TechSpot

Help with rootkey virus - following the 7 steps

By SCmember
Jun 6, 2011
  1. I have picked up a nasty virus that AVAST is calling rootkey - the error msg is:

    MBR:\\.\PhysicalDrive0

    I have obviously attempted antivirus scans, bootscans, malware scans to no avail. Coming across your forum and the 7-step Viruses/Spyware/Malware Preliminary Removal Instructions, I am now hoping to find the help I need here.

    I have completed STEPS 1, 2 & 3, pasting my GMER log below.

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-06 11:37:00
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HDS721075KLA330 rev.GK8OA97A
    Running: gmer.exe; Driver: C:\DOCUME~1\owner\LOCALS~1\Temp\kxtdapoc.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA0751BF2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA0751A5D]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA07A9902]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A5FF53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A5FF53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A5FF53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A5FF53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A5FF53B
    Device aswSP.SYS (avast! self protection module/AVAST Software)
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
  2. SCmember (TS Rookie, Topic Starter)

    dds.log and attach.log

    .
    DDS (Ver_2011-06-03.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Run by owner at 11:52:51 on 2011-06-06
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2656 [GMT -4:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Vid HD\Vid.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Encore\Common\RaUI.exe
    C:\Program Files\Encore\Common\RegistryWriter.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
    mDefault_Page_URL = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\encore~1.lnk - c:\program files\encore\common\RaUI.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    IE: Free YouTube Download - c:\documents and settings\owner\application data\dvdvideosoftiehelpers\freeyoutubedownload.htm
    IE: Free YouTube to MP3 Converter - c:\documents and settings\owner\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    TCP: Interfaces\{0D9932C2-E208-431B-A4D8-83AC2A2D47CC} : DhcpNameServer = 192.168.2.1
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    Notify: igfxcui - igfxdev.dll
    Notify: itlntfy - itlnfw32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 64.34.212.90 www.google.com
    Hosts: 64.34.212.90 www.google.com.au
    Hosts: 64.34.212.90 www.google.be
    Hosts: 64.34.212.90 www.google.com.br
    Hosts: 64.34.212.90 www.google.ca
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\hm48fgqk.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - search
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60283
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\hm48fgqk.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\RadioWMPCoreGecko19.dll
    FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: DVDVideoSoftTB Community Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
    FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-5 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-5 307928]
    R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2011-2-19 1872320]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-5 19544]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-4-5 42184]
    R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\belkin\belkin usb print and storage center\BkBackupScheduler.exe [2010-5-16 152064]
    R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\belkin\belkin usb print and storage center\Bkapcs.exe [2010-5-16 49152]
    R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\encore\common\RegistryWriter.exe [2010-5-13 75040]
    R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2010-5-16 246936]
    S0 cerc6;cerc6; [x]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-9 136176]
    S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2008-4-13 14336]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-5-13 1684736]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-9 136176]
    S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [2010-5-13 16512]
    S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-5-13 719616]
    .
    =============== Created Last 30 ================
    .
    2011-05-18 11:18:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-15 01:07:27 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-05-15 01:07:26 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-05-15 01:07:26 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-05-15 01:07:26 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    .
    ==================== Find3M ====================
    .
    2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_HDS721075KLA330 rev.GK8OA97A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5FF6F0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a605a10]; MOV EAX, [0x8a605a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A680AB8]
    3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000068[0x8A6E7508]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A63E940]
    \Driver\atapi[0x8A6A8A08] -> IRP_MJ_CREATE -> 0x8A5FF6F0
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A5FF53B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 11:54:33.95 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-03.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/13/2010 12:55:18 PM
    System Uptime: 6/6/2011 9:35:50 AM (2 hours ago)
    .
    Motherboard: Dell Inc. | | 0G679R
    Processor: Intel Pentium III Xeon processor | Socket 775 | 2792/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 699 GiB total, 682.545 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP151: 3/8/2011 5:27:47 PM - Installed Windows KB954550-v5.
    RP152: 3/8/2011 5:27:52 PM - Printer Driver Microsoft XPS Document Writer Installed
    RP153: 3/8/2011 5:27:59 PM - Printer Driver Microsoft XPS Document Writer Installed
    RP154: 3/9/2011 3:00:12 AM - Software Distribution Service 3.0
    RP155: 3/10/2011 3:00:12 AM - Software Distribution Service 3.0
    RP156: 3/11/2011 3:00:16 AM - Software Distribution Service 3.0
    RP157: 3/12/2011 3:29:02 AM - System Checkpoint
    RP158: 3/13/2011 4:29:16 AM - System Checkpoint
    RP159: 3/14/2011 5:29:16 AM - System Checkpoint
    RP160: 3/15/2011 8:40:14 AM - System Checkpoint
    RP161: 3/16/2011 3:00:12 AM - Software Distribution Service 3.0
    RP162: 3/17/2011 3:01:12 AM - System Checkpoint
    RP163: 3/18/2011 3:58:51 AM - System Checkpoint
    RP164: 3/19/2011 4:58:55 AM - System Checkpoint
    RP165: 3/20/2011 4:59:03 AM - System Checkpoint
    RP166: 3/21/2011 5:59:03 AM - System Checkpoint
    RP167: 3/22/2011 6:47:03 AM - System Checkpoint
    RP168: 3/23/2011 8:18:25 AM - System Checkpoint
    RP169: 3/23/2011 2:11:00 PM - Installed Windows Media Player 11
    RP170: 3/23/2011 2:11:28 PM - Software Distribution Service 3.0
    RP171: 3/24/2011 3:00:12 AM - Software Distribution Service 3.0
    RP172: 3/25/2011 3:18:31 AM - System Checkpoint
    RP173: 3/26/2011 4:18:31 AM - System Checkpoint
    RP174: 3/27/2011 4:35:14 AM - System Checkpoint
    RP175: 3/28/2011 5:35:14 AM - System Checkpoint
    RP176: 3/29/2011 6:35:14 AM - System Checkpoint
    RP177: 3/30/2011 7:33:56 AM - System Checkpoint
    RP178: 3/31/2011 9:55:48 AM - System Checkpoint
    RP179: 4/1/2011 10:33:56 AM - System Checkpoint
    RP180: 4/3/2011 11:04:16 PM - System Checkpoint
    RP181: 4/4/2011 11:15:49 PM - System Checkpoint
    RP182: 4/5/2011 3:12:54 PM - Installed AVG 2011
    RP183: 4/5/2011 3:16:04 PM - Installed AVG 2011
    RP184: 4/5/2011 3:16:16 PM - Removed AVG 2011
    RP185: 4/5/2011 3:26:52 PM - Installed AVG 2011
    RP186: 4/5/2011 3:34:19 PM - Installed AVG 2011
    RP187: 4/5/2011 3:34:31 PM - Removed AVG 2011
    RP188: 4/5/2011 3:48:06 PM - Removed Symantec AntiVirus
    RP189: 4/5/2011 4:24:39 PM - avast! Free Antivirus Setup
    RP190: 4/5/2011 5:32:23 PM - Restore Operation
    RP191: 4/5/2011 6:55:12 PM - Removed Ask Toolbar.
    RP192: 4/5/2011 6:57:58 PM - Removed Skype Toolbars
    RP193: 4/5/2011 6:58:23 PM - Removed Symantec AntiVirus
    RP194: 4/5/2011 7:13:38 PM - avast! Free Antivirus Setup
    RP195: 4/6/2011 7:38:06 PM - System Checkpoint
    RP196: 4/7/2011 8:38:03 PM - System Checkpoint
    RP197: 4/8/2011 10:56:03 PM - System Checkpoint
    RP198: 4/9/2011 11:38:02 PM - System Checkpoint
    RP199: 4/11/2011 1:51:03 AM - System Checkpoint
    RP200: 4/12/2011 1:56:48 AM - System Checkpoint
    RP201: 4/13/2011 1:57:04 AM - System Checkpoint
    RP202: 4/14/2011 3:00:13 AM - Software Distribution Service 3.0
    RP203: 4/15/2011 3:00:16 AM - Software Distribution Service 3.0
    RP204: 4/16/2011 3:23:59 AM - System Checkpoint
    RP205: 4/17/2011 4:23:59 AM - System Checkpoint
    RP206: 4/18/2011 5:23:59 AM - System Checkpoint
    RP207: 4/19/2011 6:38:29 AM - System Checkpoint
    RP208: 4/20/2011 6:57:43 AM - System Checkpoint
    RP209: 4/21/2011 7:49:18 AM - System Checkpoint
    RP210: 4/22/2011 10:02:19 AM - System Checkpoint
    RP211: 4/25/2011 9:10:39 AM - System Checkpoint
    RP212: 4/26/2011 9:59:17 AM - System Checkpoint
    RP213: 4/27/2011 11:02:36 AM - System Checkpoint
    RP214: 4/28/2011 3:00:12 AM - Software Distribution Service 3.0
    RP215: 4/29/2011 3:58:24 AM - System Checkpoint
    RP216: 4/30/2011 4:58:24 AM - System Checkpoint
    RP217: 5/1/2011 5:02:15 AM - System Checkpoint
    RP218: 5/2/2011 6:02:15 AM - System Checkpoint
    RP219: 5/3/2011 7:02:15 AM - System Checkpoint
    RP220: 5/3/2011 9:31:29 PM - Removed Skype™ 5.1
    RP221: 5/4/2011 9:47:27 PM - System Checkpoint
    RP222: 5/5/2011 9:50:42 PM - System Checkpoint
    RP223: 5/7/2011 8:47:23 AM - Restore Operation
    RP224: 5/8/2011 9:04:30 AM - System Checkpoint
    RP225: 5/9/2011 9:13:36 AM - System Checkpoint
    RP226: 5/10/2011 9:20:15 AM - System Checkpoint
    RP227: 5/11/2011 9:22:59 AM - System Checkpoint
    RP228: 5/12/2011 12:57:25 PM - System Checkpoint
    RP229: 5/13/2011 1:25:31 PM - System Checkpoint
    RP230: 5/14/2011 2:00:49 PM - System Checkpoint
    RP231: 5/15/2011 3:00:49 PM - System Checkpoint
    RP232: 5/16/2011 4:06:49 PM - System Checkpoint
    RP233: 5/17/2011 5:44:15 PM - System Checkpoint
    RP234: 5/18/2011 5:46:08 PM - System Checkpoint
    RP235: 5/20/2011 9:10:29 AM - System Checkpoint
    RP236: 5/21/2011 10:51:01 AM - System Checkpoint
    RP237: 5/22/2011 11:43:40 AM - System Checkpoint
    RP238: 5/23/2011 12:43:40 PM - System Checkpoint
    RP239: 5/24/2011 1:43:40 PM - System Checkpoint
    RP240: 5/25/2011 1:43:52 PM - System Checkpoint
    RP241: 5/26/2011 2:43:52 PM - System Checkpoint
    RP242: 5/27/2011 9:15:07 PM - System Checkpoint
    RP243: 5/30/2011 12:05:28 PM - System Checkpoint
    RP244: 5/31/2011 1:03:22 PM - System Checkpoint
    RP245: 6/1/2011 2:37:24 PM - System Checkpoint
    RP246: 6/2/2011 4:48:56 PM - System Checkpoint
    RP247: 6/3/2011 5:24:56 PM - System Checkpoint
    RP248: 6/4/2011 7:48:56 PM - System Checkpoint
    RP249: 6/5/2011 8:24:56 PM - System Checkpoint
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 64.34.212.90 www.google.com
    Hosts: 64.34.212.90 www.google.com.au
    Hosts: 64.34.212.90 www.google.be
    Hosts: 64.34.212.90 www.google.com.br
    Hosts: 64.34.212.90 www.google.ca
    Hosts: 64.34.212.90 www.google.ch
    Hosts: 64.34.212.90 www.google.de
    Hosts: 64.34.212.90 www.google.dk
    Hosts: 64.34.212.90 www.google.fr
    Hosts: 64.34.212.90 www.google.ie
    Hosts: 64.34.212.90 www.google.it
    Hosts: 64.34.212.90 www.google.co.jp
    Hosts: 64.34.212.90 www.google.nl
    Hosts: 64.34.212.90 www.google.no
    Hosts: 64.34.212.90 www.google.co.nz
    Hosts: 64.34.212.90 www.google.pl
    Hosts: 64.34.212.90 www.google.se
    Hosts: 64.34.212.90 www.google.co.uk
    Hosts: 64.34.212.90 www.google.co.za
    Hosts: 64.34.212.90 www.bing.com
    Hosts: 64.34.212.90 search.yahoo.com
    Hosts: 64.34.212.90 uk.search.yahoo.com
    Hosts: 64.34.212.90 ca.search.yahoo.com
    Hosts: 64.34.212.90 de.search.yahoo.com
    Hosts: 64.34.212.90 fr.search.yahoo.com
    Hosts: 64.34.212.90 au.search.yahoo.com
    Hosts: 64.34.212.90 www.google-analytics.com
    .
    ==== Installed Programs ======================
    .
    a-squared Free 4.5
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.4
    avast! Free Antivirus
    Belkin Daily DJ
    Belkin Music Labeler
    Belkin Setup and Router Monitor
    Belkin USB Print and Storage Center
    CCleaner
    CDDRV_Installer
    CleanUp!
    Conexant D850 56K V.9x DFVc Modem
    Encore 802.11n Wireless Adapter ENUWI-N3
    Fotosizer 1.31
    Free Studio version 5.0.6
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    Java Auto Updater
    Java(TM) 6 Update 23
    KhalSetup
    KONICA MINOLTA magicolor 2430DL
    LiveUpdate 3.1 (Symantec Corporation)
    Logitech Desktop Messenger
    Logitech SetPoint
    Logitech Vid HD
    Logitech Webcam Software
    Logitech Webcam Software Driver Package
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office 2000 SR-1 Premium
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.17)
    Music Mover
    Nero OEM
    PowerDVD
    QuickBooks Pro Edition 2004
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB980182)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Yahoo! BrowserPlus 2.9.8
    Yahoo! Messenger
    Yahoo! Software Update
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/6/2011 7:29:52 AM, error: Dhcp [1008] - Your computer was unable to initialize a Network Interface attached to the system. The error code is: Insufficient system resources exist to complete the requested service. .
    6/1/2011 6:52:26 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0024E8128A7D. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    6/1/2011 6:52:24 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0024E8128A7D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    6/1/2011 6:28:12 AM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0024E8128A7D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    5/30/2011 7:29:04 PM, error: Service Control Manager [7023] - The Intel CPU service terminated with the following error: The specified module could not be found.
    .
    ==== End Of File ===========================
  3. SCmember

    SCmember TS Rookie Topic Starter

    malware log

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6701

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/6/2011 11:21:33 AM
    mbam-log-2011-06-06 (11-21-33).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 195053
    Time elapsed: 16 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

Welcome to TechSpot! You do have a rootkit, and the hosts file has been hijacked.

    Please download MBRCheck and save to your desktop
• Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      [o] Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      [o] Found non-standard or infected MBR.
      [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log with a name similar to MBRCheck_07.16.10_00.32.33.txt, which varies with the date and time.
    • Paste this log to your next message.
    ==========================================
    Please print the following before you start:
    You will need to do a DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

• [1]. Shut down your computer, and any other computer connected to your router.
  [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  [3]. Unplug the router. Wait sixty seconds.
  [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  [5]. With the router unplugged, start your computer.
  [6]. Connect to the router again, then turn the router back on.
  [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    ========================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.
• Click on Yes, to continue scanning for malware
• If Combofix asks you to update the program, allow
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Close any open browsers.
• Double click combofix.exe & follow the prompts to run.
• When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please follow the order of these scans.
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  5. SCmember

    SCmember TS Rookie Topic Starter

    Thanks Bobbye, starting the scans now. Will paste logs when completed.
  6. SCmember

    SCmember TS Rookie Topic Starter

    MBR Check Log

    Am posting this log and will then proceed with DNS flush. Be back shortly.




    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000000fc

    Kernel Drivers (total 129):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0x8A68D000 \WINDOWS\system32\KDCOM.DLL
    0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0B8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA5AA000 dmload.sys
    0xB9F23000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA0C8000 VolSnap.sys
    0xB9F0B000 atapi.sys
    0xBA0D8000 disk.sys
    0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9EEB000 fltMgr.sys
    0xB9ED9000 sr.sys
    0xB9EC2000 KSecDD.sys
    0xB9E35000 Ntfs.sys
    0xB9E08000 NDIS.sys
    0xB9DEE000 Mup.sys
    0xBA1E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB973A000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xB9726000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB96E9000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xBA380000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB96C5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA3B0000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB969D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB9669000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
    0xB9646000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB9547000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
    0xB94A0000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xBA3C0000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA3C8000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xBA1F8000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA208000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA2C8000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA74A000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xB6E9A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB9D4F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xAF63E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA198000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA4A0000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xAF62D000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA1A8000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA378000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA390000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xAF5FD000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA1B8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xB6C97000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB6C77000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA5CE000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xAF59F000 \SystemRoot\system32\DRIVERS\update.sys
    0xB9D53000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xAF564000 \SystemRoot\system32\DRIVERS\sxuptp.sys
    0xBA1D8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB168C000 \SystemRoot\system32\drivers\MODEMCSA.sys
    0xB82E2000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5DC000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x9EF3B000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0x9EF17000 \SystemRoot\system32\drivers\portcls.sys
    0xB82D2000 \SystemRoot\system32\drivers\drmk.sys
    0xBA5E8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA7B3000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5EA000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA418000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA428000 \SystemRoot\System32\drivers\vga.sys
    0xBA5F2000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5EE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA438000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA458000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB046F000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0x9EEE4000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0x9EE8B000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB82B2000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xB82A2000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x9EE63000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xBA3D0000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x9EE41000 \SystemRoot\System32\drivers\afd.sys
    0xB8292000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x9EE16000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x9EDA6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xB8282000 \SystemRoot\System32\Drivers\Fips.SYS
    0x9ED5C000 \SystemRoot\System32\Drivers\aswSP.SYS
    0x9ECEC000 \SystemRoot\System32\Drivers\aswSnx.SYS
    0xB3711000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xBA59C000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xB6E7A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xB6E6A000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBA3F0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xBA55C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xB1690000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x9E67C000 \SystemRoot\system32\DRIVERS\lvuvc.sys
    0x9E661000 \SystemRoot\system32\DRIVERS\lvpopflt.sys
    0xB6E5A000 \SystemRoot\system32\drivers\usbaudio.sys
    0x9E621000 \SystemRoot\system32\DRIVERS\lvrs.sys
    0x9E609000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA61C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xBA580000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA490000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA70F000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF058000 \SystemRoot\System32\igxpdv32.DLL
    0xBF2E8000 \SystemRoot\System32\igxpdx32.DLL
    0xBF691000 \SystemRoot\System32\ATMFD.DLL
    0x9E5ED000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xB6C87000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0x9E405000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x9E3C2000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0x9E245000 \SystemRoot\system32\drivers\wdmaud.sys
    0x9E312000 \SystemRoot\system32\drivers\sysaudio.sys
    0x9DCC8000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0x9D7B4000 \SystemRoot\system32\DRIVERS\srv.sys
    0x9D8CD000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xB36E9000 \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
    0x9D51B000 \SystemRoot\System32\Drivers\HTTP.sys
    0xBA468000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0x9CD8A000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 52):
    0 System Idle Process
    4 System
    684 C:\WINDOWS\system32\smss.exe
    748 csrss.exe
    772 C:\WINDOWS\system32\winlogon.exe
    820 C:\WINDOWS\system32\services.exe
    832 C:\WINDOWS\system32\lsass.exe
    1012 C:\WINDOWS\system32\svchost.exe
    1088 svchost.exe
    1188 C:\WINDOWS\system32\svchost.exe
    520 svchost.exe
    700 svchost.exe
    1048 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    1580 C:\WINDOWS\system32\spoolsv.exe
    2032 C:\WINDOWS\explorer.exe
    600 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    664 C:\WINDOWS\system32\igfxtray.exe
    744 C:\WINDOWS\system32\hkcmd.exe
    1300 C:\WINDOWS\system32\igfxpers.exe
    1408 C:\WINDOWS\RTHDCPL.EXE
    1372 C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
    1404 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1464 C:\WINDOWS\system32\igfxsrvc.exe
    1556 C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    1600 C:\Program Files\AVAST Software\Avast\AvastUI.exe
    1776 C:\WINDOWS\system32\ctfmon.exe
    1784 C:\Program Files\Logitech\Vid HD\Vid.exe
    1916 C:\Program Files\Encore\Common\RaUI.exe
    1872 C:\Program Files\Belkin\Belkin USB Print and Storage Center\Connect.exe
    1896 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    2000 C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    1748 C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
    1940 C:\Program Files\Logitech\SetPoint\SetPoint.exe
    516 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    2240 svchost.exe
    2280 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    2428 C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
    2836 C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
    3040 C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
    3492 C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe
    3620 C:\Program Files\Google\Update\GoogleUpdate.exe
    3692 C:\Program Files\Java\jre6\bin\jqs.exe
    4012 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    452 C:\Program Files\Encore\Common\RegistryWriter.exe
    2084 C:\WINDOWS\system32\svchost.exe
    2196 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    3668 C:\WINDOWS\system32\svchost.exe
    3504 C:\WINDOWS\system32\wscntfy.exe
    3932 C:\Program Files\Internet Explorer\iexplore.exe
    2788 C:\Program Files\Internet Explorer\iexplore.exe
    456 C:\Program Files\Internet Explorer\iexplore.exe
    1728 C:\Documents and Settings\owner\Local Settings\Temporary Internet Files\Content.IE5\VDV8O640\MBRCheck[1].exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: HitachiHDS721075KLA330, Rev: GK8OA97A

    Size Device Name MBR Status
    --------------------------------------------
    698 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
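The MBRCheck step earlier in the thread, and the log just posted, come down to two checks on the first disk sector: is the 0x55AA boot signature present, and does the boot code match known Windows XP code (the "Windows XP MBR code detected" / SHA1 line). The following added Python example, which is not MBRCheck's code or anything from this thread, does those checks on a constructed sample sector and decodes the partition table so the first partition's byte offset can be compared with the "at offset 0x7e00" line in the log. Assumptions: the SHA-1 is taken over the 440-byte boot-code region only (so it is stable across disks with different partition layouts), and the known-good hash set is a placeholder to be filled from a clean install of the same OS.

```python
"""Parse and fingerprint a 512-byte Master Boot Record.

Added example for this thread (not MBRCheck's own code). It verifies the
boot signature, hashes the boot-code region, and decodes the partition
table. The known-good hash set is a placeholder; real values must come
from a clean install of the same Windows version.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot loader code
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow the disk signature
PART_ENTRY_LEN = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"

# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, a SHA-1 of the boot code, and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = PART_ENTRY.unpack_from(sector, off)
        if ptype == 0 and sectors == 0:
            continue  # empty table slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            # byte offset of the partition on disk; LBA 63 gives 0x7E00 as in the MBRCheck log
            "byte_offset": lba_start * SECTOR_SIZE,
        })
    return {
        "valid_signature": sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
        "code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def assess(info: dict, known_good: set) -> str:
    """Classify a parsed MBR: 'invalid', 'known-good', or 'unknown' (needs manual comparison)."""
    if not info["valid_signature"]:
        return "invalid"
    if info["code_sha1"] in known_good:
        return "known-good"
    return "unknown"


def read_mbr_from_device(path=r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk device (needs administrator rights on Windows)."""
    with open(path, "rb", buffering=0) as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample sector: one bootable NTFS partition starting at LBA 63.

    The boot code is a stub (a few plausible opening bytes then zeros), not real
    Windows code, and the disk signature and sector count are made up.
    """
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + bytes(BOOT_CODE_LEN - 7)
    disk_signature = b"\x11\x22\x33\x44" + b"\x00\x00"   # constructed
    table = PART_ENTRY.pack(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1465144002)
    table += bytes(PART_ENTRY_LEN * 3)                     # three empty slots
    sector = code + disk_signature + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


if __name__ == "__main__":
    # Placeholder allowlist: fill with hashes taken from a known-clean install.
    KNOWN_GOOD_XP_CODE = set()
    info = parse_mbr(build_sample_mbr())
    print("boot signature:", "present" if info["valid_signature"] else "MISSING")
    print("boot code SHA1:", info["code_sha1"])
    for p in info["partitions"]:
        print(f"  partition {p['index']}: type 0x{p['type']:02x} bootable={p['bootable']} "
              f"starts at byte offset 0x{p['byte_offset']:x}")
    print("verdict:", assess(info, KNOWN_GOOD_XP_CODE))
```

A bootkit such as the TDL4 code GMER flagged earlier in the thread overwrites the boot-code region while keeping the partition table and 0x55AA signature intact, which is why the hash comparison, not the signature check, is the part that catches it.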
  7. SCmember

    SCmember TS Rookie Topic Starter

    Combofix log

    ComboFix 11-06-03.02 - owner 06/06/2011 13:34:16.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2949 [GMT -4:00]
    Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\owner\Application Data\Best Malware Protection
    c:\documents and settings\owner\Application Data\Best Malware Protection\cookies.sqlite
    c:\documents and settings\owner\Application Data\PriceGong
    c:\documents and settings\owner\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\owner\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\owner\Recent\ANTIGEN.tmp
    c:\documents and settings\owner\Recent\CLSV.tmp
    c:\documents and settings\owner\Recent\eb.tmp
    c:\documents and settings\owner\Recent\PE.tmp
    c:\documents and settings\owner\Recent\runddlkey.tmp
    c:\documents and settings\owner\Recent\SM.tmp
    c:\documents and settings\owner\Recent\tjd.tmp
    c:\windows\system32\drivers\etc\lmhosts
    c:\windows\system32\pthreadVC.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_ITLPERF
    -------\Legacy_NPF
    -------\Service_itlperf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-19 03:37 . 2011-05-19 03:37 -------- d-----w- c:\program files\QuickTime
    2011-05-18 11:18 . 2011-05-18 11:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-17 16:55 . 2011-05-17 16:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-05-15 01:07 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-05-15 01:07 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-05-15 01:07 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-05-15 01:07 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-05-08 16:11 . 2011-05-08 16:11 -------- d-----w- c:\program files\Common Files\Adobe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-10 12:10 . 2011-04-05 23:13 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:10 . 2011-04-05 23:13 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-10 12:03 . 2011-04-05 23:13 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 12:03 . 2011-04-05 23:14 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-10 12:02 . 2011-04-05 23:13 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-10 12:02 . 2011-04-05 23:13 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-05-10 12:02 . 2011-04-05 23:13 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-05-10 11:59 . 2011-04-05 23:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-10 11:59 . 2011-04-05 23:13 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-05-10 11:59 . 2011-04-05 23:14 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
    "Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
    "RTHDCPL"="RTHDCPL.EXE" [2009-06-12 17887232]
    "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-05-19 421888]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Encore Wireless Utility.lnk - c:\program files\Encore\Common\RaUI.exe [2010-5-13 1662976]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2011-1-4 67128]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-1-4 688128]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-12-6 724992]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Belkin\\Belkin USB Print and Storage Center\\Connect.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "19540:UDP"= 19540:UDP:SXUPTP
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/5/2011 7:13 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/5/2011 7:14 PM 307928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/5/2011 7:14 PM 19544]
    R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [5/16/2010 2:49 PM 152064]
    R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [5/16/2010 2:49 PM 49152]
    R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [5/16/2010 2:49 PM 246936]
    S0 cerc6;cerc6; [x]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/9/2011 6:46 PM 136176]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/13/2010 1:19 PM 1684736]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/9/2011 6:46 PM 136176]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    itlsvc REG_MULTI_SZ itlperf
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc243d9c02d2dc.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-09 22:46]
    .
    2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-09 22:46]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
    mStart Page = hxxp://www.yahoo.com
    IE: Free YouTube Download - c:\documents and settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
    IE: Free YouTube to MP3 Converter - c:\documents and settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.2.1
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\hm48fgqk.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60283
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: DVDVideoSoftTB Community Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
    FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    Notify-itlntfy - itlnfw32.dll
    Notify-NavLogon - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-06 13:46
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_HDS721075KLA330 rev.GK8OA97A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A64A53B
    user & kernel MBR OK
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(776)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'lsass.exe'(836)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(3088)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Encore\Common\RegistryWriter.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Belkin\Belkin USB Print and Storage Center\connect.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    c:\program files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
    c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    .
    **************************************************************************
    .
    Completion time: 2011-06-06 13:50:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-06-06 17:49
    .
    Pre-Run: 732,786,802,688 bytes free
    Post-Run: 733,268,389,888 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - DFE132D3FB236239E825606D92E5D88B
  8. Bobbye


    Questions:
    Are you using PeerBlock?
    Have you done the DNS flush and router reset?
    Did you assign this in Firefox: FF - prefs.js: network.proxy.http_port - 60283
    =====================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ====================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  9. SCmember


    Questions:
    Are you using PeerBlock?
    It is not something I have done, I don't even know what it is.

    Have you done the DNS flush and router reset?
    Yes

    Did you assign this in Firefox: FF - prefs.js: network.proxy.http_port - 60283
    No
    =====================================

    Will now continue with your next set of instructions and post logs when completed.
  10. SCmember


    Next Set of Logs

    ESET LOG

    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\43\775a696b-4b4ba952 Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\11\6fb428cb-67f1abfe Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\14\7bea5a4e-3ce9191f Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\16\4ea56e90-2d74d52a Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\28\72b7c5c-60c70e52 Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\31\1ef03c5f-416d6f4f Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\31\2f2c695f-65e98e9d Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\48\7bf72d70-6537fbb2 Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\56\63aaf5b8-63e9f8ff Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\9\7be78a09-676b5836 probably a variant of Java/TrojanDownloader.OpenStream.NCC trojan
    C:\Documents and Settings\owner\Desktop\fsSetup131.exe Win32/Adware.Toolbar.Dealio application
    C:\System Volume Information\_restore{BE673C43-9957-4968-A842-5C6097356DC5}\RP190\A0035045.mof Win32/RogueAV.A trojan



    HIJACKTHIS LOG


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:51:21 PM, on 6/7/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Log with Word Wrap on has been deleted by Bobbye

    New log to be posted.
  11. Bobbye


    For the Eset entries: Most are in the Java cache, so you will empty it:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    Images courtesy java.com
    =============================================
    There are some entries that need to be removed in HijackThis. But I would like you to redo the log- I can't read it in the context of Word Wrap:
    When you open Notepad> click on Format> Uncheck Word Wrap. Now the log will be readable. For instance:
    This log:
    The same entry with Word Wrap off:
    Please paste the redone HJT log in your next reply.
     
  12. SCmember


    HijackThis Log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:51:21 PM, on 6/7/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Encore\Common\RegistryWriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\Logitech\Vid HD\Vid.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Encore\Common\RaUI.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\owner\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2269050
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
    O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Encore Wireless Utility.lnk = C:\Program Files\Encore\Common\RaUI.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
    O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Documents and Settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: Belkin Local Backup Service - Unknown owner - C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
    O23 - Service: Belkin Network USB Helper - Unknown owner - C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\Encore\Common\RegistryWriter.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 8425 bytes
  13. SCmember


    Java cache

    I have completed clearing the java cache.
  14. Bobbye


    Reset your browser proxies
    • Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    • Click on the "Network" tab, and then on the "Settings" button.
    • Please make sure that the "No Proxy" option is selected.
    =======================================
    Please run this Custom Script:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    C:\Documents and Settings\owner\Desktop\fsSetup131.exe
    DDS::
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"=-
    Driver::
    cerc6
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ========================================
    Update the following. Then uninstall all outdated versions in Add/Remove Programs.
    1. Java Updates
    Note: You do not need to put a separate Java Extension on Firefox
    Please open FF> Extensions> Remove Java v6u17 and v6u23.
    2. Adobe Reader
    ===========================================
    I noticed several Belkin entries loading- just want to make sure you're aware of them:
    Digido Platform
    It appears these are used to enable a person who travels to use the system.

    It is puzzling because you are also using Description: Encore Wireless Utility
    =======================================
    You have a process left over from Norton/Symantec:
    Click on Start> Run> type in services.msc> enter> Double click on LiveUpdate> Change the Startup type to Disabled> Stop the Service.
    Then click on Start> Run> type in cmd> enter> at the blinking C prompt type in the following
    You should get this message:
    [SC] DeleteService SUCCESS
    Type Exit to close the command prompt
    Reboot the computer.
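    The proxy question in post 8 (network.proxy.http_port - 60283) and the "Reset your browser proxies" step above are about the same thing: a Firefox network.proxy.* setting the user never made. What follows is an added example, not code from this thread or from ComboFix, GMER, ESET or HijackThis. It parses either the "FF - prefs.js:" lines that a ComboFix/DDS log prints in its Supplementary Scan section or raw user_pref() lines from a Firefox prefs.js, and reports whether a proxy is actually active and where it points. The sample inputs are constructed here from the values that appear in this thread's logs (127.0.0.1, port 60283, proxy type 4 and 0); the profile path in them is a placeholder.

```python
"""Added example (not from the thread): check Firefox proxy preferences.

Reads either the "FF - prefs.js: <name> - <value>" lines that ComboFix/DDS logs
print in their Supplementary Scan section, or raw user_pref() lines from a
Firefox prefs.js, and reports whether a proxy is active and where it points.
"""
import ipaddress
import re

# network.proxy.type values as Firefox defines them.
PROXY_TYPE = {0: "No proxy", 1: "Manual", 2: "PAC URL", 4: "Auto-detect (WPAD)", 5: "System"}
PROTOCOLS = ("http", "ssl", "ftp", "socks")

# ComboFix/DDS form:  FF - prefs.js: network.proxy.http - 127.0.0.1
COMBOFIX_RE = re.compile(r"^\s*FF - prefs\.js:\s*(?P<name>[\w.\-]+)\s+-\s+(?P<value>.*?)\s*$")
# prefs.js form:      user_pref("network.proxy.http", "127.0.0.1");
PREFSJS_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.*?)\);\s*$')


def parse_proxy_prefs(text):
    """Return {pref_name: value} for every network.proxy.* pref in text."""
    prefs = {}
    for line in text.splitlines():
        m = COMBOFIX_RE.match(line) or PREFSJS_RE.match(line)
        if m and m.group("name").startswith("network.proxy."):
            prefs[m.group("name")] = m.group("value").strip().strip('"')
    return prefs


def is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an address
        return False


def assess_proxy(prefs):
    """Return (severity, message) findings; severity is 'high', 'medium' or 'info'."""
    findings = []
    raw = prefs.get("network.proxy.type")
    ptype = int(raw) if raw is not None and raw.isdigit() else None
    # Proxy servers named in the prefs, whether or not the current type uses them.
    servers = [(p, prefs[f"network.proxy.{p}"], prefs.get(f"network.proxy.{p}_port", "?"))
               for p in PROTOCOLS if f"network.proxy.{p}" in prefs]

    if ptype == 1:  # manual: the listed servers are actually in use
        for proto, host, port in servers:
            if is_loopback(host):
                findings.append(("high", f"manual {proto} proxy {host}:{port} is on this machine; "
                                 "unless a local proxy program was installed on purpose, browser "
                                 "traffic is being passed through another process"))
            else:
                findings.append(("medium", f"manual {proto} proxy {host}:{port}; confirm it is expected"))
        if not servers:
            findings.append(("info", "manual proxy mode but no proxy server is set"))
    elif ptype == 4:
        findings.append(("medium", "auto-detect (WPAD) is on; the proxy is chosen by whatever "
                         "answers the WPAD lookup on the local network"))
    elif ptype == 0:
        if servers:  # values survive in prefs.js after 'No Proxy' is selected but are not used
            leftovers = ", ".join(f"{p}={h}:{port}" for p, h, port in servers)
            findings.append(("info", f"'No proxy' selected; leftover values are inactive: {leftovers}"))
    elif ptype is None:
        findings.append(("info", "network.proxy.type not set; Firefox default applies"))
    else:
        findings.append(("info", f"proxy mode: {PROXY_TYPE.get(ptype, ptype)}"))
    return findings


# Constructed sample inputs, modelled on the values seen in this thread (profile path is a placeholder).
BEFORE_RESET_LOG = """\
FF - ProfilePath - c:\\documents and settings\\owner\\Application Data\\Mozilla\\Firefox\\Profiles\\example.default\\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60283
FF - prefs.js: network.proxy.type - 4
"""
AFTER_RESET_LOG = BEFORE_RESET_LOG.replace("network.proxy.type - 4", "network.proxy.type - 0")
MANUAL_PREFS_JS = """\
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 60283);
user_pref("network.proxy.type", 1);
"""

if __name__ == "__main__":
    for label, text in (("before reset", BEFORE_RESET_LOG), ("after reset", AFTER_RESET_LOG),
                        ("manual prefs.js", MANUAL_PREFS_JS)):
        for severity, message in assess_proxy(parse_proxy_prefs(text)):
            print(f"[{label}] {severity}: {message}")
```

    Firefox only honours network.proxy.http when network.proxy.type is 1 (manual), which is why leftover 127.0.0.1:60283 values are reported as inactive once "No Proxy" (type 0) is selected. The loopback check is what makes the manual case high severity: a proxy on the user's own machine that no installed program accounts for means some other process is sitting between the browser and the network, and that is worth asking about, as the helper did.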
  15. SCmember


    Bobbye...

    A couple of things from your last post.

    • You mentioned something about BELKIN entries loading. My wireless router is a BELKIN, but I have never installed or activated any type of traveling ability. So I can't say if the DIGIDO PLATFORM is something that should be there or not.
    • Also, again - I am not familiar with ENCORE WIRELESS UTILITY, so am not sure if that is something that should be there or not either.

    Completed all the steps you asked for from last post and the new CF log is pasted below.

    I really do appreciate your help with this mess.


    ComboFix 11-06-08.04 - owner 06/09/2011 8:01.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2958 [GMT -4:00]
    Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\owner\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\documents and settings\owner\Desktop\fsSetup131.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\owner\Desktop\fsSetup131.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_cerc6
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-07 18:11 . 2011-06-07 18:11 -------- d-----w- c:\program files\ESET
    2011-05-19 03:37 . 2011-05-19 03:37 -------- d-----w- c:\program files\QuickTime
    2011-05-18 11:18 . 2011-06-08 11:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-17 16:55 . 2011-05-17 16:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-05-15 01:07 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-05-15 01:07 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-05-15 01:07 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-05-15 01:07 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-10 12:10 . 2011-04-05 23:13 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:10 . 2011-04-05 23:13 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-10 12:03 . 2011-04-05 23:13 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 12:03 . 2011-04-05 23:14 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-10 12:02 . 2011-04-05 23:13 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-10 12:02 . 2011-04-05 23:13 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-05-10 12:02 . 2011-04-05 23:13 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-05-10 11:59 . 2011-04-05 23:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-10 11:59 . 2011-04-05 23:13 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-05-10 11:59 . 2011-04-05 23:14 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-06-06_17.46.20 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-06-09 12:10 . 2011-06-09 12:10 16384 c:\windows\Temp\Perflib_Perfdata_cc.dat
    - 2011-06-06 17:45 . 2009-10-07 06:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
    + 2011-06-09 12:10 . 2009-10-07 06:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
    + 2011-06-08 11:46 . 2011-06-08 11:46 238040 c:\windows\system32\Macromed\Flash\FlashUtil10s_Plugin.exe
    + 2011-06-08 11:46 . 2011-06-08 11:46 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
    - 2010-01-27 01:07 . 2011-05-18 11:18 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
    "Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
    "RTHDCPL"="RTHDCPL.EXE" [2009-06-12 17887232]
    "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-05-19 421888]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Encore Wireless Utility.lnk - c:\program files\Encore\Common\RaUI.exe [2010-5-13 1662976]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2011-1-4 67128]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-1-4 688128]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-12-6 724992]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Belkin\\Belkin USB Print and Storage Center\\Connect.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "19540:UDP"= 19540:UDP:SXUPTP
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/5/2011 7:13 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/5/2011 7:14 PM 307928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/5/2011 7:14 PM 19544]
    R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [5/16/2010 2:49 PM 152064]
    R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [5/16/2010 2:49 PM 49152]
    R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [5/16/2010 2:49 PM 246936]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/9/2011 6:46 PM 136176]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/13/2010 1:19 PM 1684736]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/9/2011 6:46 PM 136176]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    itlsvc REG_MULTI_SZ itlperf
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc243d9c02d2dc.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-09 22:46]
    .
    2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-09 22:46]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.yahoo.com
    IE: Free YouTube Download - c:\documents and settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
    IE: Free YouTube to MP3 Converter - c:\documents and settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.2.1
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\hm48fgqk.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60283
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: DVDVideoSoftTB Community Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
    FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-09 08:10
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    C:\## aswSnx private storage
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_HDS721075KLA330 rev.GK8OA97A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A62453B
    user & kernel MBR OK
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(768)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'lsass.exe'(828)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(3912)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Encore\Common\RegistryWriter.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Belkin\Belkin USB Print and Storage Center\connect.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    c:\program files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-06-09 08:14:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-06-09 12:14
    ComboFix2.txt 2011-06-06 17:50
    .
    Pre-Run: 733,349,683,200 bytes free
    Post-Run: 733,401,980,928 bytes free
    .
    - - End Of File - - CDB97FAA97110AE49600B732D6E6C33B
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Regarding the Belkin and the Encore entries. I don't know how your system is set up or who set it up. As far as I could determine, the extra Belkin entries have to be intentionally installed. There is a setup file for the Belkin but all of the other processes are extra. And the DigiDo™ Platform is used by Time Warner Cable, Cox, Bresnan, Charter, ubee and Belkin. It is a part of a secure home network and may be used by the ISP.

    And the Encore Wireless Utility may be the wireless card or required by the modem.
    =====================================
    Questions:
    1. Who is your ISP?
    2. Do you have multiple users on this computer?
    3. Are you using a wireless print server?
    4. Was the computer set up on the Peer 1 Network?
    ===================================
    Combofix removed an entry for Best Malware Protection\cookies.sqlite
    cookies.sqlite is where Firefox stores Cookies. This means that your system wasn't protected and this rogue program has left Tracking Cookies on the system.

    Best Malware Protection is a fake antivirus program that tries to trick the user into buying the full version of the program by using fake scan results. It installs itself on the computer without the user's confirmation unless the user has set the UAC level to the highest level.

    Best Malware Protection is advertised mostly through the use of bogus online scanners and malicious websites. This means that the security is lacking.

    Please do the following:>>>> Note: If you have multiple accounts on the system, do this on each of the accounts:

    1. Reset Cookies
    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK 'accept Cookies from Sites'> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources. They also prevent the ads and banners themselves:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    ==========================================
    Regarding Price Gong:> It's a browser addon for comparative shopping. The program is adware, and it will display annoying pop-up alerts and other false threats in the browser.
    Standalone application removal
    In case you have installed PriceGong as a standalone application, it can easily be removed using "Add/Remove Programs" as follows:

    1. On Windows XP>
      1. Go to the Start menu
      2. Select Settings
      3. Select Control Panel
      4. Select Add or Remove Programs
      5. Select PriceGong
      6. Click Change/Remove
      7. Follow on-screen prompts to remove the PriceGong application

    • Then use Windows Explorer (Windows key + E) to go to My Computer> Double click on Local Drive(C)> Programs> look for the Price Gong folder and do a Right click> Delete.
    =======================================
    Reboot the computer. Run the following.
    =======================================
    SuperAntiSpyware Home Edition Free Version
    Important to note the line to check the entries for removal.
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check: 'Perform Complete Scan' then Click 'Next' to start the scan.
    • Superantispyware will now scan your computer, when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you're done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad. Paste the notepad file here on your reply
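    The following is an added example, not code from the thread or from any of the tools named in it. It pulls three things out of a ComboFix log in the format posted above and judges them the way a helper reading the thread would: the "FF - prefs.js:" lines (audited for a loopback HTTP proxy, and for the third-party cookie policy that the Firefox instructions in the reply above set by hand), catchme's "hidden files:" count, and the hook lines the Stealth MBR tool prints under "detected hooks:". The line formats are modelled on the log above; the sample text is constructed from it, and the wording of the findings is mine. Firefox preference meanings used here (network.proxy.type 0 = direct, 1 = manual, 5 = system; network.cookie.cookieBehavior 0 = accept all, 1 = block third-party, 2 = block all; network.cookie.lifetimePolicy 0 = keep until expiry) are Firefox's own.

```python
"""Triage of a ComboFix log: Firefox prefs, catchme hidden files, MBR-tool hooks.

Added example for the thread; not part of ComboFix, GMER or SuperAntiSpyware.
"""
import re
from typing import Dict, List

# Line shapes modelled on the log posted above.
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<name>\S+) - (?P<value>.*)$")
HIDDEN_RE = re.compile(r"^hidden files: (?P<n>\d+)$")
HOOK_RE = re.compile(r"^\\Driver\\\S+ \S+ -> 0x[0-9A-Fa-f]+$")

# Firefox semantics: network.proxy.type 0 = direct, 1 = manual, 2 = PAC,
# 4 = auto-detect, 5 = system (the default when the pref is absent).
PROXY_TYPE = {"0": "direct", "1": "manual", "2": "PAC", "4": "auto-detect", "5": "system"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# The Firefox settings from the reply above, expressed as preference values:
# accept first-party cookies, block third-party ones, keep them until they expire.
HARDENED_COOKIE_PREFS = {
    "network.cookie.cookieBehavior": "1",
    "network.cookie.lifetimePolicy": "0",
}


def parse_log(text: str) -> Dict[str, object]:
    """Collect the Firefox prefs, the hidden-file count and the hook lines."""
    prefs: Dict[str, str] = {}
    hooks: List[str] = []
    hidden = 0
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_hooks and HOOK_RE.match(line):
            hooks.append(line)
            continue
        in_hooks = line == "detected hooks:"   # hook lines follow this header
        if (m := PREF_RE.match(line)):
            prefs[m["name"]] = m["value"]
        elif (m := HIDDEN_RE.match(line)):
            hidden = int(m["n"])
    return {"prefs": prefs, "hidden_files": hidden, "hooks": hooks}


def audit_prefs(prefs: Dict[str, str]) -> List[str]:
    """Findings for a Firefox preference map (empty list = nothing to report)."""
    findings: List[str] = []
    host = prefs.get("network.proxy.http")
    if host in LOOPBACK:
        ptype = prefs.get("network.proxy.type", "5")    # absent pref = Firefox default
        port = prefs.get("network.proxy.http_port", "?")
        state = "ACTIVE" if ptype == "1" else f"inactive (proxy type {PROXY_TYPE.get(ptype, ptype)})"
        findings.append(f"loopback HTTP proxy {host}:{port} is {state}; identify the listener on that port")
    # cookieBehavior absent means the default, which in Firefox accepts all cookies.
    if prefs.get("network.cookie.cookieBehavior", "0") == "0":
        findings.append("third-party cookies accepted (network.cookie.cookieBehavior=0 or unset)")
    return findings


def triage(text: str) -> Dict[str, object]:
    """One summary per log: parsed data plus findings for a helper to read."""
    parsed = parse_log(text)
    findings = audit_prefs(parsed["prefs"])
    if parsed["hooks"]:
        findings.append(f"{len(parsed['hooks'])} driver hook(s) still reported after cleanup: "
                        + "; ".join(parsed["hooks"]))
    if parsed["hidden_files"]:
        findings.append(f"catchme reports {parsed['hidden_files']} hidden file(s); check each name")
    return {**parsed, "findings": findings}


# Constructed sample in the format of the log above (a few lines, not the full log).
SAMPLE = """\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60283
FF - prefs.js: network.proxy.type - 0
.
hidden files: 1
.
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8A62453B
user & kernel MBR OK
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print("-", finding)
```

    Run against the sample it reports four things. Two of them are not findings on their own in this thread: the 127.0.0.1:60283 proxy entry is inactive because network.proxy.type is 0, and the single hidden entry in the log above is named after avast's aswSnx driver. The third-party cookie finding is exactly what the Firefox steps in the reply above fix, and audit_prefs(HARDENED_COOKIE_PREFS) returns nothing. The hook line is printed verbatim so the helper, not the script, decides what it means.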
  17. SCmember

    SCmember TS Rookie Topic Starter

    Super AntiSpyware Log

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/13/2011 at 08:14 AM

    Application Version : 4.54.1000

    Core Rules Database Version : 7257
    Trace Rules Database Version: 5069

    Scan type : Complete Scan
    Total Scan Time : 00:20:45

    Memory items scanned : 588
    Memory threats detected : 0
    Registry items scanned : 6379
    Registry threats detected : 0
    File items scanned : 20709
    File threats detected : 470

    Adware.Tracking Cookie
    C:\Documents and Settings\owner\Cookies\owner@content.yieldmanager[1].txt
    C:\Documents and Settings\owner\Cookies\owner@imrworldwide[2].txt
    C:\Documents and Settings\owner\Cookies\owner@mediabrandsww[1].txt
    C:\Documents and Settings\owner\Cookies\owner@adxpose[1].txt
    C:\Documents and Settings\owner\Cookies\owner@media6degrees[1].txt
    C:\Documents and Settings\owner\Cookies\owner@realmedia[1].txt
    C:\Documents and Settings\owner\Cookies\owner@statcounter[1].txt
    C:\Documents and Settings\owner\Cookies\owner@2o7[2].txt
    C:\Documents and Settings\owner\Cookies\owner@zedo[1].txt
    C:\Documents and Settings\owner\Cookies\owner@apmebf[1].txt
    C:\Documents and Settings\owner\Cookies\owner@dc.tremormedia[1].txt
    C:\Documents and Settings\owner\Cookies\owner@revsci[1].txt
    C:\Documents and Settings\owner\Cookies\owner@eset.122.2o7[1].txt
    C:\Documents and Settings\owner\Cookies\owner@atdmt[1].txt
    C:\Documents and Settings\owner\Cookies\owner@collective-media[2].txt
    C:\Documents and Settings\owner\Cookies\owner@pointroll[1].txt
    C:\Documents and Settings\owner\Cookies\owner@content.yieldmanager[3].txt
    C:\Documents and Settings\owner\Cookies\owner@insightexpressai[2].txt
    C:\Documents and Settings\owner\Cookies\owner@trafficmp[1].txt
    C:\Documents and Settings\owner\Cookies\owner@ads.pointroll[2].txt
    C:\Documents and Settings\owner\Cookies\owner@mediaplex[2].txt
    C:\Documents and Settings\owner\Cookies\owner@www.burstnet[1].txt
    C:\Documents and Settings\owner\Cookies\owner@casalemedia[1].txt
    C:\Documents and Settings\owner\Cookies\owner@ads.bleepingcomputer[1].txt
    C:\Documents and Settings\owner\Cookies\owner@citi.bridgetrack[2].txt
    C:\Documents and Settings\owner\Cookies\owner@doubleclick[1].txt
    C:\Documents and Settings\owner\Cookies\owner@ad.yieldmanager[2].txt
    C:\Documents and Settings\owner\Cookies\owner@serving-sys[1].txt
    C:\Documents and Settings\owner\Cookies\owner@invitemedia[2].txt
    crackle.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\K5JTUGV7 ]
    media.heavy.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\K5JTUGV7 ]
    media1.break.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\K5JTUGV7 ]
    s0.2mdn.net [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\K5JTUGV7 ]
    secure-us.imrworldwide.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\K5JTUGV7 ]
    C:\Documents and Settings\LocalService\Cookies\system@kontera[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@dc.tremormedia[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@yieldmanager[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@clicksaudit[3].txt
    C:\Documents and Settings\LocalService\Cookies\system@ads.lycos[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@ads.pointroll[3].txt
    C:\Documents and Settings\LocalService\Cookies\system@ads.pointroll[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@xml.trafficengine[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@dc.tremormedia[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@optimize.indieclick[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@atdmt[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@view.atdmt[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@lucidmedia[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@indieclick[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@statcounter[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@2o7[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@ru4[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@p409t1s4937430.kronos.bravenetmedia[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@search.clicksclick[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@adtech[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@interclick[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@advertnation[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@stat.dealtime[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@apmebf[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@advertise[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@ru4[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@burstbeacon[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@technoratimedia[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@adbrite[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@viewablemedia[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@invitemedia[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@invitemedia[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@crackle[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@burstnet[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@adxpose[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@ads.blogtalkradio[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@eyewonder[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@media6degrees[3].txt
    C:\Documents and Settings\LocalService\Cookies\system@media6degrees[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@mediaplex[3].txt
    C:\Documents and Settings\LocalService\Cookies\system@mediaplex[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@adserver.adtechus[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@www.mediaquantics[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@insightexpressai[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@search.clickwhale[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@casalemedia[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@bs.serving-sys[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@search.clickcheer[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@amtk-media[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@ads.pubmatic[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@r1-ads.ace.advertising[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@in.getclicky[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@legolas-media[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[3].txt
    C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@realmedia[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@realmedia[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@search.clicksthis[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@search.findsmy[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@content.yieldmanager[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@mm.chitika[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@content.yieldmanager[3].txt
    C:\Documents and Settings\LocalService\Cookies\system@www.burstbeacon[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@adserv.rotator.hadj7.adjuggler[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@fastclick[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@zedo[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@ads.undertone[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@xm.xtendmedia[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@search.clickbowl[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@pro-market[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@findology[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@track.clickpayz[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@tribalfusion[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@www.burstnet[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@dealtime[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@serving-sys[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@www.crackle[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@cdn1.trafficmp[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@trafficmp[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@questionmarket[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@revsci[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@network.realmedia[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@ad.wsod[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@eas.apm.emediate[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@specificclick[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@clicksaudit[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@advertising[3].txt
    C:\Documents and Settings\LocalService\Cookies\system@advertising[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@search.hippofind[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@qa.adserver.adbull[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@imrworldwide[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@pointroll[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@link.mercent[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@mediabrandsww[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@qa.adserver.adbull[3].txt
    C:\Documents and Settings\LocalService\Cookies\system@collective-media[1].txt
    adimages.scrippsnetworks.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\H3QGCSTD ]
    convoad.technoratimedia.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\H3QGCSTD ]
    media.heavy.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\H3QGCSTD ]
    media.kyte.tv [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\H3QGCSTD ]
    media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\H3QGCSTD ]
    media.onsugar.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\H3QGCSTD ]
    media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\H3QGCSTD ]
    s0.2mdn.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\H3QGCSTD ]
    secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\H3QGCSTD ]
    stat.easydate.biz [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\H3QGCSTD ]
    C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[6].txt
    C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[5].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.lycos[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[7].txt
    C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[6].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertising[8].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertising[7].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertising[6].txt
    C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[8].txt
    C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.lycos[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[5].txt
    C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.lycos[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.lycos[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[8].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[7].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[6].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[5].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@atdmt[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@atdmt[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@atdmt[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@kontera[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@media.adfrontiers[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@media.adfrontiers[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@media.adfrontiers[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[9].txt
    C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[8].txt
    C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[7].txt
    C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[6].txt
    C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[5].txt
    C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@adlegend[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@atdmt[9].txt
    C:\Documents and Settings\NetworkService\Cookies\system@atdmt[7].txt
    C:\Documents and Settings\NetworkService\Cookies\system@atdmt[6].txt
    C:\Documents and Settings\NetworkService\Cookies\system@atdmt[5].txt
    C:\Documents and Settings\NetworkService\Cookies\system@atdmt[8].txt
    C:\Documents and Settings\NetworkService\Cookies\system@educationcom.112.2o7[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@statcounter[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@2o7[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@2o7[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@interclick[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@apmebf[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@apmebf[7].txt
    C:\Documents and Settings\NetworkService\Cookies\system@search.clicksclick[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@apmebf[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@apmebf[8].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertnation[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[11].txt
    C:\Documents and Settings\NetworkService\Cookies\system@search.clicksclick[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@apmebf[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@apmebf[5].txt
    C:\Documents and Settings\NetworkService\Cookies\system@apmebf[9].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertnation[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@interclick[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@2o7[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@apmebf[6].txt
    C:\Documents and Settings\NetworkService\Cookies\system@search.toseeking[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertise[5].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertise[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertise[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ru4[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ru4[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ru4[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ru4[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@technoratimedia[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@atwola[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ad.doubleclick[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@burstnet[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ru4[8].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ru4[7].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ru4[6].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ru4[5].txt
    C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@adbrite[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@adbrite[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@adbrite[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@viewablemedia[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@viewablemedia[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[7].txt
    C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[8].txt
    C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[6].txt
    C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[4].txt
    C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@chitika[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@enhance[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@clicks.fastseekonline[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@adxpose[3].txt
    C:\Documents and Settings\NetworkService\Cookies\system@adxpose[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@adxpose[1].txt

    Adware.SelectRebates[SAH]
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BE673C43-9957-4968-A842-5C6097356DC5}\RP191\A0035209.DLL
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    SAS found 470 Tracking Cookies. That tells me 3 things.

    1. Your system is not set to block 3rd party Cookies.
    2. You aren't doing regular maintenance on the system.
    3. If you are going to visit sites like the 'pronhub', you are going to get malware.

    These have not been addressed:
    ====================================
    Please run the following: Security Check

    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    ====================================
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Due to inactivity, this thread is being closed.