Help with rootkit virus - following the 7 steps

SCmember

I have picked up a nasty virus that AVAST is calling rootkit - the error msg is:

MBR:\\.\PhysicalDrive0

I have obviously attempted antivirus scans, bootscans, malware scans to no avail. Coming across your forum and the 7-step Viruses/Spyware/Malware Preliminary Removal Instructions, I am now hoping to find the help I need here.

I have completed STEPS 1, 2 & 3, pasting my GMER log below.



GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-06 11:37:00
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HDS721075KLA330 rev.GK8OA97A
Running: gmer.exe; Driver: C:\DOCUME~1\owner\LOCALS~1\Temp\kxtdapoc.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA0751BF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA0751A5D]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA07A9902]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A5FF53B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A5FF53B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A5FF53B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A5FF53B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A5FF53B
Device aswSP.SYS (avast! self protection module/AVAST Software)
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----
 
dds.log and attach.log

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by owner at 11:52:51 on 2011-06-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2656 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Encore\Common\RaUI.exe
C:\Program Files\Encore\Common\RegistryWriter.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\encore~1.lnk - c:\program files\encore\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Free YouTube Download - c:\documents and settings\owner\application data\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\owner\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: Interfaces\{0D9932C2-E208-431B-A4D8-83AC2A2D47CC} : DhcpNameServer = 192.168.2.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
Notify: itlntfy - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 64.34.212.90 www.google.com
Hosts: 64.34.212.90 www.google.com.au
Hosts: 64.34.212.90 www.google.be
Hosts: 64.34.212.90 www.google.com.br
Hosts: 64.34.212.90 www.google.ca
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\hm48fgqk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60283
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\hm48fgqk.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: DVDVideoSoftTB Community Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-5 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-5 307928]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2011-2-19 1872320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-5 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-4-5 42184]
R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\belkin\belkin usb print and storage center\BkBackupScheduler.exe [2010-5-16 152064]
R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\belkin\belkin usb print and storage center\Bkapcs.exe [2010-5-16 49152]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\encore\common\RegistryWriter.exe [2010-5-13 75040]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2010-5-16 246936]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-9 136176]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2008-4-13 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-5-13 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-9 136176]
S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [2010-5-13 16512]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-5-13 719616]
.
=============== Created Last 30 ================
.
2011-05-18 11:18:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-15 01:07:27 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-15 01:07:26 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-15 01:07:26 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-05-15 01:07:26 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
.
==================== Find3M ====================
.
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDS721075KLA330 rev.GK8OA97A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5FF6F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a605a10]; MOV EAX, [0x8a605a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A680AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000068[0x8A6E7508]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A63E940]
\Driver\atapi[0x8A6A8A08] -> IRP_MJ_CREATE -> 0x8A5FF6F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5FF53B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:54:33.95 ===============





.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/13/2010 12:55:18 PM
System Uptime: 6/6/2011 9:35:50 AM (2 hours ago)
.
Motherboard: Dell Inc. | | 0G679R
Processor: Intel Pentium III Xeon processor | Socket 775 | 2792/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 699 GiB total, 682.545 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP151: 3/8/2011 5:27:47 PM - Installed Windows KB954550-v5.
RP152: 3/8/2011 5:27:52 PM - Printer Driver Microsoft XPS Document Writer Installed
RP153: 3/8/2011 5:27:59 PM - Printer Driver Microsoft XPS Document Writer Installed
RP154: 3/9/2011 3:00:12 AM - Software Distribution Service 3.0
RP155: 3/10/2011 3:00:12 AM - Software Distribution Service 3.0
RP156: 3/11/2011 3:00:16 AM - Software Distribution Service 3.0
RP157: 3/12/2011 3:29:02 AM - System Checkpoint
RP158: 3/13/2011 4:29:16 AM - System Checkpoint
RP159: 3/14/2011 5:29:16 AM - System Checkpoint
RP160: 3/15/2011 8:40:14 AM - System Checkpoint
RP161: 3/16/2011 3:00:12 AM - Software Distribution Service 3.0
RP162: 3/17/2011 3:01:12 AM - System Checkpoint
RP163: 3/18/2011 3:58:51 AM - System Checkpoint
RP164: 3/19/2011 4:58:55 AM - System Checkpoint
RP165: 3/20/2011 4:59:03 AM - System Checkpoint
RP166: 3/21/2011 5:59:03 AM - System Checkpoint
RP167: 3/22/2011 6:47:03 AM - System Checkpoint
RP168: 3/23/2011 8:18:25 AM - System Checkpoint
RP169: 3/23/2011 2:11:00 PM - Installed Windows Media Player 11
RP170: 3/23/2011 2:11:28 PM - Software Distribution Service 3.0
RP171: 3/24/2011 3:00:12 AM - Software Distribution Service 3.0
RP172: 3/25/2011 3:18:31 AM - System Checkpoint
RP173: 3/26/2011 4:18:31 AM - System Checkpoint
RP174: 3/27/2011 4:35:14 AM - System Checkpoint
RP175: 3/28/2011 5:35:14 AM - System Checkpoint
RP176: 3/29/2011 6:35:14 AM - System Checkpoint
RP177: 3/30/2011 7:33:56 AM - System Checkpoint
RP178: 3/31/2011 9:55:48 AM - System Checkpoint
RP179: 4/1/2011 10:33:56 AM - System Checkpoint
RP180: 4/3/2011 11:04:16 PM - System Checkpoint
RP181: 4/4/2011 11:15:49 PM - System Checkpoint
RP182: 4/5/2011 3:12:54 PM - Installed AVG 2011
RP183: 4/5/2011 3:16:04 PM - Installed AVG 2011
RP184: 4/5/2011 3:16:16 PM - Removed AVG 2011
RP185: 4/5/2011 3:26:52 PM - Installed AVG 2011
RP186: 4/5/2011 3:34:19 PM - Installed AVG 2011
RP187: 4/5/2011 3:34:31 PM - Removed AVG 2011
RP188: 4/5/2011 3:48:06 PM - Removed Symantec AntiVirus
RP189: 4/5/2011 4:24:39 PM - avast! Free Antivirus Setup
RP190: 4/5/2011 5:32:23 PM - Restore Operation
RP191: 4/5/2011 6:55:12 PM - Removed Ask Toolbar.
RP192: 4/5/2011 6:57:58 PM - Removed Skype Toolbars
RP193: 4/5/2011 6:58:23 PM - Removed Symantec AntiVirus
RP194: 4/5/2011 7:13:38 PM - avast! Free Antivirus Setup
RP195: 4/6/2011 7:38:06 PM - System Checkpoint
RP196: 4/7/2011 8:38:03 PM - System Checkpoint
RP197: 4/8/2011 10:56:03 PM - System Checkpoint
RP198: 4/9/2011 11:38:02 PM - System Checkpoint
RP199: 4/11/2011 1:51:03 AM - System Checkpoint
RP200: 4/12/2011 1:56:48 AM - System Checkpoint
RP201: 4/13/2011 1:57:04 AM - System Checkpoint
RP202: 4/14/2011 3:00:13 AM - Software Distribution Service 3.0
RP203: 4/15/2011 3:00:16 AM - Software Distribution Service 3.0
RP204: 4/16/2011 3:23:59 AM - System Checkpoint
RP205: 4/17/2011 4:23:59 AM - System Checkpoint
RP206: 4/18/2011 5:23:59 AM - System Checkpoint
RP207: 4/19/2011 6:38:29 AM - System Checkpoint
RP208: 4/20/2011 6:57:43 AM - System Checkpoint
RP209: 4/21/2011 7:49:18 AM - System Checkpoint
RP210: 4/22/2011 10:02:19 AM - System Checkpoint
RP211: 4/25/2011 9:10:39 AM - System Checkpoint
RP212: 4/26/2011 9:59:17 AM - System Checkpoint
RP213: 4/27/2011 11:02:36 AM - System Checkpoint
RP214: 4/28/2011 3:00:12 AM - Software Distribution Service 3.0
RP215: 4/29/2011 3:58:24 AM - System Checkpoint
RP216: 4/30/2011 4:58:24 AM - System Checkpoint
RP217: 5/1/2011 5:02:15 AM - System Checkpoint
RP218: 5/2/2011 6:02:15 AM - System Checkpoint
RP219: 5/3/2011 7:02:15 AM - System Checkpoint
RP220: 5/3/2011 9:31:29 PM - Removed Skype™ 5.1
RP221: 5/4/2011 9:47:27 PM - System Checkpoint
RP222: 5/5/2011 9:50:42 PM - System Checkpoint
RP223: 5/7/2011 8:47:23 AM - Restore Operation
RP224: 5/8/2011 9:04:30 AM - System Checkpoint
RP225: 5/9/2011 9:13:36 AM - System Checkpoint
RP226: 5/10/2011 9:20:15 AM - System Checkpoint
RP227: 5/11/2011 9:22:59 AM - System Checkpoint
RP228: 5/12/2011 12:57:25 PM - System Checkpoint
RP229: 5/13/2011 1:25:31 PM - System Checkpoint
RP230: 5/14/2011 2:00:49 PM - System Checkpoint
RP231: 5/15/2011 3:00:49 PM - System Checkpoint
RP232: 5/16/2011 4:06:49 PM - System Checkpoint
RP233: 5/17/2011 5:44:15 PM - System Checkpoint
RP234: 5/18/2011 5:46:08 PM - System Checkpoint
RP235: 5/20/2011 9:10:29 AM - System Checkpoint
RP236: 5/21/2011 10:51:01 AM - System Checkpoint
RP237: 5/22/2011 11:43:40 AM - System Checkpoint
RP238: 5/23/2011 12:43:40 PM - System Checkpoint
RP239: 5/24/2011 1:43:40 PM - System Checkpoint
RP240: 5/25/2011 1:43:52 PM - System Checkpoint
RP241: 5/26/2011 2:43:52 PM - System Checkpoint
RP242: 5/27/2011 9:15:07 PM - System Checkpoint
RP243: 5/30/2011 12:05:28 PM - System Checkpoint
RP244: 5/31/2011 1:03:22 PM - System Checkpoint
RP245: 6/1/2011 2:37:24 PM - System Checkpoint
RP246: 6/2/2011 4:48:56 PM - System Checkpoint
RP247: 6/3/2011 5:24:56 PM - System Checkpoint
RP248: 6/4/2011 7:48:56 PM - System Checkpoint
RP249: 6/5/2011 8:24:56 PM - System Checkpoint
.
==== Hosts File Hijack ======================
.
Hosts: 64.34.212.90 www.google.com
Hosts: 64.34.212.90 www.google.com.au
Hosts: 64.34.212.90 www.google.be
Hosts: 64.34.212.90 www.google.com.br
Hosts: 64.34.212.90 www.google.ca
Hosts: 64.34.212.90 www.google.ch
Hosts: 64.34.212.90 www.google.de
Hosts: 64.34.212.90 www.google.dk
Hosts: 64.34.212.90 www.google.fr
Hosts: 64.34.212.90 www.google.ie
Hosts: 64.34.212.90 www.google.it
Hosts: 64.34.212.90 www.google.co.jp
Hosts: 64.34.212.90 www.google.nl
Hosts: 64.34.212.90 www.google.no
Hosts: 64.34.212.90 www.google.co.nz
Hosts: 64.34.212.90 www.google.pl
Hosts: 64.34.212.90 www.google.se
Hosts: 64.34.212.90 www.google.co.uk
Hosts: 64.34.212.90 www.google.co.za
Hosts: 64.34.212.90 www.bing.com
Hosts: 64.34.212.90 search.yahoo.com
Hosts: 64.34.212.90 uk.search.yahoo.com
Hosts: 64.34.212.90 ca.search.yahoo.com
Hosts: 64.34.212.90 de.search.yahoo.com
Hosts: 64.34.212.90 fr.search.yahoo.com
Hosts: 64.34.212.90 au.search.yahoo.com
Hosts: 64.34.212.90 www.google-analytics.com
.
==== Installed Programs ======================
.
a-squared Free 4.5
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
avast! Free Antivirus
Belkin Daily DJ
Belkin Music Labeler
Belkin Setup and Router Monitor
Belkin USB Print and Storage Center
CCleaner
CDDRV_Installer
CleanUp!
Conexant D850 56K V.9x DFVc Modem
Encore 802.11n Wireless Adapter ENUWI-N3
Fotosizer 1.31
Free Studio version 5.0.6
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 23
KhalSetup
KONICA MINOLTA magicolor 2430DL
LiveUpdate 3.1 (Symantec Corporation)
Logitech Desktop Messenger
Logitech SetPoint
Logitech Vid HD
Logitech Webcam Software
Logitech Webcam Software Driver Package
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 SR-1 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.17)
Music Mover
Nero OEM
PowerDVD
QuickBooks Pro Edition 2004
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Yahoo! BrowserPlus 2.9.8
Yahoo! Messenger
Yahoo! Software Update
.
==== Event Viewer Messages From Past Week ========
.
6/6/2011 7:29:52 AM, error: Dhcp [1008] - Your computer was unable to initialize a Network Interface attached to the system. The error code is: Insufficient system resources exist to complete the requested service. .
6/1/2011 6:52:26 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0024E8128A7D. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
6/1/2011 6:52:24 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0024E8128A7D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
6/1/2011 6:28:12 AM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0024E8128A7D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
5/30/2011 7:29:04 PM, error: Service Control Manager [7023] - The Intel CPU service terminated with the following error: The specified module could not be found.
.
==== End Of File ===========================
 
malware log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6701

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/6/2011 11:21:33 AM
mbam-log-2011-06-06 (11-21-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 195053
Time elapsed: 16 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Welcome to TechSpot! You do have a rootkit and the host files have been hijacked.

Please download MBRCheck and save to your desktop
  • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    [o] Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    [o] Found non-standard or infected MBR.
    [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Paste this log to your next message.
==========================================
Please print the following before you start:
You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

    [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
========================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please follow the order of these scans.
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
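MBRCheck, as the post above describes, reads the first sector of the disk and reports whether the boot code is standard Windows code or something non-standard, and its log later in the thread shows a partition "at offset 0x00007e00". The following Python script is an added example (not part of this thread, and not MBRCheck's or GMER's own code) that shows the two pieces of that check: parsing the 512-byte sector (the 0x55AA boot signature and the four 16-byte partition entries, which is where the 0x7e00 figure comes from, LBA 63 × 512 bytes) and hashing the 446-byte boot-code region against an allow-list of known-good hashes. The sample MBR, the partition entry and the allow-list are constructed test data, and the hash covers only the boot code, so it is not comparable to the SHA1 value MBRCheck prints.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR
# status, CHS start, type, CHS end, LBA start, sector count (all little-endian)
PART_ENTRY = struct.Struct("<B3sB3sII")


def build_sample_mbr() -> bytes:
    """Constructed test MBR: zero-filled boot code and one bootable NTFS (type 0x07)
    partition starting at LBA 63, the classic XP layout. Not a real disk image."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = PART_ENTRY.pack(
        0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1_465_144_002)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr: bytes):
    """Return the non-empty partition entries, with the byte offset on the disk
    (LBA start * 512) that MBRCheck-style tools print for each volume."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = PART_ENTRY.unpack(mbr[off:off + 16])
        if ptype == 0:          # empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "byte_offset": lba * SECTOR_SIZE,
            "sectors": count,
        })
    return parts


def boot_code_sha1(mbr: bytes) -> str:
    """Hash only the boot-code region; the partition table differs per machine."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


# Constructed allow-list (hypothetical). A real one would hold the hashes of the stock
# boot code shipped with each Windows version.
KNOWN_GOOD = {boot_code_sha1(build_sample_mbr()): "constructed sample boot code"}


def classify_mbr(mbr: bytes, known_good=KNOWN_GOOD):
    """Return (verdict, sha1). Unknown boot code is reported as non-standard, which is
    the cue to look closer (a TDL4-style bootkit rewrites this region), not proof of
    infection on its own: OEM boot managers also produce non-standard code."""
    if len(mbr) != SECTOR_SIZE:
        return "wrong sector size", None
    if mbr[510:512] != BOOT_SIGNATURE:
        return "missing 0x55AA boot signature", None
    digest = boot_code_sha1(mbr)
    if digest in known_good:
        return "known boot code: " + known_good[digest], digest
    return "non-standard boot code", digest


if __name__ == "__main__":
    sample = build_sample_mbr()
    for p in parse_partitions(sample):
        print(f"partition {p['index']}: type 0x{p['type']:02X} "
              f"at offset 0x{p['byte_offset']:08x}, bootable={p['bootable']}")
    print(classify_mbr(sample))
    tampered = bytearray(sample)
    tampered[0] = 0xEB          # a single changed byte in the boot code region
    print(classify_mbr(bytes(tampered)))
```

On a live system the 512 bytes would come from opening `\\.\PhysicalDrive0` for reading; the point of the user-mode versus kernel-mode readings in the GMER output earlier in the thread is that a bootkit can hook the disk driver and hand user-mode readers a clean copy, so a hash computed only from a user-mode read is not conclusive.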
 
MBR Check Log

Am posting this log and will then proceed with DNS flush. Be back shortly.




MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 129):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0x8A68D000 \WINDOWS\system32\KDCOM.DLL
0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AA000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltMgr.sys
0xB9ED9000 sr.sys
0xB9EC2000 KSecDD.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xB9DEE000 Mup.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB973A000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB9726000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB96E9000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xBA380000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB96C5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3B0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB969D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9669000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xB9646000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9547000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xB94A0000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA3C0000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA3C8000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA208000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA74A000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB6E9A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9D4F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xAF63E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA188000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA198000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA4A0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xAF62D000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA378000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA390000 \SystemRoot\system32\DRIVERS\raspti.sys
0xAF5FD000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB6C97000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB6C77000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5CE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xAF59F000 \SystemRoot\system32\DRIVERS\update.sys
0xB9D53000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xAF564000 \SystemRoot\system32\DRIVERS\sxuptp.sys
0xBA1D8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB168C000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xB82E2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5DC000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x9EF3B000 \SystemRoot\system32\drivers\RtkHDAud.sys
0x9EF17000 \SystemRoot\system32\drivers\portcls.sys
0xB82D2000 \SystemRoot\system32\drivers\drmk.sys
0xBA5E8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA7B3000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5EA000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA418000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA428000 \SystemRoot\System32\drivers\vga.sys
0xBA5F2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5EE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA438000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA458000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB046F000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9EEE4000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9EE8B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB82B2000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xB82A2000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9EE63000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBA3D0000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x9EE41000 \SystemRoot\System32\drivers\afd.sys
0xB8292000 \SystemRoot\system32\DRIVERS\netbios.sys
0x9EE16000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9EDA6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB8282000 \SystemRoot\System32\Drivers\Fips.SYS
0x9ED5C000 \SystemRoot\System32\Drivers\aswSP.SYS
0x9ECEC000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xB3711000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xBA59C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB6E7A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB6E6A000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA3F0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA400000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xBA55C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB1690000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x9E67C000 \SystemRoot\system32\DRIVERS\lvuvc.sys
0x9E661000 \SystemRoot\system32\DRIVERS\lvpopflt.sys
0xB6E5A000 \SystemRoot\system32\drivers\usbaudio.sys
0x9E621000 \SystemRoot\system32\DRIVERS\lvrs.sys
0x9E609000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA61C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA580000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA490000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA70F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF058000 \SystemRoot\System32\igxpdv32.DLL
0xBF2E8000 \SystemRoot\System32\igxpdx32.DLL
0xBF691000 \SystemRoot\System32\ATMFD.DLL
0x9E5ED000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xB6C87000 \SystemRoot\system32\DRIVERS\AegisP.sys
0x9E405000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9E3C2000 \SystemRoot\System32\Drivers\aswMon2.SYS
0x9E245000 \SystemRoot\system32\drivers\wdmaud.sys
0x9E312000 \SystemRoot\system32\drivers\sysaudio.sys
0x9DCC8000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9D7B4000 \SystemRoot\system32\DRIVERS\srv.sys
0x9D8CD000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB36E9000 \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
0x9D51B000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA468000 \SystemRoot\system32\DRIVERS\usbprint.sys
0x9CD8A000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 52):
0 System Idle Process
4 System
684 C:\WINDOWS\system32\smss.exe
748 csrss.exe
772 C:\WINDOWS\system32\winlogon.exe
820 C:\WINDOWS\system32\services.exe
832 C:\WINDOWS\system32\lsass.exe
1012 C:\WINDOWS\system32\svchost.exe
1088 svchost.exe
1188 C:\WINDOWS\system32\svchost.exe
520 svchost.exe
700 svchost.exe
1048 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1580 C:\WINDOWS\system32\spoolsv.exe
2032 C:\WINDOWS\explorer.exe
600 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
664 C:\WINDOWS\system32\igfxtray.exe
744 C:\WINDOWS\system32\hkcmd.exe
1300 C:\WINDOWS\system32\igfxpers.exe
1408 C:\WINDOWS\RTHDCPL.EXE
1372 C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
1404 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1464 C:\WINDOWS\system32\igfxsrvc.exe
1556 C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
1600 C:\Program Files\AVAST Software\Avast\AvastUI.exe
1776 C:\WINDOWS\system32\ctfmon.exe
1784 C:\Program Files\Logitech\Vid HD\Vid.exe
1916 C:\Program Files\Encore\Common\RaUI.exe
1872 C:\Program Files\Belkin\Belkin USB Print and Storage Center\Connect.exe
1896 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
2000 C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
1748 C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
1940 C:\Program Files\Logitech\SetPoint\SetPoint.exe
516 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
2240 svchost.exe
2280 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
2428 C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
2836 C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
3040 C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
3492 C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe
3620 C:\Program Files\Google\Update\GoogleUpdate.exe
3692 C:\Program Files\Java\jre6\bin\jqs.exe
4012 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
452 C:\Program Files\Encore\Common\RegistryWriter.exe
2084 C:\WINDOWS\system32\svchost.exe
2196 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3668 C:\WINDOWS\system32\svchost.exe
3504 C:\WINDOWS\system32\wscntfy.exe
3932 C:\Program Files\Internet Explorer\iexplore.exe
2788 C:\Program Files\Internet Explorer\iexplore.exe
456 C:\Program Files\Internet Explorer\iexplore.exe
1728 C:\Documents and Settings\owner\Local Settings\Temporary Internet Files\Content.IE5\VDV8O640\MBRCheck[1].exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HitachiHDS721075KLA330, Rev: GK8OA97A

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
Combofix log

ComboFix 11-06-03.02 - owner 06/06/2011 13:34:16.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2949 [GMT -4:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\owner\Application Data\Best Malware Protection
c:\documents and settings\owner\Application Data\Best Malware Protection\cookies.sqlite
c:\documents and settings\owner\Application Data\PriceGong
c:\documents and settings\owner\Application Data\PriceGong\Data\1.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\a.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\b.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\c.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\d.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\e.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\f.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\g.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\h.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\i.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\J.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\k.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\l.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\m.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\n.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\o.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\p.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\q.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\r.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\s.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\t.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\u.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\v.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\w.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\x.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\y.xml
c:\documents and settings\owner\Application Data\PriceGong\Data\z.xml
c:\documents and settings\owner\Recent\ANTIGEN.tmp
c:\documents and settings\owner\Recent\CLSV.tmp
c:\documents and settings\owner\Recent\eb.tmp
c:\documents and settings\owner\Recent\PE.tmp
c:\documents and settings\owner\Recent\runddlkey.tmp
c:\documents and settings\owner\Recent\SM.tmp
c:\documents and settings\owner\Recent\tjd.tmp
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\pthreadVC.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Legacy_NPF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))
.
.
2011-05-19 03:37 . 2011-05-19 03:37 -------- d-----w- c:\program files\QuickTime
2011-05-18 11:18 . 2011-05-18 11:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-17 16:55 . 2011-05-17 16:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-05-15 01:07 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-15 01:07 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-15 01:07 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-05-15 01:07 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-05-08 16:11 . 2011-05-08 16:11 -------- d-----w- c:\program files\Common Files\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:10 . 2011-04-05 23:13 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-04-05 23:13 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-04-05 23:13 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-04-05 23:14 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-04-05 23:13 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2011-04-05 23:13 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2011-04-05 23:13 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2011-04-05 23:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-04-05 23:13 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2011-04-05 23:14 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-12 17887232]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-05-19 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Encore Wireless Utility.lnk - c:\program files\Encore\Common\RaUI.exe [2010-5-13 1662976]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2011-1-4 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-1-4 688128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-12-6 724992]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Belkin\\Belkin USB Print and Storage Center\\Connect.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19540:UDP"= 19540:UDP:SXUPTP
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/5/2011 7:13 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/5/2011 7:14 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/5/2011 7:14 PM 19544]
R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [5/16/2010 2:49 PM 152064]
R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [5/16/2010 2:49 PM 49152]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [5/16/2010 2:49 PM 246936]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/9/2011 6:46 PM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/13/2010 1:19 PM 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/9/2011 6:46 PM 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc243d9c02d2dc.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-09 22:46]
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-09 22:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
mStart Page = hxxp://www.yahoo.com
IE: Free YouTube Download - c:\documents and settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\hm48fgqk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60283
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: DVDVideoSoftTB Community Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-itlntfy - itlnfw32.dll
Notify-NavLogon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-06 13:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDS721075KLA330 rev.GK8OA97A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A64A53B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3088)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Encore\Common\RegistryWriter.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Belkin\Belkin USB Print and Storage Center\connect.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
c:\program files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2011-06-06 13:50:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-06 17:49
.
Pre-Run: 732,786,802,688 bytes free
Post-Run: 733,268,389,888 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - DFE132D3FB236239E825606D92E5D88B
 
Questions:
Are you using PeerBlock?
Have you done the DNS flush and router reset?
Did you assign this in Firefox: FF - prefs.js: network.proxy.http_port - 60283
=====================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
====================================
Download HijackThis from http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log will then open in Notepad. Be sure to click on Format > Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Questions:
Are you using PeerBlock?
It is not something I have done, I don't even know what it is.

Have you done the DNS flush and router reset?
Yes

Did you assign this in Firefox: FF - prefs.js: network.proxy.http_port - 60283
No
=====================================

Will now continue with your next set of instructions and post logs when completed.
 
Next Set of Logs

ESET LOG

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\43\775a696b-4b4ba952 Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\11\6fb428cb-67f1abfe Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\14\7bea5a4e-3ce9191f Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\16\4ea56e90-2d74d52a Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\28\72b7c5c-60c70e52 Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\31\1ef03c5f-416d6f4f Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\31\2f2c695f-65e98e9d Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\48\7bf72d70-6537fbb2 Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\56\63aaf5b8-63e9f8ff Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\9\7be78a09-676b5836 probably a variant of Java/TrojanDownloader.OpenStream.NCC trojan
C:\Documents and Settings\owner\Desktop\fsSetup131.exe Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{BE673C43-9957-4968-A842-5C6097356DC5}\RP190\A0035045.mof Win32/RogueAV.A trojan



HIJACKTHIS LOG


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:51:21 PM, on 6/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Log with Word Wrap on has been deleted by Bobbye

New log to be posted.
 
For the Eset entries: Most are in the Java cache, so you will empty it:
To clear the Java Plug-in cache:

  1. Click Start > Control Panel.
  2. Double-click the Java icon in the control panel. The Java Control Panel appears.
  3. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  4. Click Delete Files. The Delete Temporary Files dialog box appears.
  5. Click OK on the Delete Temporary Files window.
     Note: This deletes all the Downloaded Applications and Applets from the cache.
  6. Click Apply > OK on the Temporary Files Settings window.
=============================================
There are some entries that need to be removed in HijackThis. But I would like you to redo the log- I can't read it in the context of Word Wrap:
When you open Notepad> click on Format> Uncheck Word Wrap. Now the log will be readable. For instance:
This log:
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} -

C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\GAPlugProtocol-8876480.dll

The same entry with Word Wrap off:
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

Please paste the redone HJT log in your next reply.
 
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:51:21 PM, on 6/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Encore\Common\RegistryWriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Encore\Common\RaUI.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2269050
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Encore Wireless Utility.lnk = C:\Program Files\Encore\Common\RaUI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Documents and Settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Belkin Local Backup Service - Unknown owner - C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
O23 - Service: Belkin Network USB Helper - Unknown owner - C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\Encore\Common\RegistryWriter.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8425 bytes
 
Reset your browser proxies
  • Open Firefox, click on "Tools" then "Options" and then on "Advanced".
  • Click on the "Network" tab, and then on the "Settings" button.
  • Please make sure that the "No Proxy" option is selected.
=======================================
Please run this Custom Script:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad > click on Format > Uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
C:\Documents and Settings\owner\Desktop\fsSetup131.exe
DDS::
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-
Driver::
cerc6
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
========================================
Update the following. Then uninstall all outdated versions in Add/Remove Programs.
1. Java Updates
Note: You do not need to put a separate Java Extension on Firefox
Please open FF> Extensions> Remove Java v6u17 and v6u23.
2. Adobe Reader
===========================================
I noticed several Belkin entries loading- just want to make sure you're aware of them:
Digido Platform
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files\Belkin\Belkin USB Print and Storage Center\connect.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
c:\program files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
It appears these are used to enable a person who travels to use the system.

It is puzzling because you are also using the Encore Wireless Utility.
=======================================
You have a process left over from Norton/Symantec:
Click on Start> Run> type in services.msc> enter> Double click on LiveUpdate> Change the Startup type to Disabled> Stop the Service.
Then click on Start> Run> type in cmd> enter> at the blinking C prompt type in the following
sc delete LiveUpdate
You should get this message:
[SC] DeleteService SUCCESS
Type Exit to close the command prompt
Reboot the computer.
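An added triage script, not part of this thread and not code from HijackThis or ComboFix, that turns the checks made by eye above into repeatable detection logic over log lines in the same format: a start page pointing at a search-redirect domain, BHO/toolbar entries whose DLL is missing ("(no file)" / "No File"), Security Center override and firewall-notification keys, and Firefox prefs.js proxy entries pointing at the local machine. It assumes a small local list of redirect domains (only search.conduit.com appears in this thread), and its sample lines are constructed from the patterns quoted above. It also reports network.proxy.type, because a value of 0 means Firefox is set to a direct connection and the proxy host/port entries are present but dormant, while 1 means a manual proxy is in use.

```python
"""Triage helper for HijackThis- and ComboFix-style log lines.

Added example, not code from this thread, HijackThis or ComboFix.  It turns
the checks the helper applied by eye into repeatable detection logic:
  * browser start page pointing at a search-redirect domain
  * BHO / toolbar entries whose DLL is missing ("(no file)" / "No File")
  * Security Center override and firewall-notification keys
  * Firefox prefs.js proxy pointing at the local machine
"""
import re
from urllib.parse import urlparse

# Assumption: a small local list of search-redirect domains.  The only one
# visible in the thread is search.conduit.com; extend as needed.
REDIRECT_SEARCH_DOMAINS = {"search.conduit.com"}
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}

PREF_RE = re.compile(r"FF - prefs\.js: (network\.proxy\.[a-z_]+) - (\S+)")
START_PAGE_RE = re.compile(r"(?:R0 - .*Start Page|[um]Start Page)\s*=\s*(\S+)")
ADDON_RE = re.compile(r"^(?:O2 - BHO|O3 - Toolbar|BHO|TB):\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
OVERRIDE_RE = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|DisableNotifications)"\s*=')


def host_of(url):
    """Hostname of a log URL; ComboFix defangs http as hxxp, undo that first."""
    return urlparse(url.replace("hxxp", "http", 1)).hostname or ""


def triage(lines):
    """Return (kind, detail) findings for an iterable of log lines."""
    findings = []
    proxy = {}
    for raw in lines:
        line = raw.strip()
        m = PREF_RE.match(line)
        if m:                      # collect proxy prefs, judge them at the end
            proxy[m.group(1)] = m.group(2)
            continue
        m = START_PAGE_RE.search(line)
        if m and host_of(m.group(1)) in REDIRECT_SEARCH_DOMAINS:
            findings.append(("start_page_hijack", host_of(m.group(1))))
            continue
        m = ADDON_RE.match(line)
        if m and "no file" in m.group(1).lower():
            clsid = CLSID_RE.search(m.group(1))
            findings.append(("orphaned_addon",
                             clsid.group(0) if clsid else m.group(1)))
            continue
        m = OVERRIDE_RE.match(line)
        if m:
            findings.append(("security_center_override", m.group(1)))
    host = proxy.get("network.proxy.http")
    if host in LOCAL_HOSTS:
        port = proxy.get("network.proxy.http_port", "?")
        # network.proxy.type 1 = manual proxy in use; 0 = direct connection,
        # so the host/port entries are present but not applied.
        kind = ("local_proxy_active" if proxy.get("network.proxy.type") == "1"
                else "local_proxy_dormant")
        findings.append((kind, f"{host}:{port}"))
    return findings


# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2269050",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com",
    "O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll",
    "TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File",
    '"AntiVirusOverride"=dword:00000001',
    '"EnableFirewall"= 0 (0x0)',
    "FF - prefs.js: network.proxy.http - 127.0.0.1",
    "FF - prefs.js: network.proxy.http_port - 60283",
    "FF - prefs.js: network.proxy.type - 0",
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:26} {detail}")
```

Feed it the saved HJT or ComboFix text with `triage(open("hijackthis.log").readlines())`; the findings are leads to verify by hand, not a verdict, and a "(no file)" entry in particular is just an orphaned registration that HijackThis can remove.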
 
Bobbye...

A couple of things from your last post.

  • You mentioned something about BELKIN entries loading. My wireless router is a BELKIN, but I have never installed or activated any type of traveling ability. So I can't say if the DIGIDO PLATFORM is something that should be there or not.
  • Also, again - I am not familiar with ENCORE WIRELESS UTILITY, so I am not sure if that is something that should be there or not either.

Completed all the steps you asked for from last post and the new CF log is pasted below.

I really do appreciate your help with this mess.


ComboFix 11-06-08.04 - owner 06/09/2011 8:01.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2958 [GMT -4:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\owner\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\documents and settings\owner\Desktop\fsSetup131.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\owner\Desktop\fsSetup131.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_cerc6
.
.
((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))
.
.
2011-06-07 18:11 . 2011-06-07 18:11 -------- d-----w- c:\program files\ESET
2011-05-19 03:37 . 2011-05-19 03:37 -------- d-----w- c:\program files\QuickTime
2011-05-18 11:18 . 2011-06-08 11:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-17 16:55 . 2011-05-17 16:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-05-15 01:07 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-15 01:07 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-15 01:07 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-05-15 01:07 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:10 . 2011-04-05 23:13 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-04-05 23:13 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-04-05 23:13 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-04-05 23:14 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-04-05 23:13 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2011-04-05 23:13 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2011-04-05 23:13 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2011-04-05 23:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-04-05 23:13 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2011-04-05 23:14 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-06_17.46.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-09 12:10 . 2011-06-09 12:10 16384 c:\windows\Temp\Perflib_Perfdata_cc.dat
- 2011-06-06 17:45 . 2009-10-07 06:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
+ 2011-06-09 12:10 . 2009-10-07 06:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
+ 2011-06-08 11:46 . 2011-06-08 11:46 238040 c:\windows\system32\Macromed\Flash\FlashUtil10s_Plugin.exe
+ 2011-06-08 11:46 . 2011-06-08 11:46 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2010-01-27 01:07 . 2011-05-18 11:18 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-12 17887232]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-05-19 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Encore Wireless Utility.lnk - c:\program files\Encore\Common\RaUI.exe [2010-5-13 1662976]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2011-1-4 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-1-4 688128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-12-6 724992]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Belkin\\Belkin USB Print and Storage Center\\Connect.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19540:UDP"= 19540:UDP:SXUPTP
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/5/2011 7:13 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/5/2011 7:14 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/5/2011 7:14 PM 19544]
R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [5/16/2010 2:49 PM 152064]
R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [5/16/2010 2:49 PM 49152]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [5/16/2010 2:49 PM 246936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/9/2011 6:46 PM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/13/2010 1:19 PM 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/9/2011 6:46 PM 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc243d9c02d2dc.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-09 22:46]
.
2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-09 22:46]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
IE: Free YouTube Download - c:\documents and settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\hm48fgqk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60283
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: DVDVideoSoftTB Community Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-09 08:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDS721075KLA330 rev.GK8OA97A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A62453B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3912)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Encore\Common\RegistryWriter.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\RTHDCPL.EXE
c:\program files\Belkin\Belkin USB Print and Storage Center\connect.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
c:\program files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-06-09 08:14:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-09 12:14
ComboFix2.txt 2011-06-06 17:50
.
Pre-Run: 733,349,683,200 bytes free
Post-Run: 733,401,980,928 bytes free
.
- - End Of File - - CDB97FAA97110AE49600B732D6E6C33B
 
Regarding the Belkin and the Encore entries. I don't know how your system is set up or who set it up. As far as I could determine, the extra Belkin entries have to be intentionally installed. There is a setup file for the Belkin but all of the other processes are extra. And the DigiDo™ Platform is used by Time Warner Cable, Cox, Bresnan, Charter, ubee and Belkin. It is a part of a secure home network and may be used by the ISP.

And the Encore Wireless Utility may be the wireless card or required by the modem.
=====================================
Questions:
1. Who is your ISP?
2. Do you have multiple users on this computer?
3. Are you using a wireless print server?
4. Was the computer set up on the Peer 1 Network?
===================================
Combofix removed an entry for Best Malware Protection\cookies.sqlite
cookies.sqlite is where Firefox stores Cookies. This means that your system wasn't protected and this rogue program has left Tracking Cookies on the system.

Best Malware Protection is a fake antivirus program that tries to trick the user to buy the full version of the program by using fake scan results. It installs itself into the computer without confirmation of the user unless the user set the UAC level to the highest level.

Best Malware Protection is advertised mostly through the use of bogus online scanners and malicious websites. This means that the security is lacking.

Please do the following. Note: If you have multiple accounts on the system, do this on each of the accounts:

1. Reset Cookies
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources: They also prevent the ads and banners themselves:
AdBlock Plus
Easy List

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
==========================================
Regarding Price Gong: It's a browser addon for comparative shopping. The program is adware, and it will display annoying pop-up alerts and other false threats in the browser.
PriceGong will launch automatically whenever a user visits a shopping site like Amazon.com or Sears.
Standalone application removal
In case you have installed PriceGong as a standalone application, it can easily be removed using "Add/Remove Programs" as follows:

1. On Windows XP:
  1. Go to the Start menu
  2. Select Settings
  3. Select Control Panel
  4. Select Add or Remove Programs
  5. Select PriceGong
  6. Click Change/Remove
  7. Follow on-screen prompts to remove the PriceGong application

• Then use Windows Explorer (Windows key + E) to go to My Computer> Double click on Local Drive(C)> Programs> look for the Price Gong folder and do a Right click> Delete.
=======================================
Reboot the computer. Run the following.
=======================================

SuperAntiSpyware Home Edition Free Version
Important to note the line to check the entries for removal.
• Please download SuperAntiSpyware from HERE
• Launch SuperAntiSpyware and click on 'Check for updates'.
• Wait for the updates to be installed
• On the main screen click on 'Scan your computer'.
• Check 'Perform Complete Scan', then click 'Next' to start the scan.
• SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
• Make sure everything found has a checkmark next to it, then press 'Next'.
• Click on 'Finish' when you're done.
It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
• Click on 'Preferences'.
• Click on the 'Statistics/Logs' tab.
• Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
 
Super AntiSpyware Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/13/2011 at 08:14 AM

Application Version : 4.54.1000

Core Rules Database Version : 7257
Trace Rules Database Version: 5069

Scan type : Complete Scan
Total Scan Time : 00:20:45

Memory items scanned : 588
Memory threats detected : 0
Registry items scanned : 6379
Registry threats detected : 0
File items scanned : 20709
File threats detected : 470

Adware.Tracking Cookie
C:\Documents and Settings\NetworkService\Cookies\system@ad.wsod[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@server.cpmstar[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@viacom.adbureau[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[10].txt
C:\Documents and Settings\NetworkService\Cookies\system@statse.webtrendslive[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[11].txt
C:\Documents and Settings\NetworkService\Cookies\system@gmglobalgm.112.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[7].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[10].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[6].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[8].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[7].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[6].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[9].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[11].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[8].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[9].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[6].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[7].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.find-quick-results[1].txt
a.ads2.msads.net [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
ads2.msads.net [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
b.ads2.msads.net [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
cdn1.static.pornhub.phncdn.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
cdn4.specificclick.net [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
crackle.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
ia.media-imdb.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
media.mtvnservices.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
media.scanscout.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
media.wcnc.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
media.wfaa.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
media1.break.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
s0.2mdn.net [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
secure-us.imrworldwide.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
www.naiadsystems.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
www.pornhub.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
www.royalmediamarketing.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
www.soundclick.com [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]

Adware.SelectRebates[SAH]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BE673C43-9957-4968-A842-5C6097356DC5}\RP191\A0035209.DLL
 
SAS found 470 Tracking Cookies. That tells me 3 things.

1. Your system is not set to block 3rd party Cookies.
2. You aren't doing regular maintenance on the system.
3. If you are going to visit sites like the 'pronhub', you are going to get malware.

These have not been addressed:
Questions:
1. Who is your ISP?
2. Do you have multiple users on this computer?
3. Are you using a wireless print server?
4. Was the computer set up on the Peer 1 Network?
====================================
Please run the following: Security Check

Download Security Check by screen317 from HERE or HERE.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
====================================
Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
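One way to turn a SAS cookie listing like the one above into the per-domain and per-profile tally the helper is reasoning from ("470 Tracking Cookies", cookies sitting under the NetworkService profile), as an added Python example that is not part of this thread and is not SUPERAntiSpyware's own code. The log text inside it is constructed in the same `<profile>\Cookies\<user>@<domain>[n].txt` and Flash `#SharedObjects` format the scan output uses; the regular expressions and function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the SAS output format shown in the thread:
# tracking-cookie files, Flash shared-object entries, and two lines
# (a detection name and a restore-point DLL) that are not cookies.
SAMPLE_LOG = r"""
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[10].txt
C:\Documents and Settings\owner\Cookies\owner@advertising[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@twctsg.122.2o7[1].txt
a.ads2.msads.net [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
s0.2mdn.net [ C:\Documents and Settings\owner\Application Data\Macromedia\Flash Player\#SharedObjects\GZHDGVM7 ]
Adware.SelectRebates[SAH]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP1\A0000000.DLL
"""

# <profile>\Cookies\<user>@<domain>[<n>].txt  (IE/WinInet cookie file naming)
COOKIE_RE = re.compile(
    r"\\(?P<profile>[^\\]+)\\Cookies\\(?P<user>[^@\\]+)@(?P<domain>[^\[\\]+)\[\d+\]\.txt$"
)
# <host> [ <path to Flash Player #SharedObjects dir> ]
FLASH_RE = re.compile(r"^(?P<host>[^\s\[]+) \[ (?P<path>.*#SharedObjects.*?) \]$")

# Profiles that belong to service accounts rather than an interactive user.
SERVICE_PROFILES = {"networkservice", "localservice", "systemprofile"}


def parse_sas_log(text):
    """Return (cookies, flash_hosts); cookies are (profile, user, domain) tuples."""
    cookies, flash_hosts = [], []
    for line in text.splitlines():
        line = line.strip()
        m = COOKIE_RE.search(line)
        if m:
            cookies.append((m["profile"], m["user"], m["domain"]))
            continue
        m = FLASH_RE.match(line)
        if m:
            flash_hosts.append(m["host"])
    return cookies, flash_hosts


def summarise(text):
    """Tally tracking cookies by ad domain and by Windows profile."""
    cookies, flash_hosts = parse_sas_log(text)
    by_profile = Counter(p for p, _, _ in cookies)
    return {
        "cookie_total": len(cookies),
        "by_domain": Counter(d for _, _, d in cookies),
        "by_profile": by_profile,
        # Cookies under a service-account profile were written by a process
        # running as that account, not by the user's interactive browsing,
        # so a browser-side "block third-party cookies" setting does not
        # explain or fix them; they deserve a separate look.
        "service_profiles": sorted(
            p for p in by_profile if p.lower() in SERVICE_PROFILES
        ),
        "flash_hosts": sorted(set(flash_hosts)),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['cookie_total']} tracking cookies")
    for domain, n in s["by_domain"].most_common():
        print(f"  {n:3d}  {domain}")
    print("profiles:", dict(s["by_profile"]))
    print("service-account profiles with cookies:", s["service_profiles"])
    print("Flash shared-object hosts:", s["flash_hosts"])
```

Run it against a pasted SAS log by replacing `SAMPLE_LOG` with the file contents; the `most_common()` listing shows which ad networks dominate, and `service_profiles` flags the NetworkService-style entries that a user's browser settings alone would not account for.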
 