
Trojans/malware detected on computer. Popups in browser.

Discussion in 'Virus and Malware Removal' started by SirCarnifex, Feb 24, 2012.

  1. SirCarnifex Newcomer, in training Posts: 68

    Quick note: Avira (which reactivated itself upon reboot) still detects stuff. I've been ignoring messages from Avira because there's been no success in trying to remove anything with it as yet, so I figure if it's not helping the problem, it's best to leave it alone until I go through any processes you instruct me to do. Hope I did it right!

    Okay, I did all the steps that I could do. Waiting on a reply now. Thanks once again.
  2. SirCarnifex Newcomer, in training Posts: 68

    Just a quick side note...

    On the computer I installed Flash Disinfector, about five days later (today) AVG said it detected something bad (Flash Disinfector) and that I should remove it. I let it since I was done with it anyway. I thought perhaps that some anti-virus might think of it as a problem program. AVG also detected something called "password finder". That was removed no problem. I ran Malwarebytes full scan to be sure and it picked up one file (which I had it remove), shown in this log:

    (I posted it here just because I didn't want to start a new thread if I didn't have to.)




    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.07.02

    Windows XP Service Pack 2 x86 NTFS
    Internet Explorer 7.0.5730.13
    V. Aune :: NORDSKA [administrator]

    3/7/2012 7:46:19 AM
    mbam-log-2012-03-07 (07-46-19).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 316728
    Time elapsed: 1 hour(s), 35 minute(s), 1 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http=127.0.0.1:53636 -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  3. Bobbye Helper on the Fringe Posts: 16,406   +16

    Please revisit the directions I left for the Flash Disinfector and note:
    =======================================
    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "LAN Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click Ok to close the Local Area Network (LAN) Settings window.
      o Click Ok to close the Internet Options window.
    ======================================
    If 3rd party Cookies aren't blocked, you will get the Cookies from ads and banners on other sites:
    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK 'accept Cookies from Sites'> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    =======================================
    You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
    Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ===========================================
    You'll be happy to know that Trojan.Agent/Gen-Sirefef (AKA Zero Access Rootkit) is only indicated in System Volume. It is not active in the system. This is where the restore points are kept, and I will have you set a clean restore point and drop old ones when we finish.
    ==========================================
    I'm going to take a break for dinner. I'll try to get back to review Combofix later. If I don't, I'll do it in the morning.
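The proxy reset above is done through the browser GUI. As an added example (not part of this thread and not a tool the helper used), the Python below audits the same two settings the post tells the user to reset: the WinINET values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings that Internet Explorer uses (ProxyEnable, ProxyServer, AutoConfigURL) and the network.proxy.* preferences in a Firefox prefs.js. The registry values and the prefs.js excerpt are constructed sample input; the ProxyServer string copies the shape of the PUM.Bad.Proxy hit in the Malwarebytes log earlier in the thread. The key and preference names are the real ones; reading them live from the registry or the profile directory is left to the reader (on Windows, the winreg module can open that Internet Settings key).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of the WinINET values that live under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
# The ProxyServer string mirrors the PUM.Bad.Proxy entry quoted in the thread.
SAMPLE_IE_SETTINGS = {
    "ProxyEnable": 1,
    "ProxyServer": "http=127.0.0.1:53636",
    "AutoConfigURL": None,
}

# Constructed excerpt of a Firefox prefs.js (not the profile from the thread).
SAMPLE_PREFS_JS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 53636);
user_pref("network.proxy.share_proxy_settings", true);
"""

# Meaning of network.proxy.type in Firefox (5 is the default).
FIREFOX_PROXY_TYPES = {0: "no proxy", 1: "manual", 2: "PAC URL",
                       4: "auto-detect (WPAD)", 5: "use system settings"}

_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def is_loopback(host: str) -> bool:
    """True for 127.x.x.x, localhost and ::1 (with or without IPv6 brackets)."""
    host = host.strip("[]").lower()
    return host in ("localhost", "::1") or host.startswith("127.")


def parse_proxy_server(value: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Parse a WinINET ProxyServer string into {scheme: (host, port)}.

    Two shapes exist: one "host:port" used for every protocol (stored under
    "*"), or a semicolon list of "scheme=host:port" entries (http=, https=,
    ftp=, socks=).
    """
    result: Dict[str, Tuple[str, Optional[int]]] = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        scheme, sep, hostport = entry.partition("=")
        if not sep:
            scheme, hostport = "*", entry
        host, _, port = hostport.rpartition(":")
        if not host:  # no port present
            host, port = hostport, ""
        result[scheme.lower()] = (host, int(port) if port.isdigit() else None)
    return result


def audit_ie_proxy(settings: dict) -> List[str]:
    """Report where IE/WinINET traffic is being sent. A loopback proxy is the
    pattern of a browser hijack, but local filtering or debugging proxies set
    the same thing, so a finding is a lead to verify, not a verdict."""
    findings = []
    if settings.get("AutoConfigURL"):
        findings.append(f"IE: PAC script configured: {settings['AutoConfigURL']}")
    if not settings.get("ProxyEnable"):
        return findings  # ProxyServer is ignored while ProxyEnable is 0
    for scheme, (host, port) in parse_proxy_server(settings.get("ProxyServer", "")).items():
        tag = "loopback proxy (typical of a browser hijack)" if is_loopback(host) else "proxy"
        findings.append(f"IE: {scheme} traffic routed through {tag} {host}:{port}")
    return findings


def parse_prefs_js(text: str) -> Dict[str, object]:
    """Extract user_pref() entries; strings, booleans and integers are typed."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def audit_firefox_proxy(prefs_js: str) -> List[str]:
    """Report the Firefox proxy mode and, for manual mode, each configured host."""
    prefs = parse_prefs_js(prefs_js)
    ptype = prefs.get("network.proxy.type", 5)
    findings = [f"Firefox: network.proxy.type={ptype} ({FIREFOX_PROXY_TYPES.get(ptype, 'unknown')})"]
    if ptype == 1:
        for scheme in ("http", "ssl", "ftp", "socks"):
            host = prefs.get(f"network.proxy.{scheme}")
            if host:
                port = prefs.get(f"network.proxy.{scheme}_port")
                tag = "loopback proxy (typical of a browser hijack)" if is_loopback(str(host)) else "proxy"
                findings.append(f"Firefox: {scheme} traffic routed through {tag} {host}:{port}")
    elif ptype == 2:
        findings.append(f"Firefox: PAC script configured: {prefs.get('network.proxy.autoconfig_url')}")
    return findings


if __name__ == "__main__":
    for line in audit_ie_proxy(SAMPLE_IE_SETTINGS) + audit_firefox_proxy(SAMPLE_PREFS_JS):
        print(line)
```

Run against the constructed sample, both audits point at the same 127.0.0.1:53636 endpoint, which is what "No Proxy" in Firefox and unchecking "Use a proxy server for your LAN" in IE clear; a PAC URL or auto-detect setting is reported as well, since a hijack can hide there instead of in the plain proxy fields.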
  4. SirCarnifex Newcomer, in training Posts: 68

    I already have AdBlock, so that's one less step to do. :)

    I'll get to the others as soon as I can. Thanks again!
  5. Bobbye Helper on the Fringe Posts: 16,406   +16

    There is AdBlockPlus, and EasyList adds more domains to block.

    Is this thread only for 1 computer?
  6. SirCarnifex Newcomer, in training Posts: 68

    AdBlockPlus + EasyList is what I meant. :)

    Technically, yes. I posted the thing about the Flash Disinfector because of the notice I got on the alternate computer, plus I posted the MalwareBytes log on that bad proxy because it came up at the same time as the alert about Flash Disinfector. I was pretty sure it was a false alarm (obviously I remembered that note you posted subconsciously!) but I just mentioned it here just in case. I figure I'm dealing with a virus so it's best to be sure than not. But yeah, I'm just concerned about the one (original) computer at the moment, really, so sorry for the temporary distraction.

    I'm going to go ahead with the steps you mentioned (finally!). Also, is there anything more I need to do with ComboFix after having run it?

    Thanks!
     
  7. SirCarnifex Newcomer, in training Posts: 68

    I ran JavaRa and told it to remove older versions of Java. It appeared to do so, and then before a log file could come up, I got the standard Windows message that "JavaRa has encountered a problem and needs to close. Etc., etc.,". Because of that I didn't yet install the newest version of Java. Should I go ahead and install it anyway despite the message? Thanks!
  8. Bobbye Helper on the Fringe Posts: 16,406   +16

    Nothing for you to do except to run Combofix. The rest is up to me! :)
  9. SirCarnifex Newcomer, in training Posts: 68

    Okay then. I'll just wait for further instructions then since I seem to have done everything except get Java going.
  10. Bobbye Helper on the Fringe Posts: 16,406   +16

    Okay, here's the deal: there are 3 of these processes running:
    c:\windows\system32\devldr32.exe

    Added by an unidentified malware. Note - this is not the legitimate Creative Labs process; malware is hiding under this process name. When non-Windows program files reside in the C:\Windows or C:\Windows\system32 folders, they are not essential and are malicious files. This is the case with Devldr32.exe, and the processes need to be removed:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    1. Log-on to the Administrative account.
    2. Use Windows Explorer to access Computer> Double click on the Local Drive (C)
    3. Scroll down to click on Windows> System 32
    4. Scroll through the list of files and do a right click> Delete on Devldr32
    5. Then look for the dllcache in the System 32 list
    6. Find Devldr.exe and do a right click> Delete
      Note: there are 3 entries of this same file in the same sections. Be sure to delete all 3.


    You will have to open the hidden files for the next part:
    1. Open My Computer.
    2. Go to Tools > Folder Options.
    3. Select the View tab.
    4. Scroll down to Hidden files and folders.
    5. Select Show hidden files and folders.
    6. Uncheck Hide extensions of known file types.
    7. Uncheck Hide protected operating system files (Recommended).
    8. Click Yes when prompted.
    9. Click on Apply> Okay
    ------------------------------
    Using the same path as you did above:
    1. Now visible in the System 32 files: find the dllcache
    2. Find the Devldr.exe file and do right click> Delete
    3. Important: Go back to Folder Options> View tab and recheck 'Don't show hidden files and folders' and recheck 'Hide protected operating system files (Recommended)'> Apply> OK
    4. Close Windows Explorer. Reboot into Normal Mode.
    =====================================
    Empty the Recycle Bin
    =====================================
    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\PerfStringBackup.TMP
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\drivers\mfehidk.sys
    c:\windows\system32\drivers\mfetdi2k.sys
    c:\windows\system32\drivers\mfendisk.sys
    c:\program files\common files\mcafee\systemcore\mfefire.exe
    c:\windows\system32\drivers\cfwids.sys
    c:\windows\system32\drivers\mfesmfk.sys
    c:\windows\system32\drivers\mferkdk.sys
    c:\windows\system32\drivers\mfendisk.sys
    
    FileLook::
    c:\windows\svcs.exe
    
    DDS::
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    
    Clearjavacache::
    
    Driver::
    mfehidk
    mfetdi2k
    mfevtp
    mfendiskmp
    mfefire
    cfwids
    mferkdk
    mfesmfk
    mfendisk
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ================================
    Be sure you have removed these from the Trusted Sites:
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    If you need help, let me know.
    ==============================
    Open Firefox> Tools> Addons> Java Console> remove Java v6u13, v6u21, v6u22, v6u23, v6u26
    ==============================
    Check Add/Remove Programs. If there are any Java versions except v6u31, remove them.

    Please update Java: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Be sure to check all download screens for any pre-checked toolbars or BHO> if found, remove the check before the download.
    ==============================
    Leave the new Combofix log that will be generated after you run the CFFix.

    Let me know how the system is doing when you have finished the above.
  11. SirCarnifex Newcomer, in training Posts: 68

    I ran into a little discrepancy in the following, so I thought I'd better check in first. Okay, I went into WinEx, sys32 as described. I found one Devldr32.exe which I deleted (after having to shut it down in the running processes). This was the only one of that name there. I can find no folder for dllcache, so I can't find all the extra copies of devldr32.exe in there.

    Just continue on with the next steps, or am I missing something here?

    EDIT: Just curious, what's svchost do? I have three of those running!

    EDIT2: I just looked at hidden files to see what was there (yes, dllcache was there!) but there was no Devldr32.exe anywhere to be seen.

    Thanks!

  12. Bobbye Helper on the Fringe Posts: 16,406   +16

    Okay, you can stop with the Devldr32 search for now. Be sure to re-hide the files and folders.

    FYI:
    Courtesy Neuber

    I have 9 entries of svchost.exe running most of the time> all legit, all clean.
    ==============================
    Please go on with the remaining directions.
  13. SirCarnifex Newcomer, in training Posts: 68

    ComboFix Log:



    ComboFix 12-03-06.01 - Christopher Aune 03/16/2012 12:54:43.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2756 [GMT -5:00]
    Running from: c:\documents and settings\Christopher Aune\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Christopher Aune\Desktop\CFScript.txt
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    FILE ::
    "c:\program files\common files\mcafee\systemcore\mfefire.exe"
    "c:\windows\system32\dds_trash_log.cmd"
    "c:\windows\system32\drivers\cfwids.sys"
    "c:\windows\system32\drivers\mfehidk.sys"
    "c:\windows\system32\drivers\mfendisk.sys"
    "c:\windows\system32\drivers\mferkdk.sys"
    "c:\windows\system32\drivers\mfesmfk.sys"
    "c:\windows\system32\drivers\mfetdi2k.sys"
    "c:\windows\system32\PerfStringBackup.TMP"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\veteboot.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-16 to 2012-03-16 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-06 21:21 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2012-03-06 21:10 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-03-06 18:44 . 2012-03-06 18:44 -------- d-----w- c:\documents and settings\Christopher Aune\Application Data\SUPERAntiSpyware.com
    2012-03-06 18:43 . 2012-03-06 18:44 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-03-06 18:43 . 2012-03-06 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-02-25 02:04 . 2012-02-25 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2012-02-25 02:04 . 2012-02-25 02:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-02-18 05:56 . 2012-02-18 05:56 -------- d-----w- c:\documents and settings\Christopher Aune\Application Data\Avira
    2012-02-18 05:55 . 2012-02-25 01:58 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2012-02-18 05:55 . 2011-09-16 05:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2012-02-18 05:55 . 2011-09-16 05:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2012-02-18 05:55 . 2012-02-18 05:55 -------- d-----w- c:\program files\Avira
    2012-02-18 05:55 . 2012-02-18 05:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2012-02-18 04:35 . 2012-02-18 04:35 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-02-17 21:18 . 2012-02-17 21:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-02-16 18:14 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
    2012-02-16 18:14 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-25 08:43 . 2012-01-25 08:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-12 16:53 . 2006-02-28 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
    2011-12-31 00:31 . 2011-12-31 00:34 286720 ----a-w- c:\windows\iun504.exe
    2011-12-17 19:46 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-12-17 19:46 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-17 19:46 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-03-06_21.27.43 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-03-16 17:58 . 2012-03-16 17:58 16384 c:\windows\Temp\Perflib_Perfdata_554.dat
    + 2006-02-28 12:00 . 2012-03-12 19:35 90880 c:\windows\system32\perfc009.dat
    + 2006-02-28 12:00 . 2012-03-12 19:35 509496 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AudioHQ"="c:\program files\Creative\SBLive2k\AudioHQ\AHQTB.EXE" [2000-05-11 205312]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
    "SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
    "MessengerPlus3"="c:\program files\MessengerPlus! 3\MsgPlus.exe" [2009-11-30 190024]
    "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
    "AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\Christopher Aune\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\WINDOWS\\system32\\hasplms.exe"=
    "c:\\Program Files\\Pidgin\\pidgin.exe"=
    "c:\\Program Files\\X-Chat 2\\xchat.exe"=
    "c:\\Program Files\\WarZone\\LobbyClient.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\LucasArts\\Outlaws\\olwin.exe"=
    "c:\\Program Files\\GOGcom\\Sid Meiers Alpha Centauri\\terran.exe"=
    "c:\\Program Files\\MySQL\\MySQL Server 5.1\\bin\\mysqld.exe"=
    "c:\\Program Files\\MySQL\\MySQL Server 5.5\\bin\\mysqld.exe"=
    .
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2/18/2012 12:55 AM 36000]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/18/2012 12:55 AM 86224]
    R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
    S4 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [1/7/2009 1:03 PM 80392]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    apache
    vstor2-ws60
    ati2mtaa
    regspy
    artdhcp
    aswrdr
    AtlsAud
    wdm_au8820
    CamAv
    tosrfusb
    SunkFilt39
    wg5n
    videoacceleratorengine
    DCamUSBDXGTech
    svcwmu
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.25.1
    FF - ProfilePath - c:\documents and settings\Christopher Aune\Application Data\Mozilla\Firefox\Profiles\qy824k2u.default\
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-16 13:00
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\windows\$NtUninstallKB10740$:SummaryInformation 0 bytes hidden from API
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.5\my.ini\" MySQL"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(548)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(748)
    c:\windows\system32\WININET.dll
    c:\program files\MessengerPlus! 3\MsgPlusLoader.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\windows\system32\hasplms.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\SOUNDMAN.EXE
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\avira\antivir desktop\ipmGui.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-16 13:02:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-16 18:02
    ComboFix2.txt 2012-03-06 21:31
    .
    Pre-Run: 378,992,762,880 bytes free
    Post-Run: 378,985,099,264 bytes free
    .
    - - End Of File - - AF879E3634540A633CA055B9F4CAE53D
  14. SirCarnifex Newcomer, in training Posts: 68

    Okay. First, when I loaded back in normal mode, there was nothing in the recycle bin, so I couldn't quite empty what I had deleted in Safe Mode. Should I have gone back into safe mode to put it in the recycle bin? (I didn't)

    ComboFix ran on reduced functionality because it said that I hadn't the latest version. It seemed to run okay though. The log is above.

    I will proceed with the other steps now.
  15. SirCarnifex Newcomer, in training Posts: 68

    Okay, I removed the old Java and installed the new one. That should be it for the steps. While uninstalling the old versions of Java, Avira came up with a message:

    As far as the system, it's running well online and (so far) I haven't had any redirects, though I haven't used google for searches either (which is where I get most redirects). Devldr isn't running anymore either, so I guess that's good. Still wondering if it's sitting in the Safe Mode admin recycle bin though.
  16. Bobbye Helper on the Fringe Posts: 16,406   +16

    Resident virus programs don't distinguish where an entry is. The entry might be in System Volume, which is where the restore points are kept. It is no longer active in the system, and I will have you set a new clean restore point and drop the old ones when we finish. Keep in mind that you have been instructed not to do a System Restore.

    For instance, this is from Superantispyware:
    The entry may also be in the Qoobox> this is where Combofix sends the quarantined files. Same as above> no longer active, will be removed when Combofix is uninstalled.

    Long way to say ignore Avira for now.
    ======================================
    But you do need to run this Eset Online Virus scan:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer:
    3. Open Eset Smart Installer
      o Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      o Double click on the desktop icon to run.
      o After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window.
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
  17. SirCarnifex Newcomer, in training Posts: 68

    ESETScan said there was something found. Here's the complete "log":

    Avira keeps saying it finds stuff (two things this time) but I'm ignoring it for now as you directed.

    As always, thanks for the help.
  18. Bobbye Helper on the Fringe Posts: 16,406   +16

    Please post entire Eset log.

    Don't worry about Avira. Don't even run Avira while I'm helping you.
  19. SirCarnifex Newcomer, in training Posts: 68

    That WAS the entire log that it gave me. Word for word.
  20. Bobbye Helper on the Fringe Posts: 16,406   +16

    Please update and rerun the Eset scan. Hopefully there will be a bit more text to see. While the entry you left can be found, I have never seen it post as a single line with no other text.