Inactive Virus? Safe mode screen is 3/4 blocked

Status
Not open for further replies.

steveow

Posts: 67   +0
1st, Many thanks to be able to come here for help....again.

My teenage son and his buddies really did it this time.
They were browsing smut on 'my' PC when I was out of town and my side business is stalled until I get it fixed.

I have:
Windows XP Pro on Sony Vaio
Internet Explorer
I have Malware Bytes, Avira Anti Virus PE and SuperAntispyware installed when you folks helped me out in 08' with the 8 steps. Computer has worked like a charm ever since.

NOW
When I turn on the PC I only get "Think Point" on my screen....nothing else. Now the problem I'm having when I go to Safe Mode hoping to try and fix this is that same Think Point picture (about 8"X11" sideways) is in the middle of my screen...can't see anything behind it. I've been able to run Malware on Quick Scan because I can see the option to the left, but when I click full scan it will not work . When I opened Avira I did see Avira's start scan option poking out the side of the Think Point banner, but it doesn't do anything when I click it.
My desktop icons only show in Safe Mode, but I have to do Ctrl/Alt/Del and then X it out and then the desktop pops up......strange.

Many thanks in advance.
steveow
 
See how much you can do of this:
ThinkPoint is a rogue anti-spyware program that comes bundled with the fake Microsoft Security Essentials Alert. It will block task manager, registry editor and other tools too claiming that these tools were block due the security reasons and might be infected with malicious code.

The malware authors try to mimic legitimate programs in looks and what the action will be> that's why so many users get drawn into these programs. The main entry we see is hotfix.exe so we will stop it:

  1. Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  2. End Task
    Click on Start> Run> type in taskmgr> OK.
    Double click on the frame at the top of the Processes column to sort
    Find hotfix.exe and click to Highlight
    Click on End Task
  3. Unhide
    Click on Start> Search> All Files and Folders
    Go up to Tools> Folder Options
    Click on the View tab
    Check 'Show hidden files and folders'
    Uncheck 'Hide protected operating system files (Recommended)'
    Click on OK> Apply> OK
  4. Search
    Go to Search> 'all or part of the name'
    Type in hotfix.exe
    (It should be found in this folder: C:\Documents and Settings\User\Application Data\hotfix.exe
    Do a right click> Delete on the file
  5. Rehide the files and folders.
Close
===============================================
Reboot the computer back into Normal Mode
==============================================
 
awesome!!!!!
It worked. The only thing was #4...after App Data\hotfix.exe there wasn't a hotfix.exe in there. A search found nothing either.

I restarted and "Think Point" banner is still on Normal Mode's screen. I'm assuming you're guiding me from here?

sincerely, steveow
 
Bobbye,
Ok, I assumed to do the same in normal mode and I'm back at my own computer. :)
In the meantime I'm gonna run SuperAnti etc. and wait for your next directions.
 
Okay, let's do the rest - these have changed a bit since you last used: please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply. We also required logs to be pasted in the reply now and multiple replies can be used if needed. We'll find and get rid of the banner. In fact, I'll give you some tips that would have blocked it in the first place! Remind me.

There will be some other entries to remove, so let's get these logs out first.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Virus? Safe mode is 3/4 blocked

Back after the holiday.

1st I'll give a little info before the pastes.
I'm still having intermittant internet connections. Safe mode will not connect. In Normal Mode sometimes the desktop is blank except for the background picture. Connection to the net via "Start to Internet Explorer" will Redirect me to "You're a $1000 Winner at Walmart". Connection via desktop Yahoo Email does not redirct me, but this only worked AFTER I ran SuperAntiSpyware in Safe Mode which found 120 infections and that allowed me to connect to the internet via Normal Mode. Hope this info helps some.

(Note: I'm not quite sure if you need the DDS file that needs to be attached via Zip folder....if so, how do I Zip it? I did attach the other one.)

Malwarebytes' Anti-Malware 1.34
Database version: 1778
Windows 5.1.2600 Service Pack 3

11/29/2010 2:25:41 PM
mbam-log-2010-11-29 (14-25-41).txt

Scan type: Quick Scan
Objects scanned: 130122
Time elapsed: 23 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
**********************************************************************************
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-29 20:43:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD2000JD-98HBB0 rev.08.02D08
Running: hj7ml28w.exe; Driver: C:\DOCUME~1\STEVER~1\LOCALS~1\Temp\kxdiyfoc.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 390721712 (+255): rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A306292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8A306292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A306292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A306292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A306292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A306292
Device \Device\Ide\IdeDeviceP2T0L0-17 -> \??\IDE#DiskWDC_WD2000JD-98HBB0_____________________08.02D08#4457572d4143384c383136333433_036_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----
******************************************************************************************
**DDS**
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\V CAST Media Manager\MEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\steve r warner\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {F35CE83E-9EBF-40D5-AE87-53F982389740} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [PhotoExplosionCalCheck] c:\program files\nova development\photo explosion deluxe 3.0\calcheck.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [COMODO SafeSurf] "c:\program files\comodo\safesurf\cssurf.exe" -s
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\stever~1\startm~1\programs\startup\vcastm~1.lnk - c:\program files\v cast media manager\MEMonitor.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://svca.solidworks.com/htdocs/pdownload/edrawings/e2009sp03/cab/eModelsStandard.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\cssdll32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-11-30 00:34:33 -------- d-----w- C:\Adobe
2010-11-20 01:35:35 239 ----a-w- c:\docume~1\stever~1\applic~1\scgdfgasfbh.bat

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2000JD-98HBB0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-17

device: opened successfully
user: MBR read successfully

Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-17 -> \??\IDE#DiskWDC_WD2000JD-98HBB0_____________________08.02D08#4457572d4143384c383136333433_036_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A310292
user != kernel MBR !!!
sectors 390721966 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 21:18:29.70 ===============
 
I'm on a different computer.
What a mess! The earlier pastes (scans from last night) may be of little consequence because now I can't even connect to the net without being redirected to the $1000 Walmart Winner. Now after each redirection I had to unplug the computer due to freeze up and then I ran SuperAntiSpyware each time and it found 70, 35 and 27 infections . At this time I'm running the Full Scan and it's finding more infections. Each time the Malware Scan and Avira Scan found zero infections. Interesting that I couldn't update Malwarebytes because it didn't ever do anything, but after running the first SuperSpyware I opened Malware and this time it ran updates. Either way there's was still no infections.
Here's something interesting regarding Firewall....during one of the restarts, which takes at least 5 minutes, I noticed my Comodo icon on the bottom right said my firewall was disabled. I opened it up and it's checked Enabled.

I hope some of this info helps.
signed, *^&%!!!
 
Download the following program to a flash drive, then run it on the problem computer:

  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe. to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
===========================================
If you can get on and stay long enough, run this online virus scan:

Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
thanks, Bobbye

It's 7:40 PST.
I'll give it a go on my computer.

FYI as it may be of importance.
Last night I just unplugged the internet cable because it seemed infections were starting right after a reboot or a start without touching anything.
****So after I unplugged the cable I ran Avira, MalwareBytes Full Scan and SuperAntiSpyware Full Scan. Avira found nothing, but Malware Full Scan found a Trogan that Quick Scan didn't find and of course SASpyware found 17 more infections. With the internet unplugged I ran MalwareBytes, TFC, GMER and DDS. There were RootKit problems. I wasn't sure whether to try and paste or not.
 
ESET paste below.

Still being redirected to "Walmart 1000 dollar Winner", however, my computer is now running faster and I'm on it :)

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c690de05c0d0fd45a7b5e4ee0e5700b4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-02 05:18:54
# local_time=2010-12-01 09:18:54 (-0800, Pacific Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777215 100 0 0 0 0 0
# compatibility_mode=1792 16777191 100 0 56534871 56534871 0 0
# compatibility_mode=3586 16764926 0 1 116460142 116460142 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=108069
# found=1
# cleaned=1
# scan_time=3152
C:\Documents and Settings\steve's other documents\Local Settings\Application Data\CyberDefender\sssTbar.dll probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
******************************************************************************************************************
 
Please do not start any other threads about this problem. The second thread has been closed.

Considerable searching brought about some sites to put in the restricted zone:
Access Internet Options through the Control Panel or Tools in IE: Security tab> Restricted Sites> put each of the following in exactly as I have them> Click on Block after each:
*.cowonglobal.com
*.pcmike.com
*.walmart.com
*.pcmike.com

Click on Apply> OK

If you get a message saying any are already in another zone, Exit the Restricted Zone and enter the Trusted Sites> Sites> Remove all content in this zone.
Then put the above sites in the Restricted Zone.

Do you have or are you using the Cowon's X7 PMS? It's portable media like a Smart Phone

After you do this, you need to delete all of your Cookies and temporary internet files. This and the above can all be done disconnected from the internet or you can boot into Safe Mode

I need to see the TDSSKiller log.
When you connect again to the internet, I'd like a new scan with Eset online virus scanner. Do not check for removal of the entries. I can do that with a special program that will remove associated files.
==============================================
Just so you know: I do find it aggravating though that you are gone for a week, then come back and post "Back after the holiday".
19 hours ago I asked you to run TDSSKiller.zip and the Eset online scan. You disconnected from the internet and did not run it. The directions for the Eset scan state:
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
but the entries it found show "(cleaned by deleting - quarantined)"

You have a TDL4 rootkit malware infection
I instructed you to: Download the following program to a flash drive, then run it on the problem computer:
* Download the file TDSSKiller.zip and save to the desktop.
Instead of posting the log for me to check, you state:
With the internet unplugged I ran MalwareBytes, TFC, GMER and DDS. There were RootKit problems. I wasn't sure whether to try and paste or not.

Ignore the Superantispyware find of Tracking Cookies. They are insignificant right now. Try to get out of panic mode and work with me to get the system cleaned up. Right now you aren't able to determine what is and is not important now

Hopefully the air is clear and we can proceed. Rootkits are very tenacious malware. They are not easy to remove and special programs have to be run.
 
I apologize for my apparent ADHD. Running back and forth to my friends PC was crazy.
==================================================================
2010/12/02 17:17:39.0234 SystemInfo:
2010/12/02 17:17:39.0234
2010/12/02 17:17:39.0234 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/02 17:17:39.0234 Product type: Workstation
2010/12/02 17:17:39.0234 ComputerName: STEVE-0B6026E53
2010/12/02 17:17:39.0234 UserName: steve r warner
2010/12/02 17:17:39.0234 Windows directory: C:\WINDOWS
2010/12/02 17:17:39.0234 System windows directory: C:\WINDOWS
2010/12/02 17:17:39.0234 Processor architecture: Intel x86
2010/12/02 17:17:39.0234 Number of processors: 2
2010/12/02 17:17:39.0234 Page size: 0x1000
2010/12/02 17:17:39.0234 Boot type: Normal boot
2010/12/02 17:17:39.0234 ================================================================================
2010/12/02 17:17:39.0515 Initialize success
2010/12/02 17:17:44.0359 ================================================================================
2010/12/02 17:17:44.0359 Scan started
2010/12/02 17:17:44.0359 Mode: Manual;
2010/12/02 17:17:44.0359 ================================================================================
2010/12/02 17:17:46.0125 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/02 17:17:46.0218 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/02 17:17:46.0359 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/02 17:17:46.0453 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/02 17:17:46.0593 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2010/12/02 17:17:47.0000 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/02 17:17:47.0250 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/02 17:17:47.0328 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/02 17:17:47.0453 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/02 17:17:47.0562 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/02 17:17:47.0718 avgio (afa456a6210abe5798561a5758517340) C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
2010/12/02 17:17:47.0828 avgntflt (906f73c4f6b8ba5daabc41a1f04cecfe) C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
2010/12/02 17:17:47.0937 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/02 17:17:48.0031 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/02 17:17:48.0125 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/02 17:17:48.0203 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/02 17:17:48.0281 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/02 17:17:48.0703 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/02 17:17:48.0843 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/02 17:17:48.0968 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/02 17:17:49.0046 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/02 17:17:49.0125 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/02 17:17:49.0281 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/02 17:17:49.0375 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/12/02 17:17:49.0500 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/02 17:17:49.0593 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/02 17:17:49.0671 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/02 17:17:49.0734 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/02 17:17:49.0812 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/02 17:17:49.0921 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
2010/12/02 17:17:50.0000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/02 17:17:50.0078 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/02 17:17:50.0156 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/12/02 17:17:50.0234 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/02 17:17:50.0359 HdAudAddService (9131ede087af04a7d80f7ebadc164254) C:\WINDOWS\system32\drivers\HdAudio.sys
2010/12/02 17:17:50.0453 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/02 17:17:50.0546 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/02 17:17:50.0703 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/02 17:17:50.0890 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/02 17:17:50.0984 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/02 17:17:51.0234 IntcAzAudAddService (1ed9ac45c69e650d4f12d1114132622b) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/12/02 17:17:51.0312 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/02 17:17:51.0406 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/02 17:17:51.0500 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/02 17:17:51.0609 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/02 17:17:51.0687 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/02 17:17:51.0765 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/02 17:17:51.0843 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/02 17:17:51.0921 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/02 17:17:51.0984 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/02 17:17:52.0046 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/02 17:17:52.0109 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/02 17:17:52.0171 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/02 17:17:52.0250 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/02 17:17:52.0500 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/02 17:17:52.0703 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/02 17:17:53.0171 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/02 17:17:53.0468 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/02 17:17:53.0593 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/02 17:17:53.0703 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/02 17:17:53.0843 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/02 17:17:53.0937 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/02 17:17:54.0015 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/02 17:17:54.0078 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/02 17:17:54.0125 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/02 17:17:54.0203 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/02 17:17:54.0296 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/02 17:17:54.0390 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/02 17:17:54.0468 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/02 17:17:54.0546 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/02 17:17:54.0593 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/02 17:17:54.0656 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/02 17:17:54.0703 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/02 17:17:54.0765 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/02 17:17:54.0937 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/02 17:17:55.0000 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/02 17:17:55.0078 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/02 17:17:55.0203 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/02 17:17:55.0296 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/02 17:17:55.0390 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/02 17:17:55.0437 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/02 17:17:55.0515 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/02 17:17:55.0593 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/02 17:17:55.0671 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/02 17:17:55.0750 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/02 17:17:55.0875 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2010/12/02 17:17:55.0968 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/02 17:17:56.0343 pfc (957b82ec80ad7ead64e5e47df6b0dc40) C:\WINDOWS\system32\drivers\pfc.sys
2010/12/02 17:17:56.0468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/02 17:17:56.0531 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/02 17:17:56.0609 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/02 17:17:56.0687 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/02 17:17:56.0953 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/02 17:17:57.0046 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/02 17:17:57.0125 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/02 17:17:57.0171 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/02 17:17:57.0234 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/02 17:17:57.0281 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/02 17:17:57.0375 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/02 17:17:57.0468 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/02 17:17:57.0562 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/02 17:17:57.0687 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/12/02 17:17:57.0796 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/12/02 17:17:58.0000 SASDIFSV (c030c9a39e85b6f04a8dd25d1a50258a) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/02 17:17:58.0062 SASENUM (e9c2d75c748c3f0a4c34d6cf2ae1d754) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2010/12/02 17:17:58.0140 SASKUTIL (64c100dbf57c6cb6e7d5d24153f5e444) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2010/12/02 17:17:58.0281 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/02 17:17:58.0406 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/12/02 17:17:58.0531 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/02 17:17:58.0718 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/02 17:17:58.0812 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/02 17:17:58.0921 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/02 17:17:59.0046 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2010/12/02 17:17:59.0140 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/02 17:17:59.0218 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/02 17:17:59.0484 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/02 17:17:59.0593 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/02 17:17:59.0703 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/02 17:17:59.0781 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/02 17:17:59.0843 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/02 17:18:00.0031 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/02 17:18:00.0171 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/02 17:18:00.0312 usbbus (9419faac6552a51542dbba02971c841c) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2010/12/02 17:18:00.0406 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/02 17:18:00.0500 UsbDiag (c0a466fa4ffec464320e159bc1bbdc0c) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
2010/12/02 17:18:00.0578 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/02 17:18:00.0640 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/02 17:18:00.0718 USBModem (f74a54774a9b0afeb3c40adec68aa600) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2010/12/02 17:18:00.0812 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/02 17:18:00.0890 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/02 17:18:01.0015 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/02 17:18:01.0078 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/02 17:18:01.0140 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/02 17:18:01.0281 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/02 17:18:01.0406 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/02 17:18:01.0546 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/02 17:18:01.0812 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/12/02 17:18:01.0953 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/02 17:18:02.0062 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/02 17:18:02.0328 ================================================================================
2010/12/02 17:18:02.0328 Scan finished
2010/12/02 17:18:02.0328 ================================================================================
2010/12/02 17:17:39.0234 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
2010/12/02 17:17:39.0234 ================================================================================
2010/12/02 17:17:39.0234 SystemInfo:
2010/12/02 17:17:39.0234
2010/12/02 17:17:39.0234 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/02 17:17:39.0234 Product type: Workstation
2010/12/02 17:17:39.0234 ComputerName: STEVE-0B6026E53
2010/12/02 17:17:39.0234 UserName: steve r warner
2010/12/02 17:17:39.0234 Windows directory: C:\WINDOWS
2010/12/02 17:17:39.0234 System windows directory: C:\WINDOWS
2010/12/02 17:17:39.0234 Processor architecture: Intel x86
2010/12/02 17:17:39.0234 Number of processors: 2
2010/12/02 17:17:39.0234 Page size: 0x1000
2010/12/02 17:17:39.0234 Boot type: Normal boot
2010/12/02 17:17:39.0234 ================================================================================
2010/12/02 17:17:39.0515 Initialize success
2010/12/02 17:17:44.0359 ================================================================================
2010/12/02 17:17:44.0359 Scan started
2010/12/02 17:17:44.0359 Mode: Manual;
2010/12/02 17:17:44.0359 ================================================================================
2010/12/02 17:17:46.0125 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/02 17:17:46.0218 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/02 17:17:46.0359 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/02 17:17:46.0453 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/02 17:17:46.0593 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2010/12/02 17:17:47.0000 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/02 17:17:47.0250 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/02 17:17:47.0328 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/02 17:17:47.0453 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/02 17:17:47.0562 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/02 17:17:47.0718 avgio (afa456a6210abe5798561a5758517340) C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
2010/12/02 17:17:47.0828 avgntflt (906f73c4f6b8ba5daabc41a1f04cecfe) C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
2010/12/02 17:17:47.0937 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/02 17:17:48.0031 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/02 17:17:48.0125 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/02 17:17:48.0203 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/02 17:17:48.0281 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/02 17:17:48.0703 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/02 17:17:48.0843 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/02 17:17:48.0968 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/02 17:17:49.0046 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/02 17:17:49.0125 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/02 17:17:49.0281 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/02 17:17:49.0375 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/12/02 17:17:49.0500 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/02 17:17:49.0593 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/02 17:17:49.0671 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/02 17:17:49.0734 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/02 17:17:49.0812 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/02 17:17:49.0921 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
2010/12/02 17:17:50.0000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/02 17:17:50.0078 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/02 17:17:50.0156 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/12/02 17:17:50.0234 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/02 17:17:50.0359 HdAudAddService (9131ede087af04a7d80f7ebadc164254) C:\WINDOWS\system32\drivers\HdAudio.sys
2010/12/02 17:17:50.0453 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/02 17:17:50.0546 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/02 17:17:50.0703 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/02 17:17:50.0890 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/02 17:17:50.0984 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/02 17:17:51.0234 IntcAzAudAddService (1ed9ac45c69e650d4f12d1114132622b) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/12/02 17:17:51.0312 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/02 17:17:51.0406 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/02 17:17:51.0500 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/02 17:17:51.0609 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/02 17:17:51.0687 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/02 17:17:51.0765 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/02 17:17:51.0843 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/02 17:17:51.0921 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/02 17:17:51.0984 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/02 17:17:52.0046 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/02 17:17:52.0109 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/02 17:17:52.0171 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/02 17:17:52.0250 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/02 17:17:52.0500 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/02 17:17:52.0703 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/02 17:17:53.0171 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/02 17:17:53.0468 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/02 17:17:53.0593 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/02 17:17:53.0703 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/02 17:17:53.0843 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/02 17:17:53.0937 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/02 17:17:54.0015 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/02 17:17:54.0078 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/02 17:17:54.0125 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/02 17:17:54.0203 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/02 17:17:54.0296 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/02 17:17:54.0390 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/02 17:17:54.0468 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/02 17:17:54.0546 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/02 17:17:54.0593 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/02 17:17:54.0656 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/02 17:17:54.0703 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/02 17:17:54.0765 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/02 17:17:54.0937 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/02 17:17:55.0000 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/02 17:17:55.0078 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/02 17:17:55.0203 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/02 17:17:55.0296 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/02 17:17:55.0390 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/02 17:17:55.0437 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/02 17:17:55.0515 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/02 17:17:55.0593 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/02 17:17:55.0671 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/02 17:17:55.0750 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/02 17:17:55.0875 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2010/12/02 17:17:55.0968 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/02 17:17:56.0343 pfc (957b82ec80ad7ead64e5e47df6b0dc40) C:\WINDOWS\system32\drivers\pfc.sys
2010/12/02 17:17:56.0468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/02 17:17:56.0531 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/02 17:17:56.0609 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/02 17:17:56.0687 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/02 17:17:56.0953 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/02 17:17:57.0046 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/02 17:17:57.0125 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/02 17:17:57.0171 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/02 17:17:57.0234 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/02 17:17:57.0281 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/02 17:17:57.0375 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/02 17:17:57.0468 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/02 17:17:57.0562 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/02 17:17:57.0687 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/12/02 17:17:57.0796 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/12/02 17:17:58.0000 SASDIFSV (c030c9a39e85b6f04a8dd25d1a50258a) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/02 17:17:58.0062 SASENUM (e9c2d75c748c3f0a4c34d6cf2ae1d754) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2010/12/02 17:17:58.0140 SASKUTIL (64c100dbf57c6cb6e7d5d24153f5e444) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2010/12/02 17:17:58.0281 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/02 17:17:58.0406 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/12/02 17:17:58.0531 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/02 17:17:58.0718 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/02 17:17:58.0812 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/02 17:17:58.0921 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/02 17:17:59.0046 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2010/12/02 17:17:59.0140 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/02 17:17:59.0218 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/02 17:17:59.0484 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/02 17:17:59.0593 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/02 17:17:59.0703 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/02 17:17:59.0781 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/02 17:17:59.0843 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/02 17:18:00.0031 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/02 17:18:00.0171 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/02 17:18:00.0312 usbbus (9419faac6552a51542dbba02971c841c) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2010/12/02 17:18:00.0406 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/02 17:18:00.0500 UsbDiag (c0a466fa4ffec464320e159bc1bbdc0c) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
2010/12/02 17:18:00.0578 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/02 17:18:00.0640 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/02 17:18:00.0718 USBModem (f74a54774a9b0afeb3c40adec68aa600) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2010/12/02 17:18:00.0812 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/02 17:18:00.0890 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/02 17:18:01.0015 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/02 17:18:01.0078 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/02 17:18:01.0140 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/02 17:18:01.0281 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/02 17:18:01.0406 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/02 17:18:01.0546 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/02 17:18:01.0812 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/12/02 17:18:01.0953 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/02 17:18:02.0062 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/02 17:18:02.0328 ================================================================================
2010/12/02 17:18:02.0328 Scan finished
2010/12/02 17:18:02.0328 ================================================================================
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c690de05c0d0fd45a7b5e4ee0e5700b4
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-03 01:06:20
# local_time=2010-12-02 05:06:20 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777215 100 0 0 0 0 0
# compatibility_mode=1792 16777175 100 0 56606217 56606217 0 0
# compatibility_mode=3586 16764926 0 1 116531488 116531488 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=114889
# found=7
# cleaned=0
# scan_time=3052
C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.D trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.D trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.D trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.A trojan 00000000000000000000000000000000 I
 
Here's the ESET scan:

esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c690de05c0d0fd45a7b5e4ee0e5700b4
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-03 01:06:20
# local_time=2010-12-02 05:06:20 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777215 100 0 0 0 0 0
# compatibility_mode=1792 16777175 100 0 56606217 56606217 0 0
# compatibility_mode=3586 16764926 0 1 116531488 116531488 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=114889
# found=7
# cleaned=0
# scan_time=3052
C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.D trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.D trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.D trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.A trojan 00000000000000000000000000000000 I

I think it was too long, so I added this second reply.

Thanks,
steveow
 
Was there anything after this in the TDSSKiller log?
2010/12/02 17:18:02.0328 =======================
2010/12/02 17:18:02.0328 Scan finished
2010/12/02 17:18:02.0328 =========================================
But immediately following the above is: esets_scanner_update returned -1 esets_gle=53251 and another Eset log in the next post.
The log you left appears to have several sections saying TDSS rootkit removing tool 2.4.10.0. The end should show what was found and the action taken. That past is missing

Please download OTMovit by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    :Files  
    C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0006.dta 
    C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0007.dta 
    C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0008.dta 
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0003.dta 
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0005.dta 
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0006.dta 
    C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0007.dta 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

What is the status of the system now? Any changes? Did the restrictions I had you put in stop the Walmart popup?
 
Got the Paste below.
Sorry about the missing paste. It appeared to be too long and I thought I split it up correctly.
Anyway, my computer is working at lightening speed once again. Thank you, Bobbye.
No more popups or spying etc. and Avira is automatically updating like it used to.

You mentioned in your first post to remind you on how to stop this from happening in the first place. **Oh, I'm not running Cowon's X7 PMS.
Thanks so much.

All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0006.dta moved successfully.
C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0007.dta moved successfully.
C:\TDSSKiller_Quarantine\01.12.2010_21.32.51\boot0000\tdlfs0000\tsk0008.dta moved successfully.
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0003.dta moved successfully.
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0005.dta moved successfully.
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0006.dta moved successfully.
C:\TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0007.dta moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: All Users.WINDOWS

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gabriel Warner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 146097451 bytes
->Flash cache emptied: 9480 bytes

User: Owner

User: steve r warner
->Temp folder emptied: 326658076 bytes
->Temporary Internet Files folder emptied: 19124968 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 18458 bytes

User: Steve Warner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: steve's documents

User: steve's other documents
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13330073 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 2482589 bytes

Total Files Cleaned = 484.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 12032010_221133

Files moved on Reboot...

Registry entries deleted on Reboot...
 
So Walmart finally packed up and left! Awesome! Run this last scan for me and then I'l have you remove the cleaning tools and logs:
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zipand save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:22:11 PM, on 12/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\V CAST Media Manager\MEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\steve r warner\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: V CAST Media Monitor.lnk = C:\Program Files\V CAST Media Manager\MEMonitor.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: .update.microsoft.com[/url]
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://svca.solidworks.com/htdocs/pdownload/edrawings/e2009sp03/cab/eModelsStandard.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 9302 bytes
 
***** Bobbye****
My side business is custom harmonica microphones and vintage mics and a little while ago I was searching for a rare mic (Shure PE5h) and I ended up getting hit with a few virus warnings from Avira. I immediately closed all programs and ran another virus scan that found the other 2. I assume all is good, but I pasted here to see if you think all is ok.

The highlighted link took me to udu.3.3web.me/Shure-PE5h


Avira AntiVir Personal
Report file date: Saturday, December 04, 2010 18:52

Scanning for 3118676 virus strains and unwanted programs.

Licensed to: Avira AntiVir Personal - FREE Antivirus
Serial number: 0000149996-ADJIE-0000001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: STEVE-0B6026E53

Version information:
BUILD.DAT : 8.2.0.354 17048 Bytes 2009/10/23 13:15:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 2008/11/18 17:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 2008/05/26 16:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 2008/06/12 21:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 2008/05/26 16:58:52
ANTIVIR0.VDF : 7.10.0.0 19875328 Bytes 2009/11/06 03:47:07
ANTIVIR1.VDF : 7.10.13.83 22449008 Bytes 2010/11/02 20:36:06
ANTIVIR2.VDF : 7.10.14.181 1668000 Bytes 2010/12/03 05:15:49
ANTIVIR3.VDF : 7.10.14.189 37888 Bytes 2010/12/03 05:15:50
Engineversion : 8.2.4.120
AEVDF.DLL : 8.1.2.1 106868 Bytes 2010/08/31 18:39:53
AESCRIPT.DLL : 8.1.3.48 1286524 Bytes 2010/12/03 04:07:56
AESCN.DLL : 8.1.7.2 127349 Bytes 2010/11/22 23:17:29
AESBX.DLL : 8.1.3.2 254324 Bytes 2010/11/22 23:17:28
AERDL.DLL : 8.1.9.2 635252 Bytes 2010/09/22 17:14:05
AEPACK.DLL : 8.2.4.1 512375 Bytes 2010/12/03 04:07:52
AEOFFICE.DLL : 8.1.1.10 201084 Bytes 2010/11/22 23:17:26
AEHEUR.DLL : 8.1.2.52 3109238 Bytes 2010/12/04 05:16:01
AEHELP.DLL : 8.1.16.0 246136 Bytes 2010/12/03 04:07:38
AEGEN.DLL : 8.1.5.0 397685 Bytes 2010/12/03 04:07:36
AEEMU.DLL : 8.1.3.0 393589 Bytes 2010/11/22 23:17:11
AECORE.DLL : 8.1.19.0 196984 Bytes 2010/12/03 04:07:34
AEBB.DLL : 8.1.1.0 53618 Bytes 2010/08/31 18:39:27
AVWINLL.DLL : 1.0.0.12 15105 Bytes 2008/07/09 17:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 2008/05/16 18:28:01
AVREP.DLL : 8.0.0.7 159784 Bytes 2010/08/31 18:39:26
AVREG.DLL : 8.0.0.1 33537 Bytes 2008/05/09 20:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2008/02/12 17:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 2008/06/12 21:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2010/10/12 22:21:58
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 2008/06/12 21:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 2008/01/25 21:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 2008/06/12 22:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 2008/06/27 22:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Saturday, December 04, 2010 18:52

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'mshta.exe' - '1' Module(s) have been scanned
Scan process 'mshta.exe' - '1' Module(s) have been scanned
Scan process 'mshta.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'MEMonitor.exe' - '1' Module(s) have been scanned
Scan process 'NkbMonitor.exe' - '1' Module(s) have been scanned
Scan process 'EasyShare.exe' - '1' Module(s) have been scanned
Scan process 'MMonitor.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ACDaemon.exe' - '1' Module(s) have been scanned
Scan process 'hpgs2wnf.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'dlcxcoms.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'hpgs2wnd.exe' - '1' Module(s) have been scanned
Scan process 'ACService.exe' - '1' Module(s) have been scanned
Scan process 'cssurf.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'CalCheck.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
43 processes with 43 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\_OTM\MovedFiles\12032010_221133\C_TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0003.dta
[DETECTION] Is the TR/Agent.8704.76 Trojan
[NOTE] The file was moved to '4d660ead.qua'!
C:\_OTM\MovedFiles\12032010_221133\C_TDSSKiller_Quarantine\02.12.2010_14.36.42\boot0000\tdlfs0000\tsk0005.dta
[DETECTION] Is the TR/Alureon.12288.X Trojan
[NOTE] The file was moved to '4d660eb0.qua'!


End of the scan: Saturday, December 04, 2010 19:59
Used time: 1:08:03 Hour(s)

The scan has been done completely.

15079 Scanning directories
402526 Files were scanned
2 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
402523 Files not concerned
1954 Archives were scanned
1 Warnings
2 Notes
 
The Avira Alerts probably had to do with something undesirable of the site you searched on. Perhaps in looking for something rare, you didn't have a good selections of search sites.

And the Avira scan only showed entries that have been handled already- nothing new. Unfortunately, the AV authors don't write 'location' into their programs so even if it's not active, it shows. The TDSSKiller entries were found and quarantined and the files were move in OTMoveIt. No longer active, but both showing in Avira.

Do you realize that you have 6 digital imaging programs running?
Kodak EasyShare
Nikon PictureProject
Hewlett-Packard\HP Share-to-Web
ArcSoft
PhotoExplosionCalCheck
OLYMPUS Master

Two of these programs, EasyShare and Nikon are set to Global startup. That means that no matter who used the computer, what account is used, that the programs will start. Even if you use these in your side business, you can't use them all at the same time- so why have them running?
And they're from different manufacturers. I would recommend removing them all from the startup menu and using All Programs to launch the one you want at that time. It's a big waste of resources to have these all start on boot and run in the background.

They add up to a total of 15 entries! What do you suppose you could do with all those freed-up resources?!

Let me know about this. If you would like to take any of the 6 off of Startup, do that and then I add those entries to the processes for you to check in the HijackThis log.
 
Woh! Thanks for the info.
You're the expert, so whatever you think is best I'll go with that.
Now:
Olympus was an old camera, so I just deleted it.
Nikon?? My girlfriend had a Nikon with a lost USB cord, so I put her memory card in my Kodak camera to put her pictures on my PC and all pics were transferred back to her PC. If my PC doesn't need it then let's remove it completely.

For my pictures: All I want to keep is PhotoExplosion and the Kodak program. I have a few hundred pics in Olympus 2, but I think all of those are in My Pictures program. As long as I know for sure all of those pics are transferred to my PC then I can remove Olympus 2 from my PC completely.

ArcSoft....dont' even know what that is. If I don't need it(?) then let's delete it off my PC.
I have an HP scanner, but the share to web? If my PC doesn't need then let's remove completely from my PC.

Q. what is Xiph.org? It's in All Programs.

thanks,
steveow
 
If you're not using the program, it should be uninstalled. That does not mean you have to delete any of the pictures. When you transfer pictures from the camera, the Hardware Wizard will open for the camera and you allow the computer to accept it. Be sure the PlugNPlay Service is set to Automatic Startup. But any image folders won't be affected. If you have old images still on the system, you can delete what you want yourself.

Following the processes for you to check in HJT, please refer to Startup Cleanup to finish. Please print it out to make it easier to follow.

Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (See Note 1)
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (See Note 2)
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (See Note 3)
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found (Note 2)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Note 1)

Close all Windows except HijackThis ans click on "Fix Checked."
============================================
Descriptions:
Note 1:The ACDaemon is automatically started when the ArcSoft Connect application is started. This program is a non-essential system process. Removing it from startup can significantly increase your computer’s performance and reliability.

Note 2: I'm having you remove Superantispyware because it has bad Registry entry. You can download the free version again HERE, but know that SUPERAntiSpyware Free Edition does not include real-time blocking or scheduled scanning.

Note 3: "HP's exclusive Share-to-Web software makes it easy to share content with others through our affiliate Internet websites." In other words an application that allows users to upload scanned images to their personal webpages if desired. Available via Start -> Programs
=================================
Startup Cleanup
NOTE: I'm using NAME of PROGRAM as an example below because I wanted to give you the path for a related Service.. But the same path and process can be used for any program. I wanted you to understand where to look and what to do.

  • [1].Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    [2]. Take off Startup: All of the image related processes, all Askbar/Ask.com entries
  • Start> Run> type in msconfig>enter> Selective Startup> Startup menu>
  • Uncheck any process you don't want to start on boot>
  • When finished with all the unchecking> click on Apply> OK
    (Example: you decide you don't need NAME of PROGRAM to start on boot: so you Uncheck NAME of Process

    [3]. Uninstall a program: Nikon, Olympus, ARCSoft, Askbar
  • Start> Settings> Control Panel> Add/Remove Programs> uninstall here> Close
    (But you don't want to uninstall the EasyShare so you leave it- you can start it as needed)

    [4]. Remove program folder (only if program is uninstalled (Nikon, Olympus, ARCSoft, Ask)>
  • Access Windows Explorer:[/B] Right click on Start> Explore:
  • Open My Computer> double click on Local Drive (C)> Programs
  • Find the folder for any program you uninstalled> do a right click> Delete on each folder.
  • Close Windows Explorer.

    [5]. Change Service Startup type
  • Start> Run> type in services.msc
  • Double click the Service> Change the Startup type as follows:
    [o]For a Service related to a program you will use as needed but does no start on boot> Manual ( if Kodak EasyShare or PhotoExplosion has a Service, set to Manual
    [o]For a Service related to a program you have uninstalled> Disable Startup type> stop Service (ArcSoft Connect Daemon)
  • Close Services.
(Example:C:\Program Files NAME [/b] has a Service that will start it automatically, but you want to change that: so you find SERVICE name in the Services and double-click:Change Automatic to Manual)

Reboot the computer back into Normal Mode: NOTE: the first time you reboot after using msconfig, you get a nag message that you can ignore and close after checking 'don show this message again.' Stay in Selective Startup.

Summary:

  • [1]. Boot into Safe Mode first.
    [2]. Uncheck the process on the Start menu to stop the process from starting on boot.
    [3]. uninstall any program or app you don't need or use,
    [4]..Remove the program folder if you uninstalled the program.
    [5]. Change any associated Service to either Disabled or Manual Startup.

This is not complicated! It's step by step, easy to follow.
Let me know when you've finished and we'll clean up.
 
OK, bobbye, it's done. However, some programs in Add/Romove would not remove while in safe mode. The ones that didn't I went to normal mode and then right back to safe mode.
Now in safe mode Services.msc I accidentally single clicked on the manual/auto tab and everything went to auto. I then reclicked it hoping to get back to how it was, but no dice as it changed everything to manual. Not sure how, but the first 30 or 40 are in manual and then some are disabled and then the rest are auto. I don't know what to do there. Is it possible that they were restored to how they were when I got there but just in order of manual or auto?
Most of those programs I don't even know what the heck they are.
Now what?
 
Fri. 4:22pm. I just turned my computer on for the first time since last night and that dang $1000 Walmart Winner banner appeared again. And for some reason most of the spam garbage is entering my sbcglobal.net email.
I will head over to the restricted sites and see if that works. I'm learning
 
If you didn't put these domains in the restricted Sites, please do it now.

Where does the Walmart banner appear? When it does:
  • Click on Start> Run> type in taskmgr> OK.
  • Double click on the frame at the top of the Processes column to sort
  • Find hotfix.exe and click to Highlight >>> see if this appears
  • Click on End Task

I need to know if Think Point is still on the system. I'd also like you to try and run the scans in Normal Mode. As you probably know, all the processes don't run in Safe Mode.

What did you do of the instructions I gave you in my Reply #21? Did you reboot the computer after finishing it? 5 days ago, I listed entries in the HJT log to be checked. Did you do that? Then I followed with Startup Cleanup How much of this did you do- if any?

I "assumed", that the Walmart banner stopped after you restricted the Domains, but now it sound like my assumption was wrong- it was only a 'coincidence', making the 'a out of you and me', as it tends to do!

Please run the Eset scan again. It will require internet connection..

If you still have Combofix on the desktop, I'd like you to rescan with it, after update: Follow this since you already have it:
  • .Close any open browsers.
  • . Double click combofix.exe & follow the prompts to run.
    [o]. If Combofix asks you to update the program, always allow.
  • Before you click on continuing to Scan: Disable the security.
  • Click on Scan
  • A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..

Regarding spam in the mail-
Isn't sbcglobal.net email. web-based email? A web based email is only as good as the filters from the ISP.
 
Thank you for your reply, Bobbye.
I'm on a friends computer. Couldn't get back Sat as I had a boat parade to attend.

Everything was done up to #5. During that process is when it didn't go as planned. I accidentally clicked the column that turned everything into auto. I then clicked it again hoping to get a return to what it was but of course it wouldn't. The first app. 30 or so said auto and the next app. 10 or 15 said manual and then a few disabled. When I went back to normal mode there was a message that appeared with an apostrophe, a period, a bold dot and another apostrophe. The message said it could not run that set of marks "specified in the registry" I'd X it out and it would come back again.

Normal mode gets the desktop background picture and that's it. Safe mode is very very slow and very little opens.
Now what?
 
Status
Not open for further replies.
Back