\windows\system32\mfevtps.exe
2012-06-13 12:10 . 2012-06-13 12:10 -------- d-----w- c:\documents and settings\Jack\Application Data\pchc
2012-06-12 15:57 . 2012-06-12 15:57 -------- d-----w- c:\documents and settings\Jack\Application Data\FixZeroAccess
2012-06-11 14:41 . 2012-05-15 06:43 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-11 14:41 . 2012-02-23 15:18 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-06-11 14:37 . 2012-06-11 14:37 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-07 12:18 . 2012-06-07 12:18 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-01 14:22 . 2008-04-14 05:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2012-06-01 14:22 . 2008-04-14 05:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2012-05-30 13:15 . 2012-05-30 13:48 -------- d-----w- c:\documents and settings\Jack\Local Settings\Application Data\Temp
2012-05-30 13:15 . 2012-05-30 13:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2012-05-30 13:10 . 2012-05-30 13:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2012-05-30 13:10 . 2012-05-30 13:12 -------- d-----w- c:\documents and settings\Jack\Local Settings\Application Data\Google
2012-05-30 13:10 . 2012-05-30 13:11 -------- d-----w- c:\program files\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2008-04-14 04:41 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-07 11:53 . 2012-04-11 15:28 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-07 11:53 . 2011-05-17 11:48 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14 . 2008-04-13 23:54 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2008-04-14 00:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-21 01:44 . 2012-03-21 01:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2001-08-23 11:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 04:42 50688 --sh--w- c:\windows\twain_32.dll
2011-02-08 13:33 978944 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 04:42 57344 -csh--w- c:\windows\system32\msvcirt.dll
2008-04-14 04:42 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 04:42 343040 --sh--w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 04:42 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 04:42 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn0\yt.dll" [2012-03-21 1523512]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-01-18 160328]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1318816]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
.
c:\documents and settings\Jack\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - e:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
AdxProd.lnk - m:\xcel\AdxProd.xls [2012-6-18 796160]
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe [2010-12-8 845584]
Outlook Express.lnk - c:\program files\Outlook Express\msimn.exe [2010-12-8 60416]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - e:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
CodeMeter Control Center.lnk - c:\program files\CodeMeter\Runtime\bin\CodeMeterCC.exe [2011-7-6 6904208]
Microsoft Office Outlook 2007.lnk.disabled [2012-6-11 2533]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2007-09-27 07:17 90112 -c----w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-27 00:36 30040 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
"HPHmon03"=c:\windows\system32\hphmon03.exe
"Iomega Drive Icons"=e:\program files\Iomega\DriveIcons\ImgIcon.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" -hide -runkey
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-05-30 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 257696]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-06 1684736]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-05-30 136176]
R3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\DRIVERS\mfendisk.sys [2012-02-22 83856]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-02-22 87656]
R3 PaUSB;Panasonic LightPix USB Driver Ver.1.0;c:\windows\system32\Drivers\pausb.sys [2004-12-04 12416]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-04-11 64048]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\DRIVERS\ppa.sys [2001-08-17 17792]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-03-16 13696]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2012-02-22 89792]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-14 54776]
S1 MpKsl3f62bde3;MpKsl3f62bde3;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0B2676B3-801E-47C9-A3BA-9AC3C9E9BB9B}\MpKsl3f62bde3.sys [2012-06-17 29904]
S2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [2011-07-06 2304912]
S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run [x]
S2 HLServer;HL-Server;c:\windows\system32\HLS32SVC.EXE [2003-12-03 327680]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-03-20 161632]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-03-20 151880]
S2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-04-14 229688]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-02-22 57600]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2001-10-25 18864]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-02-22 340920]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\DRIVERS\mfendisk.sys [2012-02-22 83856]
S3 NmPar;PCI Parallel Port;c:\windows\system32\DRIVERS\NmPar.sys [2008-12-24 80256]
S3 nmserial;PCI Serial Port;c:\windows\system32\DRIVERS\nmserial.sys [2008-12-16 70016]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL3F62BDE3
*NewlyCreated* - MPKSL658C6B1A
*Deregistered* - mfeavfk01
*Deregistered* - MpKsl658c6b1a
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-08 c:\windows\Tasks\Adobe Acrobat 6.0 Standard.job
- c:\documents and settings\All Users\Start Menu\Programs\Adobe Acrobat 6.0 Standard.lnk [2010-12-09 11:26]
.
2012-06-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 11:53]
.
2012-06-08 c:\windows\Tasks\AdxProd.job
- m:\xcel\AdxProd.xls [2012-06-18 12:19]
.
2012-06-04 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-14 04:42]
.
2012-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-30 13:10]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-30 13:10]
.
2012-06-08 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
2012-06-08 c:\windows\Tasks\Outlook Express.job
- c:\progra~1\OUTLOO~1\msimn.exe [2010-12-09 04:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
TCP: DhcpNameServer = 192.168.1.1
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Hardlock Device Drivers - c:\windows\system32\UNWISE.EXE
AddRemove-Hardlock Server - c:\windows\system32\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-18 07:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST350041 rev.CC38 -> Harddisk1\DR1 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2012-06-18 07:23:22
ComboFix-quarantined-files.txt 2012-06-18 12:23
.
Pre-Run: 475,544,244,224 bytes free
Post-Run: 476,588,912,640 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 1669E0051B8038AC67BE328D8B662C4B

jm1223
2012-06-18, 21:16
My PC seems to be running good now. A lot faster with programs, and the Internet is back to normal. The only quirk I have is that when I got infected it blocked Windows Security with the Firewall, and Restore would not start. Well, Restore still will not start and it still says: “System Restore is not protecting your computer. Please restart your computer, and then run System Restore again.”
I rebooted a couple of times with no luck. I do see that CF added a Restore
when you do an F8 start, but I'm not sure if it's one and the same.

Any thoughts there?

oldman960
2012-06-18, 22:56
Hi jm1223,

Sorry about that, I forgot you mentioned it.

Please download Farbar Service Scanner (http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/) and save it to the Desktop.
Check the boxes beside these items
Internet Services
System Restore
Windows Firewall
Security Center/Action Center
Windows Updates

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.


Please post back with the
FSS log

jm1223
2012-06-19, 13:53
Here's the FSS Report.
Thanks again.

Farbar Service Scanner Version: 19-06-2012
Ran by Jack (administrator) on 19-06-2012 at 06:50:29
Running from "C:\Documents and Settings\Jack\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Dnscache registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Dnscache registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Dnscache registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
EventSystem Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open EventSystem registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open EventSystem registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open EventSystem registry key. The service key does not exist.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit


**** End of log ****

oldman960
2012-06-19, 17:39
Hi jm1223,

That showed some of the problems. Let's see if there are any others before we attempt to fix this.

I need you to create a batch file.

Open a new Notepad session
Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.

Copy and paste all the text in the code box below into the Notepad.
Do Not copy the word CODE


@echo off
swreg query hklm\system\currentcontrolset\services /s |(
SED -r "/^HK|^ +ImagePath.*-k netsvcs/I!d" |(
SED -r ":a; $!N;s/\n.*\t.*/\t/;ta;P;D" |(
SED -r "/.*\\(.*)\t/!d; s//\1/"
)))>net.txt
Start Notepad net.txt

In the notepad
Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "net.bat"
Click save


You will have a new file on your desktop called net.bat with an icon that looks like this http://forums.whatthetech.com/index.php?act=attach&type=post&id=12470


Double click net.bat to run it. A notepad named net.txt will open, please post its contents.
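The batch file above produces one half of a check that responders do by hand on a ZeroAccess cleanup: the names of every service registered under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath is svchost.exe -k netsvcs, to be set against the netsvcs group value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. A name that appears in the group value but has no service key cannot start, which is the pattern FSS reported above for netman and EventSystem. The Python below is an added example, not part of this thread or of any of the tools named in it: it parses a constructed reg query-style dump (made-up keys, the same text the swreg | sed pipeline works on) into group-to-service sets, and it runs the comparison offline on the data posted later in this thread (the net.txt list and the SystemLook netsvcs value). The allowlist of group members that only exist when an optional component is installed (ASSUMED_OPTIONAL) is an assumption and should be verified against a known-clean XP SP3 machine.

```python
"""Offline check of svchost group membership against the Services hive.

Added example (not from this thread or from any of the tools named in it).
A service listed in a SvcHost group value but with no key under
HKLM\\SYSTEM\\CurrentControlSet\\Services cannot be started by svchost.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed excerpt shaped like `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
# output (the text the batch file pipes from swreg through sed). Made-up sample data;
# real output runs to thousands of lines.
SAMPLE_REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    Type         REG_DWORD        0x20
    Start        REG_DWORD        0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll   REG_EXPAND_SZ    %SystemRoot%\System32\dhcpcsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\spoolsv.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k NetworkService
"""

# Values copied from the logs posted in this thread: the netsvcs group value from the
# SystemLook log, and the service names the batch file wrote to net.txt.
NETSVCS_VALUE = (
    "6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem "
    "FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer "
    "LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent "
    "Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService "
    "Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov "
    "napagent hkmsvc BITS wuauserv ShellHWDetection helpsvc WmdmPmSN"
)
NET_TXT = """AppMgmt AudioSrv BITS Browser CryptSvc Dhcp dmserver ERSvc
FastUserSwitchingCompatibility helpsvc HidServ hkmsvc LanmanServer lanmanworkstation
Messenger napagent Nla NtmsSvc RasAuto RasMan RemoteAccess Schedule seclogon
SharedAccess ShellHWDetection srservice TapiSrv Themes TrkWks W32Time winmgmt Wmi
wscsvc wuauserv WZCSVC xmlprov""".split()

# ASSUMPTION (not from the thread): group members that are only registered when an
# optional component is installed, so their absence alone is not evidence of tampering.
# Verify against a known-clean XP SP3 machine before relying on this list.
ASSUMED_OPTIONAL = frozenset(
    s.lower() for s in ("Ias", "Iprip", "Irmon", "NWCWorkstation", "Nwsapagent", "6to4")
)

_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)
_IMAGEPATH_RE = re.compile(r"^\s*ImagePath\s+REG_\w+\s+(.+)$", re.I)
_GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)


def parse_svchost_services(reg_dump: str) -> Dict[str, Set[str]]:
    """Map lower-cased svchost group name -> service keys whose ImagePath is svchost.exe -k <group>."""
    groups: Dict[str, Set[str]] = {}
    current = None  # top-level service key that the following value lines belong to
    for raw in reg_dump.splitlines():
        line = raw.strip()
        if line.upper().startswith("HKEY_"):
            m = _KEY_RE.match(line)
            current = m.group(1) if m else None  # subkeys such as ...\Parameters reset it
            continue
        m = _IMAGEPATH_RE.match(raw)
        if m and current:
            g = _GROUP_RE.search(m.group(1))
            if g:
                groups.setdefault(g.group(1).lower(), set()).add(current)
    return groups


def missing_group_members(group_value: Iterable[str], registered: Iterable[str]) -> List[str]:
    """Group members with no registered service key (service names are case-insensitive)."""
    have = {s.lower() for s in registered}
    return [name for name in group_value if name.lower() not in have]


def triage(group_value: Iterable[str], registered: Iterable[str],
           optional: frozenset = ASSUMED_OPTIONAL) -> Dict[str, List[str]]:
    """Split missing members into likely deleted keys and plausibly uninstalled components."""
    missing = missing_group_members(group_value, registered)
    return {
        "missing_key": [n for n in missing if n.lower() not in optional],
        "possibly_optional": [n for n in missing if n.lower() in optional],
    }


if __name__ == "__main__":
    print(parse_svchost_services(SAMPLE_REG_DUMP))
    for label, names in triage(NETSVCS_VALUE.split(), NET_TXT).items():
        print(f"{label}: {' '.join(names)}")
```

Run against the thread's own data, missing_key comes back with EventSystem and Netman, which is what FSS flagged independently; Dnscache does not show up in a netsvcs comparison because it belongs to the NetworkService group, so the same comparison has to be repeated for each group value under SvcHost (the parser already keys its result by group). Anything reported under missing_key still needs confirming against a clean machine before a registry fix is written for it.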

jm1223
2012-06-19, 21:28
I found another issue today, which is that other PCs can't see this PC on my network and the Network tools won't run. But I can see the other PCs and open files, and I can also print to my network printer.

Here's the net.txt:

AppMgmt
AudioSrv
BITS
Browser
CryptSvc
Dhcp
dmserver
ERSvc
FastUserSwitchingCompatibility
helpsvc
HidServ
hkmsvc
LanmanServer
lanmanworkstation
Messenger
napagent
Nla
NtmsSvc
RasAuto
RasMan
RemoteAccess
Schedule
seclogon
SharedAccess
ShellHWDetection
srservice
TapiSrv
Themes
TrkWks
W32Time
winmgmt
Wmi
wscsvc
wuauserv
WZCSVC
xmlprov

oldman960
2012-06-19, 22:34
jm1223,

Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and transfer it to the sick computer's desktop.

Disable any script blocking protection
Double click dds.scr to run the tool.
When done, DDS.txt will open. An additional log called Attach.txt should appear minimized on the task bar.
Save both reports to your desktop before closing the DDS window.


Do the same with SystemLook from one of the links below
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield
Do not copy the word CODE; please note the script starts with the :

:reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

jm1223
2012-06-20, 14:51
I wasn't sure if you needed the McAfee and TeaTimer turned off. So they are on.

Here's the DDS report with the attached Attach.zip and the SystemLook report:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jack at 7:34:43 on 2012-06-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3039.2347 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\HLS32SVC.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\CodeMeter\Runtime\bin\CodeMeterCC.exe
E:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120613115349.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"
StartupFolder: c:\docume~1\jack\startm~1\programs\startup\acroba~1.lnk - e:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\jack\startm~1\programs\startup\adobea~1.lnk - e:\program files\adobe\acrobat 6.0\acrobat\Acrobat.exe
StartupFolder: c:\docume~1\jack\startm~1\programs\startup\adxprod.lnk - m:\xcel\AdxProd.xls
StartupFolder: c:\docume~1\jack\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{90120000-0030-0000-0000-0000000ff1ce}\outicon.exe
StartupFolder: c:\docume~1\jack\startm~1\programs\startup\outloo~1.lnk - c:\program files\outlook express\msimn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - e:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\codeme~1.lnk - c:\program files\codemeter\runtime\bin\CodeMeterCC.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office Outlook 2007.lnk.disabled
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F6C99A06-8442-4196-B396-5CA6B6360D60} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2012-6-13 64048]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-2-22 464304]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2010-12-15 17792]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2010-12-8 13696]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2012-6-13 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2012-6-13 54776]
R1 MpKsl67e1f605;MpKsl67e1f605;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\MpKsl67e1f605.sys [2012-6-20 29904]
R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\codemeter\runtime\bin\CodeMeter.exe [2011-7-6 2304912]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 HLServer;HL-Server;c:\windows\system32\HLS32SVC.EXE [2010-12-9 327680]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-6-13 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-6-13 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-6-13 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-6-13 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-6-13 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2012-6-13 161632]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-6-13 151880]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-6-13 57600]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2010-12-16 18864]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2012-6-13 180848]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2012-6-13 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-6-13 340920]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2012-6-13 83856]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2010-12-8 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2010-12-8 70016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-5-30 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-11 257696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-12-8 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-5-30 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2012-6-13 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-6-13 87656]
S3 PaUSB;Panasonic LightPix USB Driver Ver.1.0;c:\windows\system32\drivers\pausb.sys [2010-12-15 12416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
UnknownUnknown MpKslb6704a0f;MpKslb6704a0f; [x]
.
=============== File Associations ===============
.
.scr=DWGTrueViewScriptFile
.
=============== Created Last 30 ================
.
2012-06-20 11:52:32 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\MpKsl67e1f605.sys
2012-06-20 11:47:33 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\offreg.dll
2012-06-20 11:47:05 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\MpKslb6704a0f.sys
2012-06-20 11:27:48 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\MpKslfe0dfddc.sys
2012-06-19 17:14:20 6762896 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\mpengine.dll
2012-06-19 16:49:15 5904 ----a-w- c:\windows\system32\Autoexnt.exe
2012-06-19 16:49:15 2364 ----a-w- c:\windows\system32\1.reg
2012-06-19 16:49:15 2320 ----a-w- c:\windows\system32\Servmess.dll
2012-06-19 16:49:15 175 ----a-w- c:\windows\system32\Autoexnt.bat
2012-06-19 16:49:14 34064 ----a-w- c:\windows\system32\Instexnt.exe
2012-06-18 16:35:23 6737808 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-06-18 13:14:31 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-18 12:14:04 -------- d-sha-r- C:\cmdcons
2012-06-18 12:09:30 518144 ----a-w- c:\windows\SWREG.exe
2012-06-18 12:09:30 256000 ----a-w- c:\windows\PEV.exe
2012-06-18 12:09:30 208896 ----a-w- c:\windows\MBR.exe
2012-06-18 12:09:29 98816 ----a-w- c:\windows\sed.exe
2012-06-13 13:10:02 -------- d-----w- c:\program files\McAfeeMOBK
2012-06-13 13:09:52 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2012-06-13 13:09:39 -------- d-----w- c:\program files\McAfee Online Backup
2012-06-13 13:08:54 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2012-06-13 13:08:46 -------- d-----w- c:\documents and settings\jack\local settings\application data\McAfee Anti-Theft
2012-06-13 13:08:03 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-06-13 13:07:58 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-06-13 13:07:58 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-06-13 13:07:58 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-06-13 13:07:58 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-06-13 13:07:58 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-06-13 13:07:58 340920 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-06-13 13:07:58 180848 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-06-13 13:07:56 -------- d-----w- c:\program files\common files\Mcafee
2012-06-13 13:07:55 -------- d-----w- c:\program files\McAfee.com
2012-06-13 13:07:43 -------- d-----w- c:\program files\McAfee
2012-06-13 12:53:59 151880 ----a-w- c:\windows\system32\mfevtps.exe
2012-06-13 12:10:45 -------- d-----w- c:\documents and settings\jack\application data\pchc
2012-06-12 15:57:35 -------- d-----w- c:\documents and settings\jack\application data\FixZeroAccess
2012-06-11 14:41:30 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-06-11 14:37:16 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-07 12:18:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-06-07 12:18:47 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-01 14:22:39 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2012-06-01 14:22:39 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2012-05-30 13:15:01 -------- d-----w- c:\documents and settings\jack\local settings\application data\Temp
2012-05-30 13:10:36 -------- d-----w- c:\documents and settings\jack\local settings\application data\Google
.
==================== Find3M ====================
.
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-07 11:53:41 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-07 11:53:40 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2001-08-23 11:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 04:42:08 50688 --sh--w- c:\windows\twain_32.dll
2011-02-08 13:33:55 978944 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 04:42:02 57344 -csh--w- c:\windows\system32\msvcirt.dll
2008-04-14 04:42:02 413696 --sh--w- c:\windows\system32\msvcp60.dll
2010-12-20 17:32:15 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 04:42:34 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST350041 rev.CC38 -> Harddisk1\DR1 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll ACPI.sys SCSIPORT.SYS nvgts.sys
c:\windows\system32\drivers\iomdisk.sys Iomega Corporation Microsoft(R) Windows NT(R) Operating System
c:\windows\system32\drivers\nvgts.sys NVIDIA Corporation NVIDIA nForce(TM) SATA Driver
1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk1\DR1[0x8B42E810]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> [0x8B42ED78]
5 iomdisk[0xBA340BC3] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\0000006f[0x8B3E1808]
7 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Scsi\nvgts1Port2Path1Target1Lun0[0x8B3E1A38]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 7:35:35.73 ===============




SystemLook 30.07.11 by jpshortstuff
Log created at 07:40 on 20/06/2012 by Jack
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"HTTPFilter"="HTTPFilter"
"LocalService"="Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
"NetworkService"="DnsCache"
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov napagent hkmsvc BITS wuauserv ShellHWDetection helpsvc WmdmPmSN"
"DcomLaunch"="DcomLaunch TermService"
"rpcss"="RpcSs"
"eapsvcs"="eaphost"
"dot3svc"="dot3svc"
"imgsvc"="StiSvc"
"termsvcs"="TermService"
"WudfServiceGroup"="WUDFSvc"
"WINRM"="WINRM"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\DComLaunch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\dot3svc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\eapsvcs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\PCHealth]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]


-= EOF =-

oldman960
2012-06-21, 02:08
Hi jm1223,

Download the attached zip file, fix.zip and save it to your desktop. Extract the contents to your desktop.

You should now have a file on your desktop named myfix.reg with an icon like this http://img127.imageshack.us/img127/433/regtg8.jpg

Right click the file and click merge. Accept any warnings.

Reboot your computer. Are any of the issues still present?

Rerun Farbar Service Scanner with the same settings as before and post the log.

Thanks

jm1223
2012-06-21, 17:14
No change I can see. The Network Connections won't display and when you refresh you get: Please make sure that the Network Connections Service is enabled and running.
Also the Network Connection Wizard will not start.

The Windows Firewall is on but if you double click on it you get: Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) Service.

Attached is the latest FSS Report:


Farbar Service Scanner Version: 19-06-2012
Ran by Jack (administrator) on 21-06-2012 at 07:27:19
Running from "C:\Documents and Settings\Jack\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit


**** End of log ****

oldman960
2012-06-21, 17:31
Hi jm1223,

Seems I missed adding one to the last fix you ran. Download the attached zip file and run it the same way you ran the last one. When you extract the contents the file will be named netman.reg


After you have completed the above do this. Click start > run. In the run box copy and paste the following and hit enter

services.msc

When the services console opens, scroll down to System Restore Service.
Right click on it and click Properties.
In the Service status box click the Start button.
What error, if any, do you receive?

jm1223
2012-06-21, 19:58
System Restore Service is not there.

I ran a FSS report if it helps.

Farbar Service Scanner Version: 19-06-2012
Ran by Jack (administrator) on 21-06-2012 at 12:56:42
Running from "C:\Documents and Settings\Jack\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit


**** End of log ****

oldman960
2012-06-22, 07:09
Hi jm1223,

Let's give this one more shot. Download the attached zip. Extract the contents; the extracted file is named netman1.reg. Merge it like you did before and reboot. Is the Windows Firewall/Internet Connection Sharing (ICS) Service OK now?

After the reboot please rerun FSS.

In services.msc please tell me what is in the services that start with S

Thanks

jm1223
2012-06-22, 14:56
Now we're getting somewhere. Network Connections are back and I could run the Network Connection Wizard. The Windows Firewall will open now too.
Just the System Restore will not open. Here is the list of "S" services I have:
Secondary Logon: Started
Security Accounts Manager: Started
Sentinel HASP License Manager: Started
Server: Started
Shell Hardware Detection: Started
Smart Card: Manual
SSDP Discovery Service: Started


Here is the latest FSS Report:


Farbar Service Scanner Version: 19-06-2012
Ran by Jack (administrator) on 22-06-2012 at 07:33:21
Running from "C:\Documents and Settings\Jack\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit


**** End of log ****

oldman960
2012-06-22, 18:57
Hi jm1223,


AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
You have multiple antivirus programs running. This will lead to conflicts between the two and leave you with less protection. Since McAfee is a paid-for program and seems current, please uninstall Microsoft Security Essentials.

Open FSS
in the Search box copy and paste Srservice
click the Export Service button
Please post the log.

jm1223
2012-06-22, 20:13
Microsoft Security Essentials Uninstalled and the FSS Report:

After I got the FSS Report I rebooted. Restore still doesn't open, but maybe you know that.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Srservice]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Srservice\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
73,00,72,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Srservice\Enum]
"0"="Root\\LEGACY_SRSERVICE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

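The Srservice export posted above stores ImagePath and ServiceDll as hex(2) values, which is how regedit writes REG_EXPAND_SZ: UTF-16LE bytes, comma separated, wrapped with trailing backslashes. To read what such an export actually says, and to check it against the values a netsvcs-hosted service is supposed to have, the following added Python example (not part of the thread and not part of Farbar Service Scanner) parses the .reg text, decodes the hex-encoded strings and reports any mismatch. The embedded REG_EXPORT is a constructed copy of the export in the post above; the EXPECTED table is an assumption supplied by the reader, not something the tool knows on its own.

```python
"""Decode a regedit .reg export and check a service's registration values.

Added example: parses the text form written by "Export" in regedit / FSS,
decodes dword and hex(2) (REG_EXPAND_SZ, UTF-16LE) values, and compares a
service key against an expected table.
"""
import re

# Constructed copy of the Srservice export posted in the thread.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Srservice]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Srservice\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,72,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Srservice\Enum]
"0"="Root\\LEGACY_SRSERVICE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"""

# Assumed expected registration for the System Restore service as a
# svchost-hosted (netsvcs) service; these are what the posted bytes decode to.
EXPECTED = {
    "Type": 0x20,   # SERVICE_WIN32_SHARE_PROCESS
    "Start": 2,     # SERVICE_AUTO_START
    "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "ServiceDll": r"%SystemRoot%\system32\srsvc.dll",
}


def decode_value(value):
    """Decode one right-hand side of a .reg line into a Python value."""
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    if value.startswith(("hex(1):", "hex(2):")):       # REG_SZ / REG_EXPAND_SZ
        raw = bytes(int(b, 16) for b in value.split(":", 1)[1].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    if value.startswith("hex:"):                         # REG_BINARY
        return bytes(int(b, 16) for b in value[len("hex:"):].split(",") if b)
    if value.startswith('"') and value.endswith('"'):    # quoted REG_SZ
        return value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return value


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: decoded_value}}."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        while line.endswith("\\"):                   # join continuation lines
            line = line[:-1] + next(lines, "").strip()
        name, _, value = line.partition("=")
        keys[current][name.strip('"').lower()] = decode_value(value)
    return keys


def expand_env(value, env):
    """Expand %VAR% references the way REG_EXPAND_SZ is expanded at runtime."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), value)


def check_service(keys, service, expected):
    """Return [(value_name, actual, expected)] for every mismatch or missing value."""
    base = rf"hkey_local_machine\system\currentcontrolset\services\{service}".lower()
    root, params = keys.get(base, {}), keys.get(base + r"\parameters", {})
    actual = {
        "Type": root.get("type"),
        "Start": root.get("start"),
        "ImagePath": root.get("imagepath"),
        "ServiceDll": params.get("servicedll"),
    }
    return [(n, actual[n], expected[n]) for n in expected if actual[n] != expected[n]]


if __name__ == "__main__":
    parsed = parse_reg(REG_EXPORT)
    for name, actual, wanted in check_service(parsed, "Srservice", EXPECTED):
        print(f"MISMATCH {name}: got {actual!r}, expected {wanted!r}")
    path = parsed[r"hkey_local_machine\system\currentcontrolset\services\srservice\parameters"]
    print("ServiceDll resolves to", expand_env(path["servicedll"], {"SystemRoot": r"C:\WINDOWS"}))
```

An empty result from check_service is the same verdict FSS gives when it prints "The ImagePath of Srservice service is OK" and "The ServiceDll of Srservice service is OK"; a missing key shows up as None in the findings, which is the state the netman service was in earlier in this thread.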
oldman960
2012-06-23, 10:05
Hi jm1223,

The service seems to be damaged. Download the attached zip file and extract its contents. The extracted file is named srservice.reg. Right click it and merge it like you did with the others.

Reboot the computer. Does System Restore Service now appear in services.msc? If it does right click it and click properties. Make sure the service status is running.

jm1223
2012-06-25, 14:01
I don't seem to have the attachment.

oldman960
2012-06-25, 14:57
Hi jm1223,

I don't see it there either. I'm sure I attached it. I'll post it as soon as I get home, in about 2 hours.

oldman960
2012-06-25, 17:03
Hi jm1223,

Here you go.

jm1223
2012-06-25, 22:54
You got it, it's back.
Thank you for your help. :bigthumb:

oldman960
2012-06-26, 00:37
Hi jm1223,

Good. Is the service status of System Restore running?

Let's take care of any remnants if there are any.

Your Java is out of date. Click your start button, open Control Panel.
Locate the Java icon (it looks like a coffee cup)
double click it to open it
click the Update tab
Click update now
Decline any toolbars offered during the update.

After the java is updated, reboot your computer if not prompted to.

Next

Download and save to your desktop Malwarebytes Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.


One more scan to check for stragglers.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Go here to run an online scanner from
ESET (http://www.eset.eu/online-scanner)

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)


Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
Click Start
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
Click Scan.
Wait for the scan to finish.
When the scan completes, click List of found threats
click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
Include the contents of this report in your next reply

Note - when ESET doesn't find any threats, no report will be created.

Push the back button.
Push Finish
Re-enable your Antivirus software.


Please post back with
MBAM log
ESET log if there was one
Any issues?

jm1223
2012-06-26, 19:44
The System Restore is running. ESET Found No threats.
I think we got it all. I see MBAM starts up on reboot. Should I let this run?
Thanks again.

Here is the MBAM Report:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.26.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jack :: ALPHA2 [administrator]

Protection: Enabled

6/26/2012 8:48:13 AM
mbam-log-2012-06-26 (08-48-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 247741
Time elapsed: 10 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

oldman960
2012-06-27, 17:27
Hi jm1223,


I see MBAM starts up on reboot. Should I let this run?
You have the Trial version of MBAM and most likely clicked the button to activate it. The trial version will run with all the features of the paid version for 30 days (I think) after which time it will revert to the free version. The free version does not have real time scanning but is a good program to have.

You can allow MBAM to run during the trial period. You may find that you like the program and wish to purchase it. It is very reasonably priced and the fee is a one-time fee. Either way I recommend that you keep the program, keep it updated and run a scan on a weekly basis.

Please note that MBAM is not a replacement for your antivirus program but rather a complement to it.

From the logs it does appear we have your computer cleaned up. We can now clean up the tools we used.

From your desktop, please delete, if present
any notepads/logs that we created
DDS
mbr.zip
mbr.dat
aswMBR.exe
FSS
net.bat
net.txt
SystemLook
fix.zip
myfix.reg
fix1.zip
netman.reg
fix2.zip
netman1.reg
fix3.zip
srservice.reg


Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK
Combofix /uninstall

I suggest you keep MBAM. Keep it updated and use it regularly.

You can also keep TFC, it's a very good temporary file cleaner.

Updates

Adobe Acrobat and Adobe Reader

You have an older version of Adobe installed. The Adobe Reader portion of the program is vulnerable to exploits. If you do not use Adobe Acrobat for creating PDF files you can uninstall the complete program. It must be uninstalled starting with the latest update and working backwards.

Adobe Acrobat and Reader 6.0.6 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Standard

You do have the current version of Adobe Reader, Adobe Reader X (10.1.3), installed. Uninstalling the old version will not affect it. However, if you have saved any PDF files in the older version's folders you should move them to a different folder before uninstalling.

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You have those.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

- Make sure you have reset Automatic Updates to your chosen option. Click your start button > Control Panel > System > Automatic Updates tab

- Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE (http://forums.whatthetech.com/Preventing_Malware_Tools_Practices_Safe_Computing_t98700.html)

Please post back if you have any problems.

Take care

oldman960
2012-07-02, 20:55
Since this issue appears to be resolved ... this Topic has been closed.