Solved Suspected infections on my computer

becky329

I noticed my computer running slowly lately and I have had a redirect on my Firefox. I have attached my logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4494

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

9/4/2010 2:12:43 PM
mbam-log-2010-09-04 (14-12-43).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 289029
Time elapsed: 3 hour(s), 17 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{CA84156C-45F8-472E-9CEC-088CF2273354}\RP393\A0039945.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
 
GMER log;

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-04 18:51:56
Windows 5.1.2600 Service Pack 2
Running: kolnxki3.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwlyrpod.sys


---- System - GMER 1.0.15 ----

SSDT F8B1641E ZwCreateKey
SSDT F8B16414 ZwCreateThread
SSDT F8B16423 ZwDeleteKey
SSDT F8B1642D ZwDeleteValueKey
SSDT F8B16432 ZwLoadKey
SSDT F8B16400 ZwOpenProcess
SSDT F8B16405 ZwOpenThread
SSDT F8B1643C ZwReplaceKey
SSDT F8B16437 ZwRestoreKey
SSDT F8B16428 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEFDC60B0]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF80DFF80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 008F000C
.text C:\WINDOWS\System32\svchost.exe[980] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 00B9000A
.text C:\WINDOWS\Explorer.EXE[1372] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00BA000A
.text C:\WINDOWS\Explorer.EXE[1372] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00BB000A
.text C:\WINDOWS\Explorer.EXE[1372] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00B9000C
.text C:\WINDOWS\system32\wuauclt.exe[2580] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0119000A
.text C:\WINDOWS\system32\wuauclt.exe[2580] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 011A000A
.text C:\WINDOWS\system32\wuauclt.exe[2580] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0118000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat EED1CC8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
 
DDS Log # 1

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:06:00.62 on Sat 09/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.146 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Wsisuy] rundll32.exe "c:\windows\dsdmsndp.dll",Startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\oeyzpp30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-12 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-12 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-12 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-12 60936]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-12 88176]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2010-08-28 12:47:33 0 d--h--w- c:\windows\PIF

==================== Find3M ====================


============= FINISH: 19:07:15.06 ===============
 
DDS log # 2

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/11/2009 10:06:41 PM
System Uptime: 9/4/2010 5:47:12 PM (2 hours ago)

Motherboard: Dell Computer Corp. | | 0WF887
Processor: Intel(R) Celeron(R) CPU 2.53GHz | Microprocessor | 2527/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 53 GiB total, 16.78 GiB free.
D: is FIXED (NTFS) - 75 GiB total, 19.012 GiB free.
E: is FIXED (NTFS) - 18 GiB total, 18.436 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&1C660DD6&0&08F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&1C660DD6&0&08F0
Service:

==== System Restore Points ===================

RP333: 6/7/2010 1:32:28 AM - System Checkpoint
RP334: 6/8/2010 2:32:24 AM - System Checkpoint
RP335: 6/9/2010 5:47:16 AM - System Checkpoint
RP336: 6/10/2010 6:21:07 AM - System Checkpoint
RP337: 6/11/2010 3:48:28 PM - System Checkpoint
RP338: 6/12/2010 5:37:08 PM - System Checkpoint
RP339: 6/13/2010 6:32:48 PM - System Checkpoint
RP340: 6/14/2010 7:49:19 PM - System Checkpoint
RP341: 6/15/2010 8:05:04 PM - System Checkpoint
RP342: 6/16/2010 9:05:01 PM - System Checkpoint
RP343: 6/17/2010 10:29:50 PM - System Checkpoint
RP344: 6/19/2010 9:10:27 AM - System Checkpoint
RP345: 6/20/2010 9:32:03 AM - System Checkpoint
RP346: 6/21/2010 5:54:00 PM - System Checkpoint
RP347: 6/22/2010 6:48:00 PM - System Checkpoint
RP348: 6/23/2010 7:36:19 PM - System Checkpoint
RP349: 6/24/2010 10:07:22 PM - System Checkpoint
RP350: 6/25/2010 10:51:08 PM - System Checkpoint
RP351: 6/27/2010 12:03:09 AM - System Checkpoint
RP352: 6/28/2010 12:51:10 AM - System Checkpoint
RP353: 6/29/2010 1:51:10 AM - System Checkpoint
RP354: 6/30/2010 2:27:41 AM - System Checkpoint
RP355: 7/1/2010 6:07:43 AM - System Checkpoint
RP356: 7/2/2010 10:49:32 PM - System Checkpoint
RP357: 7/3/2010 11:43:52 PM - System Checkpoint
RP358: 7/10/2010 9:33:55 PM - System Checkpoint
RP359: 7/11/2010 9:56:05 PM - System Checkpoint
RP360: 7/12/2010 10:30:21 PM - System Checkpoint
RP361: 7/14/2010 5:36:45 AM - System Checkpoint
RP362: 7/15/2010 6:55:31 PM - System Checkpoint
RP363: 7/16/2010 8:36:59 PM - System Checkpoint
RP364: 7/18/2010 8:54:29 AM - System Checkpoint
RP365: 7/19/2010 9:13:46 AM - System Checkpoint
RP366: 7/20/2010 10:13:48 AM - System Checkpoint
RP367: 7/21/2010 7:12:07 PM - System Checkpoint
RP368: 7/22/2010 9:04:58 PM - System Checkpoint
RP369: 7/23/2010 9:43:16 PM - System Checkpoint
RP370: 7/24/2010 10:05:38 PM - System Checkpoint
RP371: 7/25/2010 10:51:04 PM - System Checkpoint
RP372: 7/26/2010 11:20:41 PM - System Checkpoint
RP373: 7/28/2010 4:44:16 AM - System Checkpoint
RP374: 7/29/2010 5:46:39 AM - System Checkpoint
RP375: 7/30/2010 5:49:54 AM - System Checkpoint
RP376: 7/31/2010 5:54:23 AM - System Checkpoint
RP377: 8/7/2010 7:44:06 PM - System Checkpoint
RP378: 8/9/2010 7:57:13 AM - System Checkpoint
RP379: 8/10/2010 7:42:26 PM - System Checkpoint
RP380: 8/12/2010 9:05:13 PM - System Checkpoint
RP381: 8/13/2010 9:07:29 PM - System Checkpoint
RP382: 8/14/2010 11:09:03 PM - System Checkpoint
RP383: 8/15/2010 11:39:31 PM - System Checkpoint
RP384: 8/17/2010 12:39:29 AM - System Checkpoint
RP385: 8/18/2010 1:36:08 AM - System Checkpoint
RP386: 8/19/2010 5:32:04 AM - System Checkpoint
RP387: 8/20/2010 6:28:57 AM - System Checkpoint
RP388: 8/21/2010 11:04:25 PM - System Checkpoint
RP389: 8/22/2010 11:31:14 PM - System Checkpoint
RP390: 8/24/2010 6:15:16 AM - System Checkpoint
RP391: 8/25/2010 7:01:07 AM - System Checkpoint
RP392: 8/26/2010 8:50:00 PM - System Checkpoint
RP393: 8/27/2010 9:15:50 PM - System Checkpoint
RP394: 8/29/2010 6:22:57 AM - System Checkpoint
RP395: 9/4/2010 8:49:16 AM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Parental Control
Avira AntiVir Personal - Free Antivirus
Bonjour
Dell Resource CD
ERUNT 1.1j
Free Studio version 4.2
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Windows XP (KB908673)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Connections Drivers
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 16
Malwarebytes' Anti-Malware
McAfee SiteAdvisor
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Modem Helper
Mozilla Firefox (3.6.8)
MSN
QuickTime
Security Update for Windows XP (KB912812)
SigmaTel Audio
SoundMAX
Spelling Dictionaries Support For Adobe Reader 9
SUPERAntiSpyware Free Edition
Uninstall 1.0.0.1
Update for Windows XP (KB922120)
Walmart MP3 Music Downloads
WebFldrs XP
Windows Internet Explorer 8
Windows XP Hotfix - KB839210

==== Event Viewer Messages From Past Week ========

9/4/2010 7:59:36 AM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
9/4/2010 7:59:36 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/4/2010 7:59:36 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
9/4/2010 7:59:36 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
9/4/2010 7:59:36 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/3/2010 7:20:53 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
8/30/2010 5:42:34 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
8/30/2010 5:42:34 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
8/29/2010 7:03:58 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer EMACHINES that believes that it is the master browser for the domain on transport NetBT_Tcpip_{E54ADA1E-2228-4A2F. The master browser is stopping or an election is being forced.
8/28/2010 9:02:02 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/28/2010 8:59:11 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm SASDIFSV SASKUTIL ssmdrv
8/28/2010 8:08:49 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/28/2010 8:08:48 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
8/28/2010 6:07:55 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
8/28/2010 10:19:19 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
8/28/2010 10:18:35 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
8/28/2010 10:17:31 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================
 
I do not use my computer for much more than surfing recipe sites, iPhone maintenance, reading blogs, ordering clothing online and connecting to my child's school site.

** I have also run a TDSS killer and can attach the log if needed.

Thank you for any help you can give.
 
Welcome to TechSpot. I'll help with any malware. While I finish checking your logs, please run the following:

Please download ComboFix from Here and save to your Desktop.

[1]. Do NOT rename Combofix unless instructed.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Close any open browsers.
[4]. Double click combofix.exe & follow the prompts to run.
NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
[5]. If Combofix asks you to install Recovery Console, please allow it.
[6]. If Combofix asks you to update the program, always allow.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Make sure you re-enable your security programs, when you're done with Combofix.
===================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
====================================
You can give me the TDSS Killer log since you have already run it. But if you have it running in the background, please either disable or uninstall it.

Important
Do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Becky, the system is infected with the Backdoor.Win32.Rbot.aag Worm. It is a network worm and IRC backdoor Trojan. W32/Rbot-AMG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Looks like it got on the system about 8/28.

Because of its 'backdoor' capabilities, you should change all of your passwords and monitor any online financial transactions. If you have a network set up, it's advisable that you not connect as the infection could be passed on to other computers on the network.

A 'Backdoor' is a program that provides attackers with remote access to infected computers. If your surfing involves any P2P or File Sharing programs, you should stop using these programs immediately.

While we should be able to remove the current infection, caution is advised because it is not known what files may have been compromised.
 
I am attaching the TDSS killer log. I hate to admit it but I have gotten to the limit of my computer knowledge/ability. My husband says he will help me close and disable my programs this afternoon. (He is painting his Jeep mirrors this morning). Thank you for your assistance.


2010/09/04 19:29:11.0312 TDSS rootkit removing tool 2.4.2.0 Sep 3 2010 10:26:06
2010/09/04 19:29:11.0312 ================================================================================
2010/09/04 19:29:11.0312 SystemInfo:
2010/09/04 19:29:11.0312
2010/09/04 19:29:11.0312 OS Version: 5.1.2600 ServicePack: 2.0
2010/09/04 19:29:11.0312 Product type: Workstation
2010/09/04 19:29:11.0312 ComputerName: DELLDE051
2010/09/04 19:29:11.0312 UserName: Owner
2010/09/04 19:29:11.0312 Windows directory: C:\WINDOWS
2010/09/04 19:29:11.0312 System windows directory: C:\WINDOWS
2010/09/04 19:29:11.0312 Processor architecture: Intel x86
2010/09/04 19:29:11.0312 Number of processors: 1
2010/09/04 19:29:11.0312 Page size: 0x1000
2010/09/04 19:29:11.0312 Boot type: Normal boot
2010/09/04 19:29:11.0312 ================================================================================
2010/09/04 19:29:14.0968 Initialize success
2010/09/04 19:29:18.0796 ================================================================================
2010/09/04 19:29:18.0796 Scan started
2010/09/04 19:29:18.0796 Mode: Manual;
2010/09/04 19:29:18.0796 ================================================================================
2010/09/04 19:29:25.0906 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/09/04 19:29:26.0015 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/04 19:29:26.0109 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/04 19:29:26.0187 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/04 19:29:26.0359 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/04 19:29:26.0484 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/04 19:29:26.0578 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/04 19:29:26.0703 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/04 19:29:26.0859 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/04 19:29:26.0953 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/09/04 19:29:27.0109 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/04 19:29:27.0281 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/04 19:29:27.0437 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/09/04 19:29:27.0546 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/04 19:29:27.0671 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/09/04 19:29:27.0750 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/04 19:29:27.0937 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/04 19:29:28.0078 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/04 19:29:28.0312 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/09/04 19:29:28.0437 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/04 19:29:28.0531 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/04 19:29:28.0625 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/04 19:29:28.0718 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/04 19:29:28.0828 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/09/04 19:29:28.0953 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/09/04 19:29:29.0078 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/04 19:29:29.0187 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/04 19:29:29.0328 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/09/04 19:29:29.0453 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/09/04 19:29:29.0578 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/09/04 19:29:29.0687 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/04 19:29:29.0796 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/09/04 19:29:29.0953 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/09/04 19:29:30.0140 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/09/04 19:29:30.0234 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/09/04 19:29:30.0359 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/09/04 19:29:30.0484 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/09/04 19:29:30.0593 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/09/04 19:29:30.0687 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/09/04 19:29:30.0781 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/04 19:29:30.0968 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2010/09/04 19:29:31.0062 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/09/04 19:29:31.0390 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/09/04 19:29:31.0500 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/09/04 19:29:31.0593 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/09/04 19:29:31.0859 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/09/04 19:29:31.0937 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/09/04 19:29:32.0046 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/09/04 19:29:32.0171 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/09/04 19:29:32.0281 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/09/04 19:29:32.0406 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/09/04 19:29:32.0531 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/09/04 19:29:32.0703 redbook (0190248bbe3985a47cf3c03180d8c16b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/04 19:29:32.0718 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: 0190248bbe3985a47cf3c03180d8c16b, Fake md5: b31b4588e4086d8d84adbf9845c2402b
2010/09/04 19:29:32.0718 redbook - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/04 19:29:37.0343 ================================================================================
2010/09/04 19:29:37.0343 Scan finished
2010/09/04 19:29:37.0343 ================================================================================
2010/09/04 19:29:37.0375 Detected object count: 1
2010/09/04 19:30:38.0312 redbook (0190248bbe3985a47cf3c03180d8c16b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/04 19:30:38.0312 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: 0190248bbe3985a47cf3c03180d8c16b, Fake md5: b31b4588e4086d8d84adbf9845c2402b
2010/09/04 19:30:39.0046 Backup copy found, using it..
2010/09/04 19:30:39.0062 C:\WINDOWS\system32\DRIVERS\redbook.sys - will be cured after reboot
2010/09/04 19:30:39.0062 Rootkit.Win32.TDSS.tdl3(redbook) - User select action: Cure
2010/09/04 19:30:48.0234 Deinitialize success
 
Just keep in mind, if you would like me to continue helping you, please advise him I have requested this:
Important
Do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

You should be able to run Combofix and the Eset scan easily with my directions. The only programs you need to disable for them are the security programs. All I see is AVIRA ANTIVIR.
  • Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
    • Right-click on the Avira icon, then click to uncheck the option AntiVir Guard enable.
    • You should now see a closed, white umbrella on a red background.
You successfully disabled the AntiVir Guard.
 
Here's the combo fix log, running Eset next.

ComboFix 10-09-06.03 - Owner 09/06/2010 17:04:29.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.222 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\1028_DELL_XPS_Dell DE051 .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DE051 .MRK

.
((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
.

2010-09-06 10:33 . 2010-09-06 10:33 -------- d-----w- c:\windows\LastGood
2010-08-28 13:04 . 2010-08-28 13:04 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-28 13:01 . 2010-08-28 13:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-28 13:00 . 2010-08-28 13:00 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-28 12:47 . 2010-08-28 12:47 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-04 23:31 . 2009-07-11 21:55 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-08-28 22:07 . 2009-07-13 01:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-28 13:02 . 2009-07-12 13:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-28 11:35 . 2009-07-12 13:53 -------- d-----w- c:\program files\McAfee
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-19 1998576]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-10 22:45 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/12/2009 10:17 AM 135336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/12/2009 9:54 AM 88176]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmd25
*Deregistered* - klmdb
*Deregistered* - pwlyrpod
.
Contents of the 'Scheduled Tasks' folder

2010-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-09-06 c:\windows\Tasks\User_Feed_Synchronization-{187F1E56-F43A-4693-880F-D322638AB6C3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oeyzpp30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Wsisuy - c:\windows\dsdmsndp.dll
SafeBoot-klmdb.sys
AddRemove-HijackThis - c:\documents and settings\Owner\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-06 17:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2010-09-06 17:10:52
ComboFix-quarantined-files.txt 2010-09-06 21:10

Pre-Run: 17,839,386,624 bytes free
Post-Run: 17,837,453,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 03F294DD4B4707BDFF372FB2B9C538B5
 
Here is my ESET log.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c151dfeac91d5d4fae6cc7009719ee70
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-06 10:25:24
# local_time=2010-09-06 06:25:24 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1797 16775141 100 100 0 57761250 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=164586
# found=4
# cleaned=0
# scan_time=4042
D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Inbox HTML/Phishing.gen trojan 00000000000000000000000000000000 I
D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Trash multiple threats 00000000000000000000000000000000 I
D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Deleted Items.dbx multiple threats 00000000000000000000000000000000 I
D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Inbox.dbx HTML/Phishing.gen trojan 00000000000000000000000000000000 I
 
Becky, I'd like you to handle the entries in the Eset log first:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    :Services
    :Reg
    
    :Files 
    D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Inbox 
    D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Trash 
    D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Deleted Items.dbx 
    D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Inbox.dbx 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

HTML.Phishing.gen trojan: See this http://en.wikipedia.org/wiki/Phishing

It appears that you have email accounts with both Thunderbird and Outlook Express. Most likely, these entries are for attachments you opened in the email. I don't know if removing just these entries will handle the problem, so after you have run OTMoveIt, I'd like you to reboot, then run another Eset scan.

If necessary, I will instruct you in removing the OE Deleted Items.dbx and OE Inbox.dbx Store boxes. I will handle Combofix separately. In the meantime, please do not open or save any new attachments in either Thunderbird or OE.
 
OTM log attached.

The Thunderbird account belongs to my husband's D drive that had to be installed in my computer when his motherboard died... He has another computer now and we only keep the drive because it has history on it. If needed we can delete Thunderbird and OE off the D drive on this computer.

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Inbox moved successfully.
D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Trash moved successfully.
D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Deleted Items.dbx moved successfully.
D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Inbox.dbx moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 655494 bytes
->Flash cache emptied: 1823 bytes

User: Owner
->Temp folder emptied: 307280 bytes
->Temporary Internet Files folder emptied: 1091220 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 46133832 bytes
->Flash cache emptied: 3868 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 46.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 09072010_182441

Files moved on Reboot...

Registry entries deleted on Reboot...
 
Eset scan number 2

C:\_OTM\MovedFiles\09072010_182441\D_Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Inbox HTML/Phishing.gen trojan
C:\_OTM\MovedFiles\09072010_182441\D_Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Trash multiple threats
C:\_OTM\MovedFiles\09072010_182441\D_Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Deleted Items.dbx multiple threats
C:\_OTM\MovedFiles\09072010_182441\D_Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Inbox.dbx HTML/Phishing.gen trojan
 
Okay good. Looks like you were able to remove the individual emails. Are you still noticing any redirects?

Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
Folder::
c:\windows\PIF
c:\documents and settings\Administrator\IETldCache
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
=============================
You have 2 outdated versions of Java on the system. Please use Add/Remove Programs in the Control Panel to uninstall all but the current v6u21 of Java.
 
Thank you for all of your time and help. My internet has stopped redirecting. I knew something was wrong, but I could never have fixed it on my own!!!

combo fix log attached

ComboFix 10-09-08.01 - Owner 09/08/2010 19:36:16.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.277 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\My Documents\Downloads\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\IETldCache
c:\documents and settings\Administrator\IETldCache\index.dat

.
((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
.

2010-09-07 22:24 . 2010-09-07 22:24 -------- d-----w- C:\_OTM
2010-09-06 21:14 . 2010-09-06 21:14 -------- d-----w- c:\program files\ESET
2010-08-28 13:04 . 2010-08-28 13:04 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-28 13:01 . 2010-08-28 13:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-28 12:47 . 2010-08-28 12:47 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-04 23:31 . 2009-07-11 21:55 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-08-28 22:07 . 2009-07-13 01:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-28 13:02 . 2009-07-12 13:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-28 11:35 . 2009-07-12 13:53 -------- d-----w- c:\program files\McAfee
.

((((((((((((((((((((((((((((( SnapShot@2010-09-06_21.08.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-07 22:27 . 2010-09-07 22:27 16384 c:\windows\Temp\Perflib_Perfdata_7a8.dat
+ 2009-07-12 02:01 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
+ 2009-07-12 02:01 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2010-09-07 22:29 . 2010-09-07 22:29 176128 c:\windows\ERDNT\AutoBackup\9-7-2010\Users\00000002\UsrClass.dat
+ 2010-09-07 22:29 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-7-2010\ERDNT.EXE
+ 2010-09-06 22:44 . 2010-09-06 22:44 176128 c:\windows\ERDNT\AutoBackup\9-6-2010\Users\00000002\UsrClass.dat
+ 2010-09-06 22:44 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-6-2010\ERDNT.EXE
+ 2010-09-07 22:29 . 2010-09-07 22:29 2035712 c:\windows\ERDNT\AutoBackup\9-7-2010\Users\00000001\NTUSER.DAT
+ 2010-09-06 22:44 . 2010-09-06 22:44 2031616 c:\windows\ERDNT\AutoBackup\9-6-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-19 1998576]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-10 22:45 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/12/2009 10:17 AM 135336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/12/2009 9:54 AM 88176]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-09-08 c:\windows\Tasks\User_Feed_Synchronization-{187F1E56-F43A-4693-880F-D322638AB6C3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oeyzpp30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-08 19:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2010-09-08 19:43:05
ComboFix-quarantined-files.txt 2010-09-08 23:42
ComboFix2.txt 2010-09-06 21:10

Pre-Run: 17,357,836,288 bytes free
Post-Run: 17,351,729,152 bytes free

- - End Of File - - 273244992A587FCEDEB8082E17C091CC
 
While I am working on my computer, could you help me disinfect/check a 1.0 GB SanDisk Mini Cruzer thumb drive? I am afraid to use it now that my computer is cured.

Thank you
 
Flash Drive Disinfector:
Threat Removal Procedure:

  • [1]. Download Flash_Disinfector and save it to your Desktop.
    [2]. After downloading, double-click on Flash_Disinfector to run it.
    [3]. Just follow the prompts and continue until it begins scanning.
    [Image: flash-disinfector.jpg]

    [4]. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
    [5]. It will scan removable drives; wait for the scan to finish. Done.

Becky, there is one entry that didn't get removed from the script. I will need to examine the contents, so run this CFScript one more time:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
DirLook::
c:\windows\PIF

Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
====================
Edit: Before I forget- you have 2 old versions of Java still on the system. Please go to Add/Remove Programs in the Control Panel and uninstall all Java except v6u21.
 
Here is the combo fix log. I removed the other Java and the computer seems to be running ok.

Thank you
Becky

ComboFix 10-09-09.03 - Owner 09/09/2010 18:43:32.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.299 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\My Documents\Downloads\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
.

2010-09-07 22:24 . 2010-09-07 22:24 -------- d-----w- C:\_OTM
2010-09-06 21:14 . 2010-09-06 21:14 -------- d-----w- c:\program files\ESET
2010-08-28 13:04 . 2010-08-28 13:04 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-28 13:01 . 2010-08-28 13:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-28 12:47 . 2010-08-28 12:47 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-08 23:54 . 2009-07-12 03:30 -------- d-----w- c:\program files\Java
2010-09-04 23:31 . 2009-07-11 21:55 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-08-28 22:07 . 2009-07-13 01:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-28 13:02 . 2009-07-12 13:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-28 11:35 . 2009-07-12 13:53 -------- d-----w- c:\program files\McAfee
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\PIF ----



((((((((((((((((((((((((((((( SnapShot@2010-09-06_21.08.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-07 22:27 . 2010-09-07 22:27 16384 c:\windows\Temp\Perflib_Perfdata_7a8.dat
+ 2009-07-12 02:01 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
+ 2009-07-12 02:01 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2010-09-07 22:29 . 2010-09-07 22:29 176128 c:\windows\ERDNT\AutoBackup\9-7-2010\Users\00000002\UsrClass.dat
+ 2010-09-07 22:29 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-7-2010\ERDNT.EXE
+ 2010-09-06 22:44 . 2010-09-06 22:44 176128 c:\windows\ERDNT\AutoBackup\9-6-2010\Users\00000002\UsrClass.dat
+ 2010-09-06 22:44 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-6-2010\ERDNT.EXE
+ 2010-09-07 22:29 . 2010-09-07 22:29 2035712 c:\windows\ERDNT\AutoBackup\9-7-2010\Users\00000001\NTUSER.DAT
+ 2010-09-06 22:44 . 2010-09-06 22:44 2031616 c:\windows\ERDNT\AutoBackup\9-6-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-19 1998576]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-10 22:45 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/12/2009 10:17 AM 135336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/12/2009 9:54 AM 88176]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - APPMGMT
.
Contents of the 'Scheduled Tasks' folder

2010-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-09-09 c:\windows\Tasks\User_Feed_Synchronization-{187F1E56-F43A-4693-880F-D322638AB6C3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oeyzpp30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-09 18:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(1184)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-09-09 18:50:18
ComboFix-quarantined-files.txt 2010-09-09 22:50
ComboFix2.txt 2010-09-08 23:43
ComboFix3.txt 2010-09-06 21:10

Pre-Run: 17,329,086,464 bytes free
Post-Run: 17,322,184,704 bytes free

- - End Of File - - E3819B876B472C973168F059F7F58063
 
I downloaded Flash Disinfector and Avira has blocked "G:Autorun.inf". Is this the program or something bad on the thumb drive? I did not proceed until I have confirmation ........

Becky
 
I noticed you also have McAfee on the system. You have downloaded the Flash Disinfector program, right? Go Offline- File> Work Offline> Disable Avira> then run the disinfector.
 
I used the disinfector ... nothing seemed to happen? Not sure what I was expecting though.

Do I need McAfee? Should I disable?
 
I am sorry I did not respond sooner; I have been working on another computer in the house that shares a home network. I decided to clean them all up at once so we don't share our viruses.

This computer seems to be back in working order. I have not noticed anything suspicious today. Thank you.

Becky
 
I saw McAfee but it's only the site advisor so I left it:

Please run this CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\program files\mcafee\siteadvisor\McSACore.exe
Folder::
c:\program files\McAfee
c:\windows\PIF
DDS::
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

Extra::
File::
c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
Firefox::
Firefox-: -  Profile - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\oeyzpp30.default\

Driver::
McAfee SiteAdvisor Service

Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
Can you scan the flash drive with Eset Nod32, the online scan?
 
I will try the Eset scan. Combo fix log attached:

ComboFix 10-09-13.01 - Owner 09/13/2010 19:10:45.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.268 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\My Documents\Downloads\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point

FILE ::
"c:\program files\mcafee\siteadvisor\components\McFFPlg.dll"
"c:\program files\mcafee\siteadvisor\McSACore.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\mcafee\sitead~1\mcieplg.dll
c:\program files\McAfee
c:\program files\McAfee\SiteAdvisor\ActUtil.exe
c:\program files\McAfee\SiteAdvisor\apengine.dll
c:\program files\McAfee\SiteAdvisor\chrome.manifest
c:\program files\McAfee\SiteAdvisor\cntscan.dll
c:\program files\McAfee\SiteAdvisor\Components\IMcFFPlg.xpt
c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
c:\program files\McAfee\SiteAdvisor\content.dat
c:\program files\McAfee\SiteAdvisor\contents.rdf
c:\program files\McAfee\SiteAdvisor\default.txt
c:\program files\McAfee\SiteAdvisor\Download\s1qk
c:\program files\McAfee\SiteAdvisor\Download\s1qk.1
c:\program files\McAfee\SiteAdvisor\Download\s1qk.2
c:\program files\McAfee\SiteAdvisor\Download\s1qk.3
c:\program files\McAfee\SiteAdvisor\Download\s1qk.4
c:\program files\McAfee\SiteAdvisor\Download\s1qk.5
c:\program files\McAfee\SiteAdvisor\Download\s1qk.6
c:\program files\McAfee\SiteAdvisor\Download\s1qk.7
c:\program files\McAfee\SiteAdvisor\Download\s1qk.8
c:\program files\McAfee\SiteAdvisor\Download\s1qk.9
c:\program files\McAfee\SiteAdvisor\Download\s1qk.a
c:\program files\McAfee\SiteAdvisor\Download\s1qk.b
c:\program files\McAfee\SiteAdvisor\Download\s1qk.c
c:\program files\McAfee\SiteAdvisor\Download\s1qk.d
c:\program files\McAfee\SiteAdvisor\Download\s1qk.e
c:\program files\McAfee\SiteAdvisor\Download\s1qk.f
c:\program files\McAfee\SiteAdvisor\Download\s1qk.g
c:\program files\McAfee\SiteAdvisor\Download\s1qk.h
c:\program files\McAfee\SiteAdvisor\Download\s1qk.i
c:\program files\McAfee\SiteAdvisor\Download\s1qk.j
c:\program files\McAfee\SiteAdvisor\Download\s1qk.k
c:\program files\McAfee\SiteAdvisor\Download\s1qk.l
c:\program files\McAfee\SiteAdvisor\Download\s1qk.m
c:\program files\McAfee\SiteAdvisor\Download\s1qk.n
c:\program files\McAfee\SiteAdvisor\Download\s1qk.o
c:\program files\McAfee\SiteAdvisor\Download\s1qk.p
c:\program files\McAfee\SiteAdvisor\Download\s1qk.q
c:\program files\McAfee\SiteAdvisor\Download\s1qk.r
c:\program files\McAfee\SiteAdvisor\Download\s1uc
c:\program files\McAfee\SiteAdvisor\Download\s1uc.1
c:\program files\McAfee\SiteAdvisor\Download\s1uc.2
c:\program files\McAfee\SiteAdvisor\Download\s1uc.3
c:\program files\McAfee\SiteAdvisor\Download\s1uc.4
c:\program files\McAfee\SiteAdvisor\elist.dat
c:\program files\McAfee\SiteAdvisor\ffplg.inf
c:\program files\McAfee\SiteAdvisor\ieplg.inf
c:\program files\McAfee\SiteAdvisor\install.rdf
c:\program files\McAfee\SiteAdvisor\mcbrwctl.dll
c:\program files\McAfee\SiteAdvisor\mcfrmwk.dll
c:\program files\McAfee\SiteAdvisor\McIEPlg.dll
c:\program files\McAfee\SiteAdvisor\McPlgUI.dll
c:\program files\mcafee\siteadvisor\McSACore.exe
c:\program files\McAfee\SiteAdvisor\McSACorePS.dll
c:\program files\McAfee\SiteAdvisor\msacmain.inf
c:\program files\McAfee\SiteAdvisor\sa_cache_sqlite.dll
c:\program files\McAfee\SiteAdvisor\sa_http_win32.dll
c:\program files\McAfee\SiteAdvisor\SA_indep.inf
c:\program files\McAfee\SiteAdvisor\SA_main.inf
c:\program files\McAfee\SiteAdvisor\sa_mbl.dll
c:\program files\McAfee\SiteAdvisor\sa_store_sqlite.dll
c:\program files\McAfee\SiteAdvisor\SA_win32.inf
c:\program files\McAfee\SiteAdvisor\sac.inf
c:\program files\McAfee\SiteAdvisor\sachook.inf
c:\program files\McAfee\SiteAdvisor\sacimg.inf
c:\program files\McAfee\SiteAdvisor\sacomm.inf
c:\program files\McAfee\SiteAdvisor\sacore.dll
c:\program files\McAfee\SiteAdvisor\sacore.inf
c:\program files\McAfee\SiteAdvisor\sacres.inf
c:\program files\McAfee\SiteAdvisor\safelocalization.inf
c:\program files\McAfee\SiteAdvisor\sahook.dll
c:\program files\McAfee\SiteAdvisor\saplugin.dll
c:\program files\McAfee\SiteAdvisor\sares.dll
c:\program files\McAfee\SiteAdvisor\SASet.dll
c:\program files\McAfee\SiteAdvisor\saSets.ini
c:\program files\McAfee\SiteAdvisor\SaSSHMod.dll
c:\program files\McAfee\SiteAdvisor\saupkeep.dll
c:\program files\McAfee\SiteAdvisor\Scripts\balloon.html
c:\program files\McAfee\SiteAdvisor\Scripts\balloon_logo.gif
c:\program files\McAfee\SiteAdvisor\Scripts\balloon_logo_plus.gif
c:\program files\McAfee\SiteAdvisor\Scripts\blackpixel.gif
c:\program files\McAfee\SiteAdvisor\Scripts\bullet.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_black.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_black_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_disabled.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_green.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_green_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_grey.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_grey_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_hs.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_hs_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_red.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_red_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_yellow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\button_yellow_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\common.js
c:\program files\McAfee\SiteAdvisor\Scripts\contents.rdf
c:\program files\McAfee\SiteAdvisor\Scripts\corner-solid.gif
c:\program files\McAfee\SiteAdvisor\Scripts\cornersm-hollow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\cornersm-solid.gif
c:\program files\McAfee\SiteAdvisor\Scripts\down_arrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\download_careful.gif
c:\program files\McAfee\SiteAdvisor\Scripts\download_unsafe.gif
c:\program files\McAfee\SiteAdvisor\Scripts\empty.gif
c:\program files\McAfee\SiteAdvisor\Scripts\error-icon.gif
c:\program files\McAfee\SiteAdvisor\Scripts\favicon.ico
c:\program files\McAfee\SiteAdvisor\Scripts\g.png
c:\program files\McAfee\SiteAdvisor\Scripts\g_banner_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_banner_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_banner_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_banner_sep.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_bottom_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_bottom_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_bottom_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_bottom_sep.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_facet.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_footer_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_footer_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_footer_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_header_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_header_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_header_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_icon.gif
c:\program files\McAfee\SiteAdvisor\Scripts\g_upsell_border.gif
c:\program files\McAfee\SiteAdvisor\Scripts\gl.png
c:\program files\McAfee\SiteAdvisor\Scripts\gleftarrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\gllc.png
c:\program files\McAfee\SiteAdvisor\Scripts\glrc.png
c:\program files\McAfee\SiteAdvisor\Scripts\gr.png
c:\program files\McAfee\SiteAdvisor\Scripts\green.gif
c:\program files\McAfee\SiteAdvisor\Scripts\greenbubble.gif
c:\program files\McAfee\SiteAdvisor\Scripts\greendownarrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\greenuparrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\grightarrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\gul.png
c:\program files\McAfee\SiteAdvisor\Scripts\gulc.png
c:\program files\McAfee\SiteAdvisor\Scripts\gurc.png
c:\program files\McAfee\SiteAdvisor\Scripts\hackersafe.gif
c:\program files\McAfee\SiteAdvisor\Scripts\hs.gif
c:\program files\McAfee\SiteAdvisor\Scripts\hs_icon.gif
c:\program files\McAfee\SiteAdvisor\Scripts\inst-background.gif
c:\program files\McAfee\SiteAdvisor\Scripts\inst-top.gif
c:\program files\McAfee\SiteAdvisor\Scripts\inst-xup.gif
c:\program files\McAfee\SiteAdvisor\Scripts\large-buttonC.gif
c:\program files\McAfee\SiteAdvisor\Scripts\large-buttonL.gif
c:\program files\McAfee\SiteAdvisor\Scripts\large-buttonR.gif
c:\program files\McAfee\SiteAdvisor\Scripts\locale\cs-CZ\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\cs-CZ\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\da-DK\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\da-DK\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\de-DE\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\de-DE\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\el-GR\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\el-GR\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-AU\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-AU\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-CA\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-CA\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-GB\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-GB\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-IE\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-IE\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-US\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-US\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-AR\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-AR\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-CL\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-CL\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-ES\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-ES\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-MX\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-MX\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-PE\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-PE\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\fi-FI\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\fi-FI\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\fr-CA\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\fr-CA\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\fr-FR\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\fr-FR\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\hu-HU\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\hu-HU\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\it-IT\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\it-IT\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\ja-JP\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\ja-JP\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\ko-KR\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\ko-KR\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\nb-NO\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\nb-NO\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\nl-NL\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\nl-NL\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\no-NO\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\no-NO\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\pl-PL\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\pl-PL\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\pt-BR\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\pt-BR\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\pt-PT\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\pt-PT\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\ru-RU\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\ru-RU\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\sk-SK\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\sk-SK\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\sv-SE\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\sv-SE\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\tr-TR\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\tr-TR\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\zh-CN\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\zh-CN\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\zh-TW\FF\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\locale\zh-TW\IE\safe.css
c:\program files\McAfee\SiteAdvisor\Scripts\main.js
c:\program files\McAfee\SiteAdvisor\Scripts\mainff.js
c:\program files\McAfee\SiteAdvisor\Scripts\mcafee_logo.gif
c:\program files\McAfee\SiteAdvisor\Scripts\mcafee_yahoo_cobranded_toolbar.gif
c:\program files\McAfee\SiteAdvisor\Scripts\mcafeesiteadvisor.gif
c:\program files\McAfee\SiteAdvisor\Scripts\mcwedge.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_arrow_down.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_arrow_up.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_black.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_black_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_disabled.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_green.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_green_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_grey.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_grey_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_hs.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_hs_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_red.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_red_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_yellow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_yellow_lock.gif
c:\program files\McAfee\SiteAdvisor\Scripts\protectedmode.gif
c:\program files\McAfee\SiteAdvisor\Scripts\protection.gif
c:\program files\McAfee\SiteAdvisor\Scripts\protmode-off.gif
c:\program files\McAfee\SiteAdvisor\Scripts\protmode-on.gif
c:\program files\McAfee\SiteAdvisor\Scripts\question-icon.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r.png
c:\program files\McAfee\SiteAdvisor\Scripts\r_banner_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_banner_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_banner_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_banner_sep.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_bottom_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_bottom_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_bottom_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_bottom_sep.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_facet.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_footer_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_footer_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_footer_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_header_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_header_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_header_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_header_r_nox.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_icon.gif
c:\program files\McAfee\SiteAdvisor\Scripts\r_upsell_border.gif
c:\program files\McAfee\SiteAdvisor\Scripts\red.gif
c:\program files\McAfee\SiteAdvisor\Scripts\redarrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\redbubble.gif
c:\program files\McAfee\SiteAdvisor\Scripts\reddownarrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\reduparrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\rl.png
c:\program files\McAfee\SiteAdvisor\Scripts\rleftarrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\rllc.png
c:\program files\McAfee\SiteAdvisor\Scripts\rlrc.png
c:\program files\McAfee\SiteAdvisor\Scripts\rr.png
c:\program files\McAfee\SiteAdvisor\Scripts\rrightarrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\rul.png
c:\program files\McAfee\SiteAdvisor\Scripts\rulc.png
c:\program files\McAfee\SiteAdvisor\Scripts\rurc.png
c:\program files\McAfee\SiteAdvisor\Scripts\sa-logo-plus.gif
c:\program files\McAfee\SiteAdvisor\Scripts\sa-logo.gif
c:\program files\McAfee\SiteAdvisor\Scripts\safe-facet-green.gif
c:\program files\McAfee\SiteAdvisor\Scripts\safe-facet-red.gif
c:\program files\McAfee\SiteAdvisor\Scripts\safe-facet-white.gif
c:\program files\McAfee\SiteAdvisor\Scripts\safe-facet-yellow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\safe.xul
c:\program files\McAfee\SiteAdvisor\Scripts\safe_ff.js
c:\program files\McAfee\SiteAdvisor\Scripts\safe_ie.js
c:\program files\McAfee\SiteAdvisor\Scripts\safesearch.dat
c:\program files\McAfee\SiteAdvisor\Scripts\safesearch.js
c:\program files\McAfee\SiteAdvisor\Scripts\saffplg.js
c:\program files\McAfee\SiteAdvisor\Scripts\SAPlus-graphic.gif
c:\program files\McAfee\SiteAdvisor\Scripts\searchglass.gif
c:\program files\McAfee\SiteAdvisor\Scripts\selected_tab.gif
c:\program files\McAfee\SiteAdvisor\Scripts\siteadvisor.gif
c:\program files\McAfee\SiteAdvisor\Scripts\SliderA1.gif
c:\program files\McAfee\SiteAdvisor\Scripts\SliderA2.gif
c:\program files\McAfee\SiteAdvisor\Scripts\SliderA3.gif
c:\program files\McAfee\SiteAdvisor\Scripts\SliderA4.gif
c:\program files\McAfee\SiteAdvisor\Scripts\SliderD1.gif
c:\program files\McAfee\SiteAdvisor\Scripts\SliderD2.gif
c:\program files\McAfee\SiteAdvisor\Scripts\SliderD3.gif
c:\program files\McAfee\SiteAdvisor\Scripts\SliderD4.gif
c:\program files\McAfee\SiteAdvisor\Scripts\small-buttonC.gif
c:\program files\McAfee\SiteAdvisor\Scripts\small-buttonL.gif
c:\program files\McAfee\SiteAdvisor\Scripts\small-buttonR.gif
c:\program files\McAfee\SiteAdvisor\Scripts\unselected_tab.gif
c:\program files\McAfee\SiteAdvisor\Scripts\untested.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_banner_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_banner_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_banner_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_banner_sep.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_bottom_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_bottom_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_bottom_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_bottom_sep.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_footer_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_footer_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_footer_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_header_c.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_header_l.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_header_r.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_icon.gif
c:\program files\McAfee\SiteAdvisor\Scripts\w_upsell_border.gif
c:\program files\McAfee\SiteAdvisor\Scripts\whitebubble.gif
c:\program files\McAfee\SiteAdvisor\Scripts\whitedownarrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\whiteuparrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\wleftarrow.gif
c:\program files\McAfee\SiteAdvisor\Scripts\wrightarrow.gif