# Virus blocking access to internet



## Cybercookie (Aug 9, 2010)

My computer was recently infected by malware or a virus of some kind.  It said Antivirmore but there may be more than that.  At this time I can't access the Internet but I could initially in Safe Mode.  Before I can deal with anything else I need to re-connect to the Internet.  The proxy server is unchecked.  I don't know what else to try.  Any help would be appreciated.

The computer is a Dell Precision M90 Laptop with Intel Core 2 T7200 @2.00GHz CPU with 2.00 GB of RAM running Win XP SP3.


----------



## johnb35 (Aug 9, 2010)

Since I'm on my phone and can't post links, if you can find one of my posts about downloading and running rkill.scr or combofix, combofix should kill the process that is stopping you from getting internet access.  If you have a 64bit OS, you can't run combofix. This is when you run rkill.scr and then try running malwarebytes to remove the infection. You would need to use a usb flash drive or cd to copy the files to and then run them on the infected machine.


----------



## johnb35 (Aug 9, 2010)

Now that I'm home and able to post links.


Download this file to a usb flash drive or burn it to a cd and transfer it to the infected computer and run it.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## Cybercookie (Aug 18, 2010)

Thank you for your suggestions.  I followed them and they have helped.  In Safe Mode I can use the Internet but a redirect problem remains especially if I use a search engine.  Typing directly into the address bar seems to work.  In normal mode the Internet is still blocked.  I have tried both Explorer and Firefox.  In Firefox I get a note saying proxy server is refusing connections.

Some downloads work in Safe Mode but others don't.  I can't get the latest updates for Windows for example.  I downloaded several games and installed them without difficulty.  Attempts to download and install 2 different Anti-Viral programs failed.  ComboFix said I did not have the "Microsoft Windows Recovery Console".  It then claimed to download it successfully.  

Early in the ComboFix scan a box appeared titled "mbr.cfxxe".  This said mbr.cfxxe encountered a problem and needs to close.  This closed but the scan went on.

The Registry seems to have been deleted along with all backups.  This computer was recently bought on Ebay.  I have no disk or external backup of any kind.  It was OK when I got it.  

Here are the logs you requested.  I had run 

ComboFix 10-08-16.04 - Administrator 08/17/2010  14:40:42.1.2 - x86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1788 [GMT -4:00]
Running from: E:\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\avdrn.dat
c:\windows\system32\fjhdyfhsn.bat
c:\windows\system32\st325602.dll

.
(((((((((((((((((((((((((   Files Created from 2010-07-17 to 2010-08-17  )))))))))))))))))))))))))))))))
.

2010-08-08 23:08 . 2010-08-08 23:08    --------    d--h--w-    c:\windows\system32\GroupPolicy
2010-08-08 21:43 . 2010-08-08 21:43    12328    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-08 21:02 . 2010-08-08 21:02    --------    d-----w-    c:\documents and settings\Administrator\Application Data\InstallShield
2010-08-08 06:22 . 2010-08-08 06:22    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-20 00:27 . 2010-07-20 00:28    43488992    ----a-w-    c:\documents and settings\All Users\Application Data\Systweak\Advanced System Protector\Antispyware_Setup_7_19_2010.exe
2010-07-19 22:11 . 2010-07-19 22:11    --------    d-----w-    c:\program files\ESET
2010-07-19 21:16 . 2009-05-07 07:04    157712    ----a-w-    c:\windows\system32\drivers\tmcomm.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-08 21:43 . 2010-07-08 23:32    1324    ----a-w-    c:\windows\system32\d3d9caps.dat
2010-08-08 06:22 . 2010-08-08 06:22    12    ----a-w-    c:\windows\system32\config\systemprofile\Application Data\ranmiq.dat
2010-08-03 21:42 . 2010-06-29 00:16    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2010-08-03 21:38 . 2010-07-17 00:27    --------    d-----w-    c:\program files\SpywareBlaster
2010-07-20 00:16 . 2010-07-17 20:25    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spyware Terminator
2010-07-20 00:16 . 2010-07-17 20:25    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Spyware Terminator
2010-07-20 00:15 . 2010-07-17 20:24    --------    d-----w-    c:\program files\Spyware Terminator
2010-07-20 00:04 . 2010-07-17 18:19    --------    d-----w-    c:\program files\a-squared Free
2010-07-19 23:05 . 2010-07-17 00:50    63488    ----a-w-    c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-19 23:05 . 2010-07-17 00:50    117760    ----a-w-    c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-19 22:24 . 2010-07-17 23:56    --------    d-----w-    c:\program files\PC-Clean
2010-07-18 00:45 . 2010-07-17 20:04    --------    d-----w-    c:\documents and settings\All Users\Application Data\IObit
2010-07-18 00:45 . 2010-07-17 20:04    --------    d-----w-    c:\program files\IObit
2010-07-18 00:42 . 2010-07-17 23:56    --------    d-----w-    c:\program files\NLIA
2010-07-18 00:41 . 2010-07-18 00:41    --------    d-----w-    c:\program files\Spyware Vaccine
2010-07-18 00:12 . 2010-07-18 00:11    43488992    ----a-w-    c:\documents and settings\All Users\Application Data\Systweak\Advanced System Protector\Antispyware_Setup_7_17_2010.exe
2010-07-18 00:10 . 2010-07-18 00:10    --------    d-----w-    c:\documents and settings\All Users\Application Data\Systweak
2010-07-18 00:10 . 2010-07-18 00:10    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Systweak
2010-07-18 00:09 . 2010-07-18 00:09    --------    d-----w-    c:\program files\Systweak
2010-07-17 23:56 . 2009-11-12 19:28    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-07-17 21:12 . 2010-07-17 21:12    --------    d-----w-    c:\documents and settings\All Users\Application Data\Norton
2010-07-17 20:42 . 2010-07-17 20:42    23552    ----a-w-    c:\windows\system32\drivers\phooks.sys
2010-07-17 20:35 . 2010-07-17 20:35    --------    d-----w-    c:\documents and settings\Administrator\Application Data\WinPatrol
2010-07-17 20:35 . 2010-07-17 20:35    --------    d-----w-    c:\program files\BillP Studios
2010-07-17 20:25 . 2010-07-17 20:25    6144    ----a-w-    c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2010-07-17 20:25 . 2010-07-17 20:25    5632    ----a-w-    c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2010-07-17 20:25 . 2010-07-17 20:25    142592    ----a-w-    c:\windows\system32\drivers\sp_rsdrv2.sys
2010-07-17 00:50 . 2010-07-17 00:50    52224    ----a-w-    c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-17 00:49 . 2010-07-17 00:49    --------    d-----w-    c:\program files\SUPERAntiSpyware
2010-07-17 00:49 . 2010-07-17 00:49    --------    d-----w-    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-17 00:49 . 2010-07-17 00:49    --------    d-----w-    c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-17 00:43 . 2010-07-17 00:43    --------    d-----w-    c:\program files\Trend Micro
2010-07-17 00:31 . 2010-07-17 00:31    0    ----a-w-    c:\windows\nsreg.dat
2010-07-16 23:33 . 2010-07-16 23:30    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-07-16 23:32 . 2010-07-16 23:30    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-16 23:24 . 2010-07-16 23:24    --------    dc----w-    c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-14 00:41 . 2010-07-14 00:24    --------    d-----w-    c:\program files\WinUtilities
2010-07-13 19:18 . 2010-07-13 19:18    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-13 19:18 . 2010-07-13 19:18    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-07-13 19:18 . 2010-07-13 19:18    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-08 23:01 . 2010-07-08 23:01    120    ----a-w-    c:\windows\Onefewiy.dat
2010-07-08 23:01 . 2010-07-08 23:01    0    ----a-w-    c:\windows\Fjayakiwikis.bin
2010-07-04 16:29 . 2010-07-04 16:29    --------    d-----w-    c:\program files\MSN Toolbar Installer
2010-07-04 16:29 . 2010-07-04 16:29    --------    d-----w-    c:\program files\MSN Toolbar
2010-07-04 16:29 . 2010-07-04 16:29    --------    d-----w-    c:\program files\Microsoft
2010-07-04 16:29 . 2010-07-04 16:29    --------    d-----w-    c:\documents and settings\All Users\Application Data\UAB
2010-07-04 16:28 . 2010-07-04 16:28    --------    d-----w-    c:\program files\Driver Whiz
2010-07-01 17:26 . 2010-07-01 17:26    --------    d-----w-    c:\documents and settings\All Users\Application Data\nView_Profiles
2010-06-30 00:52 . 2010-06-30 00:52    --------    d-----w-    c:\documents and settings\All Users\Application Data\Driver Medic
2010-06-29 22:38 . 2010-06-29 22:38    --------    d-----w-    c:\documents and settings\All Users\Application Data\Driver Whiz
2010-06-29 00:03 . 2010-06-29 00:03    --------    d-----w-    c:\program files\Common Files\ScanSoft Shared
2010-06-29 00:03 . 2010-06-29 00:03    --------    d-----w-    c:\program files\Common Files\Nuance
2010-06-29 00:03 . 2010-06-29 00:03    --------    d-----w-    c:\documents and settings\All Users\Application Data\ScanSoft
2010-06-29 00:00 . 2010-06-29 00:00    --------    d-----w-    c:\program files\Nuance
2010-06-29 00:00 . 2010-06-29 00:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\Nuance
2010-06-28 23:42 . 2010-06-28 23:42    --------    d-----w-    c:\documents and settings\All Users\Application Data\CyberLink
2010-06-07 01:14 . 2010-06-07 01:14    56    ---ha-w-    c:\windows\system32\ezsidmv.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-29 2403568]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-07-17 3037696]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-07-20 1228800]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-12 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-19 202256]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"NliaClient"="c:\program files\NLIA\Netpia.exe" [2006-07-21 49152]
"PC-Clean"="c:\program files\PC-Clean\PC-Clean.exe" [2006-03-31 1839104]
"Advanced Spyware Remover"="c:\program files\IObit\Advanced Spyware Remover\ASRtray.exe" [2009-12-15 1213952]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
"Advanced System Protector"="c:\program files\Systweak\Advanced System Protector\ASP.exe" [2009-11-03 16347368]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21    548352    ----a-w-    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0sasnative32

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 phooks;phooks;c:\windows\system32\drivers\phooks.sys [7/17/2010 4:42 PM 23552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
S2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [7/17/2010 2:19 PM 1872320]
S2 ASRservice;ASRservice;c:\program files\IObit\Advanced Spyware Remover\ASRsrv.exe [7/17/2010 8:48 PM 697104]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [7/17/2010 8:50 PM 312152]
.
Contents of the 'Scheduled Tasks' folder

2010-08-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1078081533-651377827-1417001333-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-07-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1078081533-651377827-1417001333-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-08-08 c:\windows\Tasks\User_Feed_Synchronization-{C2C2478F-6D2C-40DD-A921-EAC8F6C2755B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = download.cnet.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {4E93CCAB-1EE4-4288-BE8E-66BB32790988} - c:\documents and settings\user\Local Settings\Application Data\{4E93CCAB-1EE4-4288-BE8E-66BB32790988}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 14:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-651377827-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,04,0e,e6,63,b0,c7,41,99,d5,a5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,04,0e,e6,63,b0,c7,41,99,d5,a5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\WININET.dll
.
Completion time: 2010-08-17  14:49:12
ComboFix-quarantined-files.txt  2010-08-17 18:49

Pre-Run: 139,809,206,272 bytes free
Post-Run: 140,151,341,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DB0003B2D30A579367022F87AFD73AB3


Hijack This Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:02 PM, on 8/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = download.cnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking10\Ereg.ini
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NliaClient] C:\Program Files\NLIA\Netpia.exe
O4 - HKLM\..\Run: [PC-Clean] C:\Program Files\PC-Clean\PC-Clean.exe /h
O4 - HKLM\..\Run: [Advanced Spyware Remover] "C:\Program Files\IObit\Advanced Spyware Remover\ASRtray.exe" /autostart
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [Advanced System Protector] "C:\Program Files\Systweak\Advanced System Protector\ASP.exe" /autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Bluetooth Manager.lnk = ?
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ASRservice - IObit - C:\Program Files\IObit\Advanced Spyware Remover\ASRsrv.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 5367 bytes


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4440

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/17/2010 4:09:38 PM
mbam-log-2010-08-17 (16-09-38).txt

Scan type: Full scan (C:\|)
Objects scanned: 163806
Time elapsed: 18 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\flqsupkm (Rogue.AntivirusSuite.Gen) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmsdk64_32.exe (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## johnb35 (Aug 18, 2010)

Did you have malwarebytes remove those infections by clicking on the remove selected button?  I'm at work now but will post more instructions tonight when I get home.


----------



## Cybercookie (Aug 19, 2010)

Yes, malwarebytes removed all of these.  It removed many more before I started this thread.


----------



## johnb35 (Aug 19, 2010)

Please rerun hijackthis and place checks next to the following entries.

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking10\Ereg.ini
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NliaClient] C:\Program Files\NLIA\Netpia.exe
O4 - HKLM\..\Run: [PC-Clean] C:\Program Files\PC-Clean\PC-Clean.exe /h
O4 - HKLM\..\Run: [Advanced Spyware Remover] "C:\Program Files\IObit\Advanced Spyware Remover\ASRtray.exe" /autostart
O4 - HKLM\..\Run: [Advanced System Protector] "C:\Program Files\Systweak\Advanced System Protector\ASP.exe" /autorun
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (file missing)

Then click on fix checked at the bottom.

Please post an uninstall list using hijackthis.  Open hijackthis, click on open misc tools section, click on open uninstall manager, click on save list and save it, then copy and paste it back here.  

I see that you have superantispyware installed. Please update it and run a scan and post the log along with a fresh hijackthis log.  To get the SAS log click on the preferences button on the main page and then click on the statistics/logs tab and then open the log and copy and paste it back here.
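As an added example (not code from the thread, from johnb35, or from HijackThis itself): a small Python parser for the O4, O18 and O23 line formats that appear in the logs above. It pulls the on-disk binary out of each entry, marks the ones HijackThis reports as "(file missing)", and selects the entries named in a fix list, so a list like the one above can be checked against a log mechanically. The sample lines are constructed in the HijackThis v2 format and the `Entry` record is this example's own.

```python
"""Triage helper for HijackThis v2 log lines (added example, not HijackThis code).

Parses O4 autorun entries, O18 protocol handlers and O23 services into records,
extracts the executable/module each one points at, and flags dead references.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in HijackThis v2 format (a handful of lines, not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PC-Clean] C:\Program Files\PC-Clean\PC-Clean.exe /h
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Bluetooth Manager.lnk = ?
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
"""


@dataclass
class Entry:
    section: str            # "O4", "O18" or "O23"
    location: str           # registry hive, startup folder, protocol CLSID or service vendor
    name: str               # autorun value name, protocol name or service name
    command: str            # command line / path exactly as logged
    binary: Optional[str]   # absolute path to the PE file the entry launches, if found
    file_missing: bool      # HijackThis appended "(file missing)" to the entry


O4_REG = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O18 = re.compile(r"^O18 - Protocol: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.*)$")
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$")
# First absolute path ending in a PE extension; tolerates spaces in unquoted paths.
BINARY = re.compile(r'"?(?P<p>[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|scr))(?![A-Za-z0-9])', re.IGNORECASE)


def extract_binary(command: str) -> Optional[str]:
    """Return the first absolute PE path in the command line, or None.

    For rundll32 launches this yields the module (e.g. NvCpl.dll) rather than
    rundll32 itself, because HijackThis logs the host without a drive letter.
    """
    m = BINARY.search(command)
    return m.group("p") if m else None


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; lines outside the handled sections return None."""
    line = line.strip()
    missing = line.endswith("(file missing)")
    if m := O4_REG.match(line):
        return Entry("O4", m["hive"] + r"\..\Run", m["name"], m["cmd"], extract_binary(m["cmd"]), missing)
    if m := O4_STARTUP.match(line):
        return Entry("O4", "Global Startup", m["name"], m["cmd"], extract_binary(m["cmd"]), missing)
    if m := O18.match(line):
        return Entry("O18", "Protocol " + m["clsid"], m["name"], m["cmd"], extract_binary(m["cmd"]), missing)
    if m := O23.match(line):
        return Entry("O23", "Service (" + m["vendor"] + ")", m["name"], m["cmd"], extract_binary(m["cmd"]), missing)
    return None


def parse_log(text: str) -> list[Entry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def select_for_fix(entries: list[Entry], names: list[str]) -> list[Entry]:
    """Entries whose name is in a helper's list (case-insensitive): the ones a
    user would tick in HijackThis before pressing 'Fix checked'."""
    wanted = {n.lower() for n in names}
    return [e for e in entries if e.name.lower() in wanted]


def orphaned(entries: list[Entry]) -> list[Entry]:
    """Entries whose target binary HijackThis reports missing: dead references
    that leave only a hook behind, like the skype-ie-addon-data line above."""
    return [e for e in entries if e.file_missing]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.section:<4}{e.location:<40}{e.name:<35}{e.binary or '-'}"
              + ("  [file missing]" if e.file_missing else ""))
    print("orphaned:", [e.name for e in orphaned(parsed)])
```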


----------



## OverClocker (Aug 19, 2010)

What I did when I had this problem a year ago  was the last resort: reformatted it. I had to call back my ISP to say sorry. I was irate and blamed them after weeks of no internet connection. Nobody even dared to say "hey, maybe some virus is blocking your connection".


----------



## Cybercookie (Aug 19, 2010)

The Internet is still blocked in normal mode but mostly works in Safe Mode.  Even in Safe mode the redirect problem still occurs when I try to update Windows.  The computer will not display the update windows page.  My attempt to download HijackThis Version 2.0.4 produced a note from Windows Installer saying "The system administrator has set policies to prevent this installation."  I got the new version using a flash drive and another computer.  Superantispyware updated without difficulty.

Here are the logs you requested.

Uninstall list from hijackthis

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.2
Advanced Spyware Remover
Advanced System Protector
BatteryBar (remove only)
Bluetooth Stack for Windows by Toshiba
Broadcom Gigabit Integrated Controller
Conexant HDA D110 MDC V.92 Modem
DetectorTools
Dragon NaturallySpeaking 10
Driver Whiz
Emsisoft Anti-Malware 5.0
ESET Online Scanner v3
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
IObit Security 360
Java(TM) 6 Update 17
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.6.6)
MSN
MSN Toolbar
MSN Toolbar Platform
NVIDIA Drivers
Oz776 SCR Driver V1.1.4.2
PC-Clean
PowerDVD
QuickSet
RealPlayer
RealUpgrade 1.0
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SigmaTel Audio
Skype Toolbars
Skype™ 4.2
Sonic CinePlayer Decoder Pack
Spybot - Search & Destroy
Spyware Terminator
Spyware Vaccine 4.0
SpywareBlaster 4.3
SUPERAntiSpyware
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ Runtime for Dragon NaturallySpeaking
Windows Driver Package - Ricoh Company (rimsptsk) hdc  (11/14/2006 6.00.01.04)
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinPatrol
WinUtilities 9.77 Free Edition


SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/19/2010 at 01:59 PM
Application Version : 4.40.1002
Core Rules Database Version : 5381
Trace Rules Database Version: 3193
Scan type       : Complete Scan
Total Scan Time : 00:15:00
Memory items scanned      : 315
Memory threats detected   : 0
Registry items scanned    : 6387
Registry threats detected : 0
File items scanned        : 13213
File threats detected     : 53
Adware.Tracking Cookie
 C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[1].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[1].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@microsoftwindows.112.2o7[1].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@advertise[1].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@amlocalhost.trymedia[1].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[2].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@www.googleadservices[2].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@collective-media[1].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@liveperson[1].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@liveperson[2].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt
 C:\Documents and Settings\Administrator\Cookies\administrator@ehg-eset.hitbox[2].txt
 .revsci.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .revsci.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .revsci.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .atdmt.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .atdmt.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .apmebf.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .mediaplex.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .mediaplex.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 ad.yieldmanager.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 ad.yieldmanager.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .advertise.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 counter.surfcounters.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .bizzclick.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .adbrite.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .adbrite.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .adbrite.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .adbrite.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .revsci.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .revsci.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .hitbox.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .ehg-eset.hitbox.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .hitbox.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 bridge2.admarketplace.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 .admarketplace.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\cookies.sqlite ]
 cdn4.specificclick.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\UGA9K4VP ]
 media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\UGA9K4VP ]
 objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\UGA9K4VP ]
 secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\UGA9K4VP ]
 C:\Documents and Settings\NetworkService\Cookies\system@atdmt[2].txt
 C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt
 C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
 C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt
 C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[1].txt
 C:\Documents and Settings\NetworkService\Cookies\system@network.realmedia[1].txt
 C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[1].txt
 C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:05:25 PM, on 8/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = download.cnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
O23 - Service: ASRservice - IObit - C:\Program Files\IObit\Advanced Spyware Remover\ASRsrv.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 3835 bytes


----------



## johnb35 (Aug 20, 2010)

Please post a hijackthis log from regular bootup mode, not safe mode.  There has to be something running that is blocking your internet.  Have you tried downloading a browser like firefox and seeing if it can access the internet in regular mode?


----------



## Cybercookie (Aug 20, 2010)

OverClocker
I hope I can avoid reformatting but many problems remain.  johnb35 is doing me a great service.  However this is finally resolved, I will learn a great deal.  Thanks for your interest.


----------



## Cybercookie (Aug 20, 2010)

Firefox is blocked in regular mode and often redirected in Safe Mode.  Several attempts to download and install Google Chrome using Safe Mode have failed.  I could probably get it from a flash drive.

I can post links I have been redirected to if this would help.  I have no way to know if they are safe so I hesitate to post them where they might cause someone a problem.  Redirects occur in both Firefox and Explorer. 

Here is the hijackthis log from regular bootup mode.  It can only be sent using Safe Mode.  I use Yahoo mail to get my post to a second computer.  From there I send it to Computer Forum.  Attempts to send it directly to you from the infected computer produce the message:

The connection was reset

The connection to the server was reset while the page was loading.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:32:13 AM, on 8/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Program Files\IObit\Advanced Spyware Remover\ASRsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://librivox.org/newcatalog/visitor_advanced.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Bluetooth Manager.lnk = ?
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
O23 - Service: ASRservice - IObit - C:\Program Files\IObit\Advanced Spyware Remover\ASRsrv.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 5569 bytes
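Added example, not from this thread and not HijackThis code: a small Python script that reads HijackThis logs like the two posted above and flags the R1 ProxyServer entry. A ProxyServer value of 127.0.0.1:5577 sends every browser request to a process on the same machine; when nothing is listening on that port, Firefox reports "proxy server is refusing connections", which matches the normal-mode symptom reported earlier in this thread, and the setting stays in the registry after the process that used it is gone. The script also lists entries that appear only in the normal-boot log and not in the safe-mode one, which is the comparison johnb35 asked for. The log excerpts inside it are constructed from lines in this thread; the function names are my own.

```python
"""Added example (not HijackThis code): parse HijackThis logs, flag a
browser proxy that points back at the local machine, and diff two logs."""
import re
from typing import Dict, List, Tuple

# Constructed excerpts in HijackThis layout, built from lines in this thread.
SAFE_MODE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Safe mode with network support
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = download.cnet.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

NORMAL_MODE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://librivox.org/newcatalog/visitor_advanced.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
LOOPBACK = ("127.0.0.1", "localhost")


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (kind, body) pairs for every R*/O* entry in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def proxy_servers(entries: List[Tuple[str, str]]) -> List[str]:
    """Values of every '...Internet Settings,ProxyServer' entry (R0/R1 lines)."""
    values = []
    for kind, body in entries:
        if kind in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            if key.endswith(",ProxyServer"):
                values.append(value.strip())
    return values


def loopback_proxies(value: str) -> List[Dict[str, str]]:
    """Split a ProxyServer value ('host:port' or 'http=host:port;https=...')
    and return the parts that point back at the local machine."""
    found = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")  # scheme is '' when absent
        host, _, port = hostport.rpartition(":")
        if host.lower() in LOOPBACK or host.startswith("127."):
            found.append({"scheme": scheme or "all", "host": host, "port": port})
    return found


def audit(log: str) -> List[str]:
    """Human-readable findings for one log: every loopback proxy it configures."""
    findings = []
    for value in proxy_servers(parse_hjt(log)):
        for p in loopback_proxies(value):
            findings.append(
                f"browser proxy for {p['scheme']} traffic points at "
                f"{p['host']}:{p['port']} on this machine (ProxyServer = {value})"
            )
    return findings


def new_in_second(first: str, second: str) -> List[str]:
    """Entries present in the second log but not the first (safe mode vs.
    normal boot), so the reviewer sees what only loads on a full boot."""
    seen = set(parse_hjt(first))
    return [f"{k} - {b}" for k, b in parse_hjt(second) if (k, b) not in seen]


if __name__ == "__main__":
    for line in audit(NORMAL_MODE_LOG):
        print("FINDING:", line)
    print("only in normal boot:")
    for line in new_in_second(SAFE_MODE_LOG, NORMAL_MODE_LOG):
        print("  ", line)
```

Running it prints the proxy finding and the three entries present only in the normal-boot excerpt. The check deliberately treats any loopback proxy as a finding rather than only port 5577: legitimate local proxies exist (content filters, some antivirus web shields), so the reviewer still confirms whether a program on the uninstall list actually owns that port before clearing the setting.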


----------



## johnb35 (Aug 21, 2010)

Please download *rkill.scr* and run it and see if it deletes an active process that could be blocking your internet.  Once it's done running a log will appear.  If this doesn't show anything, I have no clue what could be going on.

You can also try resetting IE's settings by doing this.

Open up internet options and click on the advanced tab, click on the reset button under where it says reset IE's settings.  Also click on the security tab and click on where it says reset all zones to default level.

You may also want to try downloading and running *dial-a-fix*.


----------



## Cybercookie (Aug 22, 2010)

I downloaded and ran rkill.scr.  It only found 1 item which ended Downloads/rkill.scr.  I reset IE's settings as suggested.  I clicked on the security tab but could not find how to reset all zones to default level.  I downloaded and ran dial-a-fix.  I noticed no change in the computer as a result of any of this.

Let me thank you again for your help.  I can try more things if you have more suggestions.  It looks like the malware has won this round.

I recall you saying on another thread "The only thing that you really can't remove is the Virut infection."  (See Post #8 of "Windows re-installation vs. Virus Removal" posted by lubolat on 06-03-2010, 07:00 PM)  If I knew what was affecting my computer we could consider adding it to the list.

I ran about 10 or 12 antivirus and anti-malware programs before starting this thread.  In addition to finding each other they found over 100 Trojans, keystroke loggers, backdoors etc.  When I re-ran them several times they kept finding things but the number went down.  I suspect the malware was being reinstalled.  Possibly reinfections were occurring with the redirects.

The work required to clean this computer using various scans may be more than it is worth.  There is nothing wrong with the hardware.  It needs to be made usable again.  The following steps come to mind:

1.  Backup the system to an external hard drive.
2.  Reformat the computer.
3.  Use a flash drive to install an operating system and browser.
4.  Reinstall my software and external devices.
5.  Backup the new system to an external hard drive.

Instead of using a flash drive I could order a recovery disc or Microsoft Windows CD.  I should not have to buy Windows XP in this situation.  I could survive with nothing from Microsoft.  I have never done anything like this before.  How would you suggest I proceed?  If I need to buy a recovery disc or other software what would you suggest?


----------



## johnb35 (Aug 24, 2010)

Please download the new version of combofix from here and place it on your desktop.

http://download.bleepingcomputer.co...29a5b6b86fd5ed2fc065610/4c732d3d/ComboFix.exe


1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box




```
Killall::

File::
c:\windows\Onefewiy.dat
c:\windows\Fjayakiwikis.bin
c:\windows\system32\config\systemprofile\Application Data\ranmiq.dat
```

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
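Added example, not ComboFix's own code: once ComboFix has run with this CFScript, its log repeats the File:: targets and lists what it actually removed under "Other Deletions" (the log Cybercookie posts next shows that layout). The Python below checks each requested path against that section, so a file ComboFix could not delete does not pass unnoticed, and pulls the "Files Created" entries that fall in a chosen date range, which is how a reviewer narrows a log like this to the days around the start of the infection. The CFScript is the one from this post; the ComboFix log excerpt is constructed in the same layout, with one requested file deliberately left out of "Other Deletions", and uses spaces where the real log uses tabs (the parser accepts either). Function names are my own.

```python
"""Added example (not ComboFix code): cross-check a CFScript against the
ComboFix log it produces, and list files created inside a suspect window."""
import re
from typing import Dict, List

# The CFScript from this post.
CFSCRIPT = r"""
Killall::

File::
c:\windows\Onefewiy.dat
c:\windows\Fjayakiwikis.bin
c:\windows\system32\config\systemprofile\Application Data\ranmiq.dat
"""

# Constructed excerpt in ComboFix's layout (real logs separate the columns of
# the "Files Created" lines with tabs; spaces are used here). ranmiq.dat is
# deliberately absent from "Other Deletions" to show an unconfirmed deletion.
COMBOFIX_LOG = r"""
ComboFix 10-08-24.02 - Administrator 08/24/2010  13:16:34.3.2 - x86 NETWORK
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\Fjayakiwikis.bin"
"c:\windows\Onefewiy.dat"
"c:\windows\system32\config\systemprofile\Application Data\ranmiq.dat"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fjayakiwikis.bin
c:\windows\Onefewiy.dat

.
(((((((((((((((((((((((((   Files Created from 2010-07-24 to 2010-08-24  )))))))))))))))))))))))))))))))
.

2010-08-21 20:54 . 2010-08-21 20:54    --------    d-----w-    c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2010-08-08 23:08 . 2010-08-08 23:08    --------    d--h--w-    c:\windows\system32\GroupPolicy
2010-08-08 21:43 . 2010-08-08 21:43    12328    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# A ComboFix section banner looks like "(((((   Name   )))))".
SECTION_RE = re.compile(r"^\(+\s+(?P<name>.+?)\s+\)+$")

# "created . modified  size  attrs  path" lines of the Files Created section.
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)


def cfscript_files(script: str) -> List[str]:
    """Paths listed under the File:: directive, lower-cased for comparison."""
    paths, in_file = [], False
    for line in script.splitlines():
        line = line.strip()
        if re.fullmatch(r"\w+::", line):          # a directive such as Killall::
            in_file = line.lower() == "file::"
        elif in_file and line:
            paths.append(line.lower())
    return paths


def combofix_sections(log: str) -> Dict[str, List[str]]:
    """Map each section banner to the content lines under it ('.' and blank
    lines dropped); lines before the first banner go under 'header'."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def deletion_report(script: str, log: str) -> Dict[str, List[str]]:
    """Which File:: targets the log confirms as deleted, and which it does not."""
    deleted = {l.lower() for l in combofix_sections(log).get("Other Deletions", [])}
    wanted = cfscript_files(script)
    return {
        "confirmed": [p for p in wanted if p in deleted],
        "unconfirmed": [p for p in wanted if p not in deleted],
    }


def created_between(log: str, start: str, end: str) -> List[str]:
    """Paths in the 'Files Created' section created within [start, end]
    (ISO dates, so plain string comparison orders them correctly)."""
    hits = []
    for name, lines in combofix_sections(log).items():
        if not name.startswith("Files Created"):
            continue
        for line in lines:
            m = CREATED_RE.match(line)
            if m and start <= m.group("created") <= end:
                hits.append(m.group("path").strip())
    return hits


if __name__ == "__main__":
    print(deletion_report(CFSCRIPT, COMBOFIX_LOG))
    print(created_between(COMBOFIX_LOG, "2010-08-08", "2010-08-08"))
```

The date-window check is what surfaces c:\windows\system32\GroupPolicy, created on 2010-08-08 in the log posted below, the day before this thread opened. A local policy directory appearing then is consistent with the "system administrator has set policies to prevent this installation" message Cybercookie reported, since that Windows Installer error is produced by policy rather than by a broken installer package.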


----------



## Cybercookie (Aug 25, 2010)

No change in computer.  The Internet is still blocked in normal mode but works in Safe Mode.  Even in Safe Mode redirects occur at times and some things are blocked like Microsoft Updates.  Your instructions were followed in Safe Mode.

Here is the log you requested.  It looks like ComboFix deleted the file given to it.

ComboFix 10-08-24.02 - Administrator 08/24/2010  13:16:34.3.2 - x86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1759 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\Fjayakiwikis.bin"
"c:\windows\Onefewiy.dat"
"c:\windows\system32\config\systemprofile\Application Data\ranmiq.dat"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fjayakiwikis.bin
c:\windows\Onefewiy.dat
c:\windows\system32\config\systemprofile\Application Data\ranmiq.dat

.
(((((((((((((((((((((((((   Files Created from 2010-07-24 to 2010-08-24  )))))))))))))))))))))))))))))))
.

2010-08-21 20:55 . 2010-08-21 20:55	63488	----a-w-	c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-21 20:55 . 2010-08-21 20:55	52224	----a-w-	c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-21 20:55 . 2010-08-21 20:55	117760	----a-w-	c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-21 20:54 . 2010-08-21 20:54	--------	d-----w-	c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2010-08-21 20:46 . 2010-08-24 17:15	--------	d-----w-	c:\windows\system32\CatRoot2
2010-08-18 01:34 . 2010-08-18 01:34	--------	d-----w-	c:\documents and settings\All Users\Application Data\Trymedia
2010-08-18 01:05 . 2010-08-18 01:27	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-08-18 01:05 . 2010-08-18 01:06	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-08-17 22:19 . 2010-08-22 01:15	--------	d-----w-	c:\program files\Emsisoft Anti-Malware
2010-08-17 20:26 . 2010-08-17 20:26	--------	d-----w-	c:\documents and settings\user\Local Settings\Application Data\Mozilla
2010-08-17 20:19 . 2010-08-17 20:19	--------	d-----w-	c:\documents and settings\user\Application Data\Systweak
2010-08-17 20:19 . 2010-08-17 20:19	--------	d-----w-	c:\documents and settings\user\Application Data\WinPatrol
2010-08-17 19:42 . 2010-08-17 19:42	--------	d-----w-	c:\documents and settings\user\Application Data\Malwarebytes
2010-08-08 23:08 . 2010-08-08 23:08	--------	d--h--w-	c:\windows\system32\GroupPolicy
2010-08-08 21:43 . 2010-08-08 21:43	12328	----a-w-	c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-08 21:02 . 2010-08-08 21:02	--------	d-----w-	c:\documents and settings\Administrator\Application Data\InstallShield
2010-08-08 06:22 . 2010-08-08 06:22	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 00:21 . 2010-07-08 23:32	1324	----a-w-	c:\windows\system32\d3d9caps.dat
2010-08-21 22:08 . 2010-07-14 00:24	--------	d-----w-	c:\program files\WinUtilities
2010-08-21 20:59 . 2010-07-17 00:50	63488	----a-w-	c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-21 20:59 . 2010-07-17 00:50	117760	----a-w-	c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-18 01:14 . 2010-07-17 21:12	--------	d-----w-	c:\documents and settings\All Users\Application Data\Norton
2010-08-17 22:17 . 2010-07-17 18:19	--------	d-----w-	c:\program files\a-squared Free
2010-08-17 20:49 . 2010-06-29 00:16	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2010-08-17 20:12 . 2010-07-13 19:18	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-08-03 21:38 . 2010-07-17 00:27	--------	d-----w-	c:\program files\SpywareBlaster
2010-07-20 00:28 . 2010-07-20 00:27	43488992	----a-w-	c:\documents and settings\All Users\Application Data\Systweak\Advanced System Protector\Antispyware_Setup_7_19_2010.exe
2010-07-20 00:16 . 2010-07-17 20:25	--------	d-----w-	c:\documents and settings\All Users\Application Data\Spyware Terminator
2010-07-20 00:16 . 2010-07-17 20:25	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Spyware Terminator
2010-07-20 00:15 . 2010-07-17 20:24	--------	d-----w-	c:\program files\Spyware Terminator
2010-07-19 22:24 . 2010-07-17 23:56	--------	d-----w-	c:\program files\PC-Clean
2010-07-19 22:11 . 2010-07-19 22:11	--------	d-----w-	c:\program files\ESET
2010-07-18 00:45 . 2010-07-17 20:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\IObit
2010-07-18 00:45 . 2010-07-17 20:04	--------	d-----w-	c:\program files\IObit
2010-07-18 00:42 . 2010-07-17 23:56	--------	d-----w-	c:\program files\NLIA
2010-07-18 00:41 . 2010-07-18 00:41	--------	d-----w-	c:\program files\Spyware Vaccine
2010-07-18 00:12 . 2010-07-18 00:11	43488992	----a-w-	c:\documents and settings\All Users\Application Data\Systweak\Advanced System Protector\Antispyware_Setup_7_17_2010.exe
2010-07-18 00:10 . 2010-07-18 00:10	--------	d-----w-	c:\documents and settings\All Users\Application Data\Systweak
2010-07-18 00:10 . 2010-07-18 00:10	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Systweak
2010-07-18 00:09 . 2010-07-18 00:09	--------	d-----w-	c:\program files\Systweak
2010-07-17 23:56 . 2009-11-12 19:28	--------	d--h--w-	c:\program files\InstallShield Installation Information
2010-07-17 20:42 . 2010-07-17 20:42	23552	----a-w-	c:\windows\system32\drivers\phooks.sys
2010-07-17 20:35 . 2010-07-17 20:35	--------	d-----w-	c:\documents and settings\Administrator\Application Data\WinPatrol
2010-07-17 20:35 . 2010-07-17 20:35	--------	d-----w-	c:\program files\BillP Studios
2010-07-17 20:25 . 2010-07-17 20:25	6144	----a-w-	

c:\documents and settings\All Users\Application Data\Spyware 

Terminator\sp_rsdel.exe
2010-07-17 20:25 . 2010-07-17 20:25	5632	----a-w-	

c:\documents and settings\All Users\Application Data\Spyware 

Terminator\fileobjinfo.sys
2010-07-17 20:25 . 2010-07-17 20:25	142592	----a-w-	

c:\windows\system32\drivers\sp_rsdrv2.sys
2010-07-17 00:50 . 2010-07-17 00:50	52224	----a-w-	

c:\documents and settings\Administrator\Application 

Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-17 00:49 . 2010-07-17 00:49	--------	d-----w-	

c:\program files\SUPERAntiSpyware
2010-07-17 00:49 . 2010-07-17 00:49	--------	d-----w-	

c:\documents and settings\All Users\Application 

Data\SUPERAntiSpyware.com
2010-07-17 00:49 . 2010-07-17 00:49	--------	d-----w-	

c:\documents and settings\Administrator\Application 

Data\SUPERAntiSpyware.com
2010-07-17 00:43 . 2010-07-17 00:43	--------	d-----w-	

c:\program files\Trend Micro
2010-07-17 00:31 . 2010-07-17 00:31	0	----a-w-	

c:\windows\nsreg.dat
2010-07-16 23:33 . 2010-07-16 23:30	--------	d-----w-	

c:\program files\Spybot - Search & Destroy
2010-07-16 23:32 . 2010-07-16 23:30	--------	d-----w-	

c:\documents and settings\All Users\Application Data\Spybot - Search & 

Destroy
2010-07-16 23:24 . 2010-07-16 23:24	--------	dc----w-	

c:\documents and settings\All Users\Application 

Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-13 19:18 . 2010-07-13 19:18	--------	d-----w-	

c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-13 19:18 . 2010-07-13 19:18	--------	d-----w-	

c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-06 01:07 . 2010-06-07 01:12	--------	d-----w-	

c:\documents and settings\user\Application Data\Skype
2010-07-05 21:05 . 2010-06-07 01:14	--------	d-----w-	

c:\documents and settings\user\Application Data\skypePM
2010-07-04 16:29 . 2010-07-04 16:29	--------	d-----w-	

c:\program files\MSN Toolbar Installer
2010-07-04 16:29 . 2010-07-04 16:29	--------	d-----w-	

c:\program files\MSN Toolbar
2010-07-04 16:29 . 2010-07-04 16:29	--------	d-----w-	

c:\program files\Microsoft
2010-07-04 16:29 . 2010-07-04 16:29	--------	d-----w-	

c:\documents and settings\All Users\Application Data\UAB
2010-07-04 16:28 . 2010-07-04 16:28	--------	d-----w-	

c:\program files\Driver Whiz
2010-07-01 17:26 . 2010-07-01 17:26	--------	d-----w-	

c:\documents and settings\All Users\Application Data\nView_Profiles
2010-06-30 00:52 . 2010-06-30 00:52	--------	d-----w-	

c:\documents and settings\All Users\Application Data\Driver Medic
2010-06-29 22:38 . 2010-06-29 22:38	--------	d-----w-	

c:\documents and settings\All Users\Application Data\Driver Whiz
2010-06-29 00:16 . 2010-06-29 00:16	--------	d-----w-	

c:\documents and settings\user\Application Data\Nuance
2010-06-29 00:03 . 2010-06-29 00:03	--------	d-----w-	

c:\program files\Common Files\ScanSoft Shared
2010-06-29 00:03 . 2010-06-29 00:03	--------	d-----w-	

c:\program files\Common Files\Nuance
2010-06-29 00:03 . 2010-06-29 00:03	--------	d-----w-	

c:\documents and settings\All Users\Application Data\ScanSoft
2010-06-29 00:00 . 2010-06-29 00:00	--------	d-----w-	

c:\program files\Nuance
2010-06-29 00:00 . 2010-06-29 00:00	--------	d-----w-	

c:\documents and settings\All Users\Application Data\Nuance
2010-06-28 23:42 . 2010-06-28 23:42	--------	d-----w-	

c:\documents and settings\All Users\Application Data\CyberLink
2010-06-19 19:09 . 2010-06-19 19:09	49152	----a-w-	

c:\documents and settings\All Users\Application 

Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffb

rowserrecordext.dll
2010-06-19 19:09 . 2010-06-19 19:09	45056	----a-w-	

c:\documents and settings\All Users\Application 

Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-19 19:09 . 2010-06-19 19:09	45056	----a-w-	

c:\documents and settings\All Users\Application 

Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-19 19:09 . 2010-06-19 19:09	45056	----a-w-	

c:\documents and settings\All Users\Application 

Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-19 19:09 . 2010-06-19 19:09	45056	----a-w-	

c:\documents and settings\All Users\Application 

Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-19 19:09 . 2010-06-19 19:09	40960	----a-w-	

c:\documents and settings\All Users\Application 

Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrec

ordhelper.dll
2010-06-19 19:09 . 2010-06-19 19:09	308808	----a-w-	

c:\documents and settings\All Users\Application 

Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplug

in.dll
2010-06-19 19:09 . 2010-06-19 19:09	14848	----a-w-	

c:\documents and settings\All Users\Application 

Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videos

him.dll
2010-06-19 19:09 . 2010-06-19 19:09	341600	----a-w-	

c:\documents and settings\All Users\Application 

Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-19 19:09 . 2009-11-12 21:00	499712	----a-w-	

c:\windows\system32\msvcp71.dll
2010-06-19 19:09 . 2009-11-12 21:00	348160	----a-w-	

c:\windows\system32\msvcr71.dll
2010-06-07 01:14 . 2010-06-07 01:14	56	---ha-w-	

c:\windows\system32\ezsidmv.dat
.

(((((((((((((((((((((((((((((   SnapShot@2010-08-17_18.46.27   

)))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2010-08-17 18:12	71060              

c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-08-24 17:07	71060              

c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-08-24 17:07	441124              

c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-08-17 18:12	441124              

c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   

))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program 

files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-29 2403568]
"SpywareTerminatorUpdate"="c:\program files\Spyware 

Terminator\SpywareTerminatorUpdate.exe" [2010-07-17 3037696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major 

Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 

761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" 

[2007-07-20 1228800]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IObit Security 360"="c:\program files\IObit\IObit Security 

360\IS360tray.exe" [2010-06-11 1280344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba 

Stack\TosBtMng.exe [2005-11-18 1724416]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\

ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program 

files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows 

nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21	548352	----a-w-	c:\program 

files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0sasnative32

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile

]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile

\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 phooks;phooks;c:\windows\system32\drivers\phooks.sys [7/17/2010 4:42 

PM 23552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys 

[2/17/2010 2:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS 

[5/10/2010 2:41 PM 67656]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program 

files\Emsisoft Anti-Malware\a2service.exe [8/17/2010 6:19 PM 1935656]
S2 ASRservice;ASRservice;c:\program files\IObit\Advanced Spyware 

Remover\ASRsrv.exe [7/17/2010 8:48 PM 697104]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 

360\is360srv.exe [7/17/2010 8:50 PM 312152]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys 

[8/17/2010 6:19 PM 71008]
.
Contents of the 'Scheduled Tasks' folder

2010-08-22 

c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1078081533-651377827-1417

001333-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-07-03 

c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1078081533-651377827-

1417001333-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-08-21 

c:\windows\Tasks\User_Feed_Synchronization-{C2C2478F-6D2C-40DD-A921-EAC

8F6C2755B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = download.cnet.com
FF - ProfilePath - c:\documents and settings\Administrator\Application 

Data\Mozilla\Firefox\Profiles\mzkvtwkt.default\
FF - component: c:\program files\Microsoft\Search Enhancement 

Pack\Search 

Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelpe

rff.dll
FF - plugin: c:\documents and settings\All Users\Application 

Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videos

him.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: 

{20a82645-c095-46ed-80e3-08825760534b} - 

c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation 

Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {4E93CCAB-1EE4-4288-BE8E-66BB32790988} 

- c:\documents and settings\user\Local Settings\Application 

Data\{4E93CCAB-1EE4-4288-BE8E-66BB32790988}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - 

pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - 

pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_av

ailable_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - 

pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - 

pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - 

pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 

pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", 

"chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 

pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", 

"chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 

pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 

pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 

pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 

pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 

pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 

pref("dom.ipc.plugins.enabled", false);
.

***********************************************************************

***

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by 

Gmer, http://www.gmer.net
Rootkit scan 2010-08-24 13:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

***********************************************************************

***
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-651377827-1417001333-500\Software\Micro

soft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,d

f,01,15,


d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,04,0e,e6,63,b0,c7,41,99,d5

,a5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,d

f,01,15,


d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,04,0e,e6,63,b0,c7,41,99,d5

,a5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872

502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10

h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872

502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872

502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872

502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C

-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C

-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C

-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes 

---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(880)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(540)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-08-24  13:27:43 - machine was rebooted
ComboFix-quarantined-files.txt  2010-08-24 17:27
ComboFix2.txt  2010-08-24 16:12
ComboFix3.txt  2010-08-17 18:49

Pre-Run: 140,129,804,288 bytes free
Post-Run: 140,113,809,408 bytes free

- - End Of File - - 2598FFB22149F3898795105F87291E7F


----------
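The ComboFix log above is long, and the parts a helper actually reads first are the autostart entries under "Reg Loading Points" (Run keys, BootExecute, the firewall policy, the R0/S1 drivers) and the Firefox proxy setting under "FIREFOX POLICIES". The script below is an added example, not part of the thread or of ComboFix; it re-joins nothing and instead expects intact log lines, and it reports those items with a rough severity so the reviewer can look at the interesting ones first. The sample text is constructed from the log above (re-joined where the forum export had wrapped lines); the R/S letter and 0-4 digit are read as ComboFix's running/stopped state and Windows start type, and the network.proxy.type values are Mozilla's (5 means Firefox follows the system, i.e. Internet Options, proxy settings).

```python
# Added example for this thread (not part of ComboFix or of any post here):
# a triage pass over the "Reg Loading Points" and "FIREFOX POLICIES" parts of
# a ComboFix log, reporting the items a helper reviews first.
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log above, re-joined onto
# single lines where the forum export had wrapped them.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-29 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ    autocheck autochk *\0sasnative32

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 phooks;phooks;c:\windows\system32\drivers\phooks.sys [7/17/2010 4:42 PM 23552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [8/17/2010 6:19 PM 1935656]
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
"""


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "info"
    item: str
    detail: str


KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
BOOTEXEC_RE = re.compile(r"^BootExecute\s+REG_MULTI_SZ\s+(.*\S)")
# ComboFix service line: R/S = running/stopped, digit = Windows start type.
DRIVER_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")
PREF_RE = re.compile(r'\.js - pref\("([^"]+)",\s*(.+?)\);')

DEFAULT_BOOTEXEC = {"autocheck autochk *"}
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files")
START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
PROXY_TYPE = {"0": "direct", "1": "manual", "2": "PAC URL", "4": "auto-detect", "5": "system"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def bootexecute_extras(value: str) -> list[str]:
    """Entries beyond the default 'autocheck autochk *'. ComboFix prints the
    REG_MULTI_SZ separator as a literal backslash-zero."""
    entries = [e.strip() for e in value.split("\\0")]
    return [e for e in entries if e and e not in DEFAULT_BOOTEXEC]


def classify_run(name: str, target: str, meta: str) -> Finding:
    path = target.lower()
    if "\\" not in path:
        return Finding("info", name, f"autostart '{target}' has no directory; resolved via the search path")
    if not path.startswith(TRUSTED_PREFIXES):
        return Finding("medium", name, f"autostart outside Program Files/Windows: {target}")
    return Finding("info", name, f"autostart {target} [{meta}]")


def classify_driver(state: str, start: str, svc: str, path: str) -> Finding:
    where = "running" if state == "R" else "stopped"
    trusted = path.lower().startswith(TRUSTED_PREFIXES)
    # Boot/system-start kernel drivers load before most user-mode defenses.
    sev = "medium" if (not trusted or start in ("0", "1")) else "info"
    return Finding(sev, svc, f"{START_TYPE[start]}-start driver ({where}): {path}")


def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m.group(1).lower()
        elif m := DRIVER_RE.match(line):
            state, start, svc, _display, path, _meta = m.groups()
            findings.append(classify_driver(state, start, svc, path))
        elif m := BOOTEXEC_RE.match(line):
            for extra in bootexecute_extras(m.group(1)):
                findings.append(Finding("medium", "BootExecute", f"extra native-mode program runs at boot: {extra}"))
        elif (m := PREF_RE.search(line)) and m.group(1) == "network.proxy.type":
            value = m.group(2).strip()
            mode = PROXY_TYPE.get(value, "unknown")
            note = "; Firefox follows the Internet Options proxy" if mode == "system" else ""
            findings.append(Finding("info", "network.proxy.type", f"Firefox proxy mode {value} = {mode}{note}"))
        elif current_key.endswith("\\run") and (m := RUN_RE.match(line)):
            findings.append(classify_run(*m.groups()))
        elif "firewallpolicy" in current_key and not current_key.endswith("\\list"):
            if (m := FIREWALL_RE.match(line)) and m.group(1) == "0":
                findings.append(Finding("high", "EnableFirewall", "Windows Firewall is disabled in the standard profile"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable: log order kept within a level
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity:6}] {f.item}: {f.detail}")
```

On the sample, the only high finding is the disabled firewall; BootExecute and the boot/system-start drivers come out as medium, which is deliberate: they belong to the security tools installed here, but anything running at that stage is worth confirming against the product that put it there. The proxy line is informational and explains why a proxy set in Internet Options shows up in Firefox as well.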



## johnb35 (Aug 25, 2010)

There are a few more things we can do.

1.  I'm gonna have you uninstall some programs; it seems you have way too many malware and other utility programs installed and I'm wondering if some came with malware in them.  Let me know if you actually paid for any of these programs before you actually uninstall them.  

Please uninstall the following programs.

Advanced Spyware Remover
Advanced System Protector
BatteryBar (remove only)
DetectorTools
Driver Whiz
Emsisoft Anti-Malware 5.0
Java(TM) 6 Update 17
PC-Clean
Spybot - Search & Destroy
Spyware Terminator
Spyware Vaccine 4.0
WinPatrol
WinUtilities 9.77 Free Edition

2.  Please download TDSSKILLER

Download the file *TDSSKiller.zip* and save it on your desktop
Extract the file tdsskiller.zip; it will create a folder named tdsskiller on your desktop
Double-click the tdsskiller Folder on your desktop.
Right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
Highlight and copy (Ctrl+C) the text in the codebox below.


```
"%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
```


Click Start, click Run... and paste (Ctrl+V) the text above into the Open: line and click OK.
Wait for the scan and disinfection process to be over.
Open tdsskiller.txt on your desktop and post the contents in your next reply.


----------



## Cybercookie (Aug 25, 2010)

I uninstalled the programs you listed and also SpywareBlaster 4.3.  The program you suggested found and removed threats but the computer remained infected.

Here is the log you requested. 


2010/08/25 11:11:47.0250	TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/25 11:11:47.0250	================================================================================
2010/08/25 11:11:47.0250	SystemInfo:
2010/08/25 11:11:47.0250	
2010/08/25 11:11:47.0250	OS Version: 5.1.2600 ServicePack: 3.0
2010/08/25 11:11:47.0250	Product type: Workstation
2010/08/25 11:11:47.0250	ComputerName: DELL08879
2010/08/25 11:11:47.0250	UserName: Administrator
2010/08/25 11:11:47.0250	Windows directory: C:\WINDOWS
2010/08/25 11:11:47.0250	System windows directory: C:\WINDOWS
2010/08/25 11:11:47.0250	Processor architecture: Intel x86
2010/08/25 11:11:47.0250	Number of processors: 2
2010/08/25 11:11:47.0250	Page size: 0x1000
2010/08/25 11:11:47.0250	Boot type: Safe boot with network
2010/08/25 11:11:47.0250	================================================================================
2010/08/25 11:11:47.0453	Initialize success
2010/08/25 11:12:00.0921	================================================================================
2010/08/25 11:31:11.0421	Scan started
2010/08/25 11:31:11.0421	Mode: Manual;
2010/08/25 11:31:11.0421	================================================================================
2010/08/25 11:31:12.0234	ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/25 11:31:12.0281	ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/25 11:31:12.0437	aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/25 11:31:12.0500	AFD             (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/25 11:31:12.0781	APPDRV          (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2010/08/25 11:31:12.0875	Arp1394         (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/08/25 11:31:13.0125	AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/25 11:31:13.0171	atapi           (5f99255f4191b5b318ec6636e9e5a128) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/25 11:31:13.0171	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 5f99255f4191b5b318ec6636e9e5a128, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2010/08/25 11:31:13.0203	atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/25 11:31:13.0343	Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/25 11:31:13.0406	audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/25 11:31:13.0515	b57w2k          (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/08/25 11:31:13.0640	BCM43XX         (345d38f298368dd6b0df5c4f37457a22) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/08/25 11:31:13.0750	BCOREUSB        (40f8c4c10ed67b1de44abf82582bac37) C:\WINDOWS\system32\Drivers\BCOREUSB.sys
2010/08/25 11:31:13.0796	Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/25 11:31:13.0890	BthEnum         (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2010/08/25 11:31:13.0937	BthPan          (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2010/08/25 11:31:14.0015	BTHPORT         (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
2010/08/25 11:31:14.0125	BTHUSB          (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2010/08/25 11:31:14.0234	cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/25 11:31:14.0328	Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/25 11:31:14.0390	Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/25 11:31:14.0500	Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/25 11:31:14.0625	CmBatt          (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/08/25 11:31:14.0718	Compbatt        (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/08/25 11:31:15.0109	Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/25 11:31:15.0156	DLABMFSM        (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
2010/08/25 11:31:15.0187	DLABOIOM        (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
2010/08/25 11:31:15.0234	DLACDBHM        (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/08/25 11:31:15.0265	DLADResM        (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
2010/08/25 11:31:15.0312	DLAIFS_M        (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
2010/08/25 11:31:15.0359	DLAOPIOM        (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
2010/08/25 11:31:15.0390	DLAPoolM        (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
2010/08/25 11:31:15.0437	DLARTL_M        (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
2010/08/25 11:31:15.0484	DLAUDFAM        (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
2010/08/25 11:31:15.0531	DLAUDF_M        (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
2010/08/25 11:31:15.0656	dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/25 11:31:15.0718	dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/25 11:31:15.0796	dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/25 11:31:15.0843	DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/25 11:31:15.0984	drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/25 11:31:16.0062	DRVMCDB         (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/08/25 11:31:16.0125	DRVNDDM         (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/08/25 11:31:16.0234	Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/25 11:31:16.0281	Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/08/25 11:31:16.0328	Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/25 11:31:16.0421	Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/08/25 11:31:16.0515	FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/08/25 11:31:16.0578	Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/25 11:31:16.0640	Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/25 11:31:16.0703	Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/25 11:31:16.0781	guardian2       (7031a936832967a93b0e5d5f1c76745a) C:\WINDOWS\system32\Drivers\oz776.sys
2010/08/25 11:31:16.0828	HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/08/25 11:31:16.0921	HidUsb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/25 11:31:17.0093	HSF_DPV         (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
2010/08/25 11:31:17.0156	HSXHWAZL        (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
2010/08/25 11:31:17.0265	HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/25 11:31:17.0406	i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/25 11:31:17.0468	Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/25 11:31:17.0671	intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/25 11:31:17.0718	Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/08/25 11:31:17.0750	IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/25 11:31:17.0828	IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/25 11:31:17.0875	IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/25 11:31:17.0937	IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/25 11:31:18.0015	IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/25 11:31:18.0109	isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/25 11:31:18.0187	Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/25 11:31:18.0250	kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/25 11:31:18.0328	KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/25 11:31:18.0515	mdmxsdk         (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/08/25 11:31:18.0593	mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/25 11:31:18.0671	Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/25 11:31:18.0734	Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/25 11:31:18.0812	mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/25 11:31:18.0859	MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/25 11:31:18.0953	MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/25 11:31:19.0015	MRxSmb          (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/25 11:31:19.0109	Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/25 11:31:19.0203	MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/25 11:31:19.0234	MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/25 11:31:19.0281	MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/25 11:31:19.0328	mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/25 11:31:19.0406	Mup             (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/25 11:31:19.0484	NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/25 11:31:19.0515	NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/25 11:31:19.0578	Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/25 11:31:19.0640	NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/25 11:31:19.0703	NDProxy         (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/25 11:31:19.0765	NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/25 11:31:19.0843	NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/25 11:31:20.0078	NETw5x32        (90f7fad201e62732cbe6625b07e4c8f1) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
2010/08/25 11:31:20.0203	NIC1394         (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/08/25 11:31:20.0281	Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/25 11:31:20.0343	Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/25 11:31:20.0406	Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/25 11:31:20.0625	nv              (77f427e51479c66c09f967d15b639b37) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/25 11:31:20.0750	NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/25 11:31:20.0812	NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/25 11:31:20.0890	ohci1394        (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/08/25 11:31:20.0968	Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/08/25 11:31:21.0015	PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/25 11:31:21.0062	ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/25 11:31:21.0125	PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/25 11:31:21.0203	PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/25 11:31:21.0281	Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/25 11:31:21.0625	phooks          (bf017d9a12d049fde1591f9f96c63431) C:\WINDOWS\system32\drivers\phooks.sys
2010/08/25 11:31:21.0718	PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/25 11:31:21.0765	PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/25 11:31:21.0812	Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/25 11:31:21.0875	PxHelp20        (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/25 11:31:22.0125	RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/25 11:31:22.0203	Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/25 11:31:22.0296	RasPppoe        (5bc962f2654137c9909c3d4603587dee) 

C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/25 11:31:22.0328	Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) 

C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/25 11:31:22.0375	Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) 

C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/25 11:31:22.0421	RDPCDD          (4912d5b403614ce99c28420f75353332) 

C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/25 11:31:22.0500	rdpdr           (15cabd0f7c00c47c70124907916af3f1) 

C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/25 11:31:22.0609	RDPWD           (6728e45b66f93c08f11de2e316fc70dd) 

C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/25 11:31:22.0656	redbook         (f828dd7e1419b6653894a8f97a0094c5) 

C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/25 11:31:22.0750	RFCOMM          (851c30df2807fcfa21e4c681a7d6440e) 

C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2010/08/25 11:31:22.0828	rimmptsk        (d85e3fa9f5b1f29bb4ed185c450d1470) 

C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2010/08/25 11:31:22.0859	rimsptsk        (db8eb01c58c9fada00c70b1775278ae0) 

C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2010/08/25 11:31:22.0906	rismxdp         (6c1f93c0760c9f79a1869d07233df39d) 

C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2010/08/25 11:31:23.0031	SASDIFSV        (a3281aec37e0720a2bc28034c2df2a56) C:\Program 

Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/08/25 11:31:23.0078	SASKUTIL        (61db0d0756a99506207fd724e3692b25) C:\Program 

Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/08/25 11:31:23.0203	sdbus           (8d04819a3ce51b9eb47e5689b44d43c4) 

C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/08/25 11:31:23.0265	Secdrv          (90a3935d05b494a5a39d37e71f09a677) 

C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/25 11:31:23.0390	Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) 

C:\WINDOWS\system32\drivers\Serial.sys
2010/08/25 11:31:23.0468	Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) 

C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/25 11:31:23.0671	splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) 

C:\WINDOWS\system32\drivers\splitter.sys
2010/08/25 11:31:23.0796	sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) 

C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/25 11:31:23.0875	Srv             (89220b427890aa1dffd1a02648ae51c3) 

C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/25 11:31:24.0015	STHDA           (951801dfb54d86f611f0af47825476f9) 

C:\WINDOWS\system32\drivers\sthda.sys
2010/08/25 11:31:24.0093	swenum          (3941d127aef12e93addf6fe6ee027e0f) 

C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/25 11:31:24.0187	swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) 

C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/25 11:31:24.0453	SynTP           (fa2daa32bed908023272a0f77d625dae) 

C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/08/25 11:31:24.0515	sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) 

C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/25 11:31:24.0625	Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) 

C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/25 11:31:24.0703	TDPIPE          (6471a66807f5e104e4885f5b67349397) 

C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/25 11:31:24.0750	TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) 

C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/25 11:31:24.0828	TermDD          (88155247177638048422893737429d9e) 

C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/25 11:31:24.0921	toshidpt        (e362d54fd394999c4178936396664e57) 

C:\WINDOWS\system32\drivers\Toshidpt.sys
2010/08/25 11:31:25.0031	tosporte        (0470bf2d5f49ff98464ac2c838e6a080) 

C:\WINDOWS\system32\DRIVERS\tosporte.sys
2010/08/25 11:31:25.0093	Tosrfbd         (37a7d0d105110aafac6e982a2c49b8b6) 

C:\WINDOWS\system32\Drivers\tosrfbd.sys
2010/08/25 11:31:25.0109	Tosrfbnp        (613e09572f4c5b92ca6be8bdc4cc5b7d) 

C:\WINDOWS\system32\Drivers\tosrfbnp.sys
2010/08/25 11:31:25.0171	Tosrfcom        (5ba1ca3b3cddb1ddc67df473f05d1ec2) 

C:\WINDOWS\system32\Drivers\tosrfcom.sys
2010/08/25 11:31:25.0218	Tosrfhid        (f4e4795528d17ff8d1d6d98ebbb92655) 

C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
2010/08/25 11:31:25.0265	tosrfnds        (c52fd27b9adf3a1f22cb90e6bcf9b0cb) 

C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
2010/08/25 11:31:25.0328	TosRfSnd        (b5518adb2b0029ff95d22e8e7336f49f) 

C:\WINDOWS\system32\drivers\TosRfSnd.sys
2010/08/25 11:31:25.0406	Tosrfusb        (1d19323d5bc7309d9df65dad5635005c) 

C:\WINDOWS\system32\Drivers\tosrfusb.sys
2010/08/25 11:31:25.0484	Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) 

C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/25 11:31:25.0687	Update          (402ddc88356b1bac0ee3dd1580c76a31) 

C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/25 11:31:25.0781	usbaudio        (e919708db44ed8543a7c017953148330) 

C:\WINDOWS\system32\drivers\usbaudio.sys
2010/08/25 11:31:25.0921	usbccgp         (173f317ce0db8e21322e71b7e60a27e8) 

C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/25 11:31:26.0000	usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) 

C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/25 11:31:26.0093	usbhub          (1ab3cdde553b6e064d2e754efe20285c) 

C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/25 11:31:26.0156	USBSTOR         (a32426d9b14a089eaa1d922e0c5801a9) 

C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/25 11:31:26.0203	usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) 

C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/25 11:31:26.0281	VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) 

C:\WINDOWS\System32\drivers\vga.sys
2010/08/25 11:31:26.0359	VolSnap         (4c8fcb5cc53aab716d810740fe59d025) 

C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/25 11:31:26.0453	Wanarp          (e20b95baedb550f32dd489265c1da1f6) 

C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/25 11:31:26.0578	wdmaud          (6768acf64b18196494413695f0c3a00f) 

C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/25 11:31:26.0671	winachsf        (ba6b6fb242a6ba4068c8b763063beb63) 

C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
2010/08/25 11:31:26.0859	WmiAcpi         (c42584fd66ce9e17403aebca199f7bdb) 

C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/08/25 11:31:26.0953	WpdUsb          (cf4def1bf66f06964dc0d91844239104) 

C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/08/25 11:31:27.0062	WudfPf          (f15feafffbb3644ccc80c5da584e6311) 

C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/25 11:31:27.0109	WudfRd          (28b524262bce6de1f7ef9f510ba3985b) 

C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/25 11:31:27.0312	

================================================================================
2010/08/25 11:31:27.0312	Scan finished
2010/08/25 11:31:27.0312	

================================================================================
2010/08/25 11:31:27.0359	Detected object count: 1
2010/08/25 11:31:57.0625	atapi           (5f99255f4191b5b318ec6636e9e5a128) 

C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/25 11:31:57.0625	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. 

Real md5: 5f99255f4191b5b318ec6636e9e5a128, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2010/08/25 11:31:58.0437	Backup copy found, using it..
2010/08/25 11:31:58.0453	C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured after 

reboot
2010/08/25 11:31:58.0453	Rootkit.Win32.TDSS.tdl3(atapi) - User select action: Cure


----------
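The TDSSKiller log above ends with the entry that matters: for atapi.sys the tool reports two different MD5s for the same file, the one it labels "Real md5" and the one it labels "Fake md5". That mismatch, not a signature, is what marks the driver as forged, and it is the characteristic footprint of a rootkit that filters disk I/O. As an added example (not part of the original post and not TDSSKiller code), here is a small Python triage script that re-joins log lines a forum post has wrapped, lists every driver entry, and flags the forged ones together with the recorded action and anything scheduled for a cure on reboot. The sample log is constructed in the format of the thread's log; the atapi.sys hashes are the two values quoted above. Function, class and field names are my own.

```python
"""Triage a TDSSKiller-style scan log (added example, not TDSSKiller code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the thread's log format. The Tcpip line and the
# forged notice are wrapped the way the forum post wrapped them; the
# atapi.sys hashes are the two values quoted in the thread.
SAMPLE_LOG = (
    "2010/08/25 11:31:24.0625\tTcpip           (9aefa14bd6b182d61e3119fa5f436d3d) \n"
    "\n"
    "C:\\WINDOWS\\system32\\DRIVERS\\tcpip.sys\n"
    "2010/08/25 11:31:27.0359\tDetected object count: 1\n"
    "2010/08/25 11:31:57.0625\tatapi           (5f99255f4191b5b318ec6636e9e5a128) "
    "C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys\n"
    "2010/08/25 11:31:57.0625\tSuspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys. \n"
    "\n"
    "Real md5: 5f99255f4191b5b318ec6636e9e5a128, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674\n"
    "2010/08/25 11:31:58.0437\tBackup copy found, using it..\n"
    "2010/08/25 11:31:58.0453\tC:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - will be cured after reboot\n"
    "2010/08/25 11:31:58.0453\tRootkit.Win32.TDSS.tdl3(atapi) - User select action: Cure\n"
)

TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\t")
DRIVER_RE = re.compile(r"^\S+ \S+\t(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*?)\s*$")
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\.\s+Real md5: (?P<real>[0-9a-f]{32}),"
    r"\s+Fake md5: (?P<fake>[0-9a-f]{32})"
)
CURE_RE = re.compile(r"\t(?P<path>.+?) - will be cured after reboot\s*$")
ACTION_RE = re.compile(r"\t(?P<detection>[\w.]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)\s*$")


@dataclass
class DriverEntry:
    name: str
    md5: str                        # hash from the driver listing line
    path: str
    forged: bool = False
    fake_md5: Optional[str] = None  # the second, conflicting hash, if any


def unwrap(text: str) -> List[str]:
    """Re-join wrapped lines: a line without a leading timestamp continues the
    previous timestamped line; blank lines are dropped."""
    lines: List[str] = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if TS_RE.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] = lines[-1].rstrip() + " " + stripped
    return lines


def triage(text: str) -> Dict[str, list]:
    """Drivers, forged drivers, paths awaiting a reboot cure, and recorded actions."""
    drivers: List[DriverEntry] = []
    by_path: Dict[str, DriverEntry] = {}
    pending_reboot: List[str] = []
    actions: List[Dict[str, str]] = []
    for line in unwrap(text):
        m = DRIVER_RE.match(line)
        if m:
            entry = DriverEntry(m["name"], m["md5"], m["path"])
            drivers.append(entry)
            by_path[entry.path.lower()] = entry
            continue
        m = FORGED_RE.search(line)
        if m:
            entry = by_path.get(m["path"].lower())
            if entry is None:  # forged notice without a preceding listing line
                entry = DriverEntry("?", m["real"], m["path"])
                drivers.append(entry)
            entry.forged = True
            entry.fake_md5 = m["fake"]
            continue
        m = CURE_RE.search(line)
        if m:
            pending_reboot.append(m["path"])
            continue
        m = ACTION_RE.search(line)
        if m:
            actions.append({"detection": m["detection"], "name": m["name"], "action": m["action"]})
    return {
        "drivers": drivers,
        "forged": [d for d in drivers if d.forged],
        "pending_reboot": pending_reboot,
        "actions": actions,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for d in report["forged"]:
        print(f"FORGED {d.name}: {d.path} real={d.md5} fake={d.fake_md5}")
    for a in report["actions"]:
        print(f"{a['detection']} ({a['name']}): {a['action']}")
```

Running it on a log pasted from a forum, wrapped blank lines and all, yields one forged entry (atapi) with both hashes, the path scheduled for cure at reboot, and the action line. The same ordering matters on a real log: a forged notice that does not match any listing line is still kept, so a partial paste does not silently lose the finding.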



## johnb35 (Aug 28, 2010)

Please uninstall all the add-ons under Firefox, as sometimes those can cause redirects, and try surfing again.

Check in Firefox to see if there is a proxy set. Open FF, click on Tools, Options, Advanced, click on the Network tab, click Settings, and make sure no proxy is set.

Download and run *Winsockxpfix* to see if this will fix your internet connection in regular mode.


----------
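The Firefox check johnb35 describes above is a manual version of something worth scripting when a machine loses Internet access after an infection: the proxy configuration lives in a few well-known places, and a proxy pointed at a dead or hostile endpoint produces exactly the "proxy server is refusing connections" symptom reported earlier in the thread. As an added example (not from the original post and not from any tool named in it), here is a Python audit that reads three inputs and lists what a defender wants to know: a `reg export` of the WinINET Internet Settings key that Internet Explorer and Firefox's "Use system proxy settings" consult, a Firefox prefs.js, and the hosts file (a common cause of search-engine redirects). The value names (ProxyEnable, ProxyServer, AutoConfigURL, network.proxy.type) are real Windows and Firefox settings; the sample contents are constructed, and the function names are my own.

```python
"""Proxy and hosts-file audit for a machine that lost Internet access
after an infection (added example, not from the post or any tool it names).
Inputs are plain text so the script runs offline."""
import re
from typing import Dict, List, Tuple

# --- constructed samples ---------------------------------------------------
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"="<local>"
"AutoConfigURL"=""
"""
SAMPLE_PREFS = """user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 5);
"""
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.example.com   # constructed: a hijacked lookup
"""

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')
PREF_RE = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);$')
# Meaning of network.proxy.type in Firefox.
FIREFOX_PROXY_TYPES = {0: "no proxy", 1: "manual", 2: "PAC URL", 4: "auto-detect", 5: "use system proxy settings"}


def parse_reg_values(text: str) -> Dict[str, object]:
    """Values from a .reg export: REG_DWORD as int, REG_SZ as str."""
    values: Dict[str, object] = {}
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            values[m["name"]] = int(m["dword"], 16) if m["dword"] is not None else m["str"]
    return values


def parse_prefs(text: str) -> Dict[str, object]:
    """user_pref(...) lines from prefs.js as ints, bools or strings."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        v = m["value"].strip()
        if v.startswith('"') and v.endswith('"'):
            prefs[m["name"]] = v[1:-1]
        elif v in ("true", "false"):
            prefs[m["name"]] = v == "true"
        else:
            try:
                prefs[m["name"]] = int(v)
            except ValueError:
                prefs[m["name"]] = v
    return prefs


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs with comments stripped."""
    pairs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].split()
        pairs.extend((body[0], host) for host in body[1:])
    return pairs


def audit(reg_text: str, prefs_text: str, hosts_text: str) -> List[str]:
    """Human-readable findings; an empty list means nothing redirects traffic."""
    reg = parse_reg_values(reg_text)
    prefs = parse_prefs(prefs_text)
    findings: List[str] = []
    if reg.get("ProxyEnable") == 1:
        findings.append(f"WinINET proxy enabled: ProxyServer={reg.get('ProxyServer')!r}")
    if reg.get("AutoConfigURL"):
        findings.append(f"WinINET PAC script configured: {reg['AutoConfigURL']}")
    ptype = prefs.get("network.proxy.type")
    if ptype == 5 and reg.get("ProxyEnable") == 1:
        findings.append("Firefox is set to use system proxy settings, so it inherits the WinINET proxy")
    elif ptype in (1, 2):
        findings.append(f"Firefox has its own proxy configuration: {FIREFOX_PROXY_TYPES[ptype]}")
    for ip, host in parse_hosts(hosts_text):
        if not (host.lower() == "localhost" and ip in ("127.0.0.1", "::1")):
            findings.append(f"hosts file overrides {host} -> {ip}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, SAMPLE_PREFS, SAMPLE_HOSTS):
        print(finding)
```

On a live machine the registry input comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" proxy.reg`; note that `reg export` writes UTF-16, so open the file with that encoding before passing its text in. The third finding in the sample explains the thread's symptom that switching Firefox to "No proxy" helped while Internet Explorer stayed blocked: IE has no setting of its own to change, it reads the WinINET values directly.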



## Cybercookie (Aug 29, 2010)

Thank you. Things have improved.

Firefox was installed only after this problem started, but I can recall downloading no add-ons. When I checked there were 4. The first one I uninstalled. The other 3 did not offer that option in Firefox. I disabled these, as that was the choice offered.

The proxy setting was set to "Use system proxy settings". I changed this to "No proxy".

I have not tested it long but have not seen any redirects in Firefox since doing these things. Explorer is still blocked.

I now have sound in my headset. Skype has started to work.

Many programs work but not all. Some but not all downloads work. Malwarebytes updated and ran in regular mode but found nothing. SUPERAntiSpyware would not update in regular mode. It updated and ran in Safe Mode but found only Ad-ware Tracking Cookies. I am still unable to update Windows but did upgrade to Internet Explorer 8. However, it still won't work in regular mode.

Winsockxpfix was downloaded and run but did not fix the Internet connection in regular mode. I did not see a log to send you.


----------



## johnb35 (Aug 30, 2010)

I've given you a couple of days to test; have there been any more redirects? Do you have the Dell recovery CDs? It's possible that they still have the option to repair the OS instead of just formatting and installing fresh.


----------



## Cybercookie (Aug 30, 2010)

I have not seen any more redirects in safe or regular mode using either Firefox or Explorer. Explorer is still blocked in regular mode but works normally in Safe Mode. On the other hand, Skype works in regular mode but not Safe Mode. I still can't update Windows. My headphones work in regular mode but not Safe Mode.

I bought this computer recently off eBay and have no CDs of any kind. I have another computer for downloading onto a flash drive. After the problems started, System Restore showed no backups. The computer would not do many things that it does now. Few programs would start and external devices would not work. I assumed this was due to the corruption and/or deletion of the registry. I could be wrong about this. How do I tell if my registry is OK?

All scans I have run lately have found nothing but cookies. Is it safe to assume that all malware has been removed?


----------



## johnb35 (Sep 1, 2010)

I'm thinking you are clean now. I would say contact Dell and see if they can send you replacement recovery CDs so that you can repair or reinstall the OS.


----------



## Cybercookie (Sep 5, 2010)

Blue Screen Of Death

There is one thing I neglected to mention. From time to time the computer displays the Blue Screen Of Death. This occurred several times during the cleaning of the computer. It also occurred after your last post. I have not detected a pattern in when this occurs, but I had been using headphones before one incident. However, I had stopped using the headphones before it occurred. Is this Windows doing what it does, or does it suggest that a virus is still in the system?

Here are some details about the screen. The screen says a problem has been detected and Windows has been shut down to prevent damage to the computer. There is no way to copy and paste this page. The following line appears:

IRQL_NOT_LESS_OR_EQUAL

Three paragraphs of suggestions follow. I don't see how I can use this information. I have removed most of the antimalware programs I had installed earlier. I could remove more but would not know what to remove or if it helped. The following technical information appears:

*** STOP: 0x0000000A (0xE56C6936, 0x00000002, 0x00000000, 0x804E3120)

Then there is a dump of physical memory and a suggestion I contact technical support for assistance.
When this screen appears the buttons don't work to restart the computer. The only option I have found is to unplug the laptop and let the battery go down. After this it restarts without any sign that anything is different.

I plan to obtain a recovery CD from Dell as I think this will be needed in any case.


----------
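The STOP line Cybercookie quotes can be read without a memory dump, because Microsoft documents what the four parameters of bug check 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) mean: the address that was referenced, the IRQL at the time, whether the access was a read or a write, and the address of the instruction that made it. As an added example (not from the original post), here is a Python helper that parses a STOP line pasted from a forum and decodes those fields. The only assumption, stated in the code, is a 32-bit XP with the default 2 GB/2 GB split, so that addresses at or above 0x80000000 belong to the kernel; function names are my own.

```python
"""Decode a STOP line quoted from a Windows XP blue screen (added example)."""
import re
from typing import Dict, Optional

STOP_RE = re.compile(
    r"STOP:\s*0x(?P<code>[0-9A-Fa-f]{8})\s*\(\s*0x(?P<p1>[0-9A-Fa-f]{8}),\s*0x(?P<p2>[0-9A-Fa-f]{8}),"
    r"\s*0x(?P<p3>[0-9A-Fa-f]{8}),\s*0x(?P<p4>[0-9A-Fa-f]{8})\s*\)"
)
BUGCHECK_NAMES = {0x0000000A: "IRQL_NOT_LESS_OR_EQUAL"}
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
# Assumption: 32-bit XP booted with the default 2 GB/2 GB split (no /3GB),
# so kernel-mode addresses start at 0x80000000.
KERNEL_BASE_X86 = 0x80000000

# The line quoted in the thread.
SAMPLE_STOP = "*** STOP: 0x0000000A (0xE56C6936, 0x00000002, 0x00000000, 0x804E3120)"


def parse_stop_line(line: str) -> Optional[Dict[str, int]]:
    """Bug check code and its four parameters as ints, or None if absent."""
    m = STOP_RE.search(line)
    if not m:
        return None
    return {key: int(m[key], 16) for key in ("code", "p1", "p2", "p3", "p4")}


def decode_bugcheck(fields: Dict[str, int]) -> Dict[str, object]:
    """Name the parameters for the bug checks in BUGCHECK_NAMES."""
    code = fields["code"]
    out: Dict[str, object] = {"code": code, "name": BUGCHECK_NAMES.get(code, "not in table")}
    if code == 0x0000000A:
        irql = fields["p2"]
        out["referenced_address"] = fields["p1"]
        out["irql"] = irql
        out["irql_name"] = IRQL_NAMES.get(irql, f"level {irql}")
        out["access"] = "write" if fields["p3"] & 1 else "read"   # bit 0: 0 = read, 1 = write
        out["instruction_address"] = fields["p4"]
        out["instruction_in_kernel_space"] = fields["p4"] >= KERNEL_BASE_X86
        out["referenced_in_kernel_space"] = fields["p1"] >= KERNEL_BASE_X86
    return out


def describe(line: str) -> str:
    """One-sentence reading of a STOP line for a forum reply."""
    fields = parse_stop_line(line)
    if fields is None:
        return "no STOP code found in that text"
    d = decode_bugcheck(fields)
    if d["name"] != "IRQL_NOT_LESS_OR_EQUAL":
        return f"bug check 0x{fields['code']:08X} ({d['name']})"
    where = "kernel-mode" if d["instruction_in_kernel_space"] else "user-mode"
    return (f"{d['name']}: {where} code at 0x{d['instruction_address']:08X} tried to "
            f"{d['access']} address 0x{d['referenced_address']:08X} at {d['irql_name']} "
            f"(IRQL {d['irql']}); a driver or the kernel, not an application, raised this")


if __name__ == "__main__":
    print(describe(SAMPLE_STOP))
```

For the quoted line this reads as kernel-mode code at 0x804E3120 touching 0xE56C6936 at DISPATCH_LEVEL, which is the classic shape of a driver (or a component hooked into one) referencing pageable memory at too high an IRQL; it fits johnb35's "bad driver or failing hardware" reading and says nothing by itself about whether malware remains.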



## johnb35 (Sep 6, 2010)

Could be a bad driver or failing hardware.  I would wait for your reinstallation cd and reinstall windows and see what happens.


----------



## Cybercookie (Sep 26, 2010)

I have backed up the computer as best I can. Some things would not back up. This included parts of Windows as well as a few other things. I don't understand this, but I doubt it matters. I am afraid reinstalling anything from the infected computer would be unwise.

I contacted Dell and asked for a copy of Windows I could use to reinstall the operating system. They were very nice, especially considering that this is a used computer and I have never dealt with them before. They sent me a Reinstallation CD for Windows XP SP3. I assume this is what I need.

Before I insert the CD and follow whatever instructions appear, a question comes to mind. Should I reformat before attempting to reinstall Windows? Since reformatting can always be done later, it is tempting to just reinstall and see what happens.


----------



## johnb35 (Sep 27, 2010)

Whenever you want to do a fresh install, you need to delete the existing partitions, repartition and then format/install.


----------



## Cybercookie (Oct 16, 2010)

I reformatted and reinstalled Windows using the Reinstallation CD for Windows XP SP3. It seemed to go well using instructions from the CD and eHow. The computer works but will not connect to the Internet. I assume this relates to a lack of drivers. I found the Dell site for downloading drivers using another computer. I downloaded the first recommended driver, Notebook System Software (NSS), onto a flash drive and moved it to the computer I am fixing as a file. Now I cannot get the driver to install. This must be very basic, but your suggestions would be appreciated. Thanks.


----------



## johnb35 (Oct 16, 2010)

The only drivers you need to download and install are these...

audio - http://support.dell.com/support/dow...dateid=-1&formatid=-1&source=-1&fileid=235761

chipset - http://support.dell.com/support/dow...dateid=-1&formatid=-1&source=-1&fileid=149851

card reader - http://support.dell.com/support/dow...dateid=-1&formatid=-1&source=-1&fileid=188377

video - http://support.dell.com/support/dow...dateid=-1&formatid=-1&source=-1&fileid=234920

or video - http://support.dell.com/support/dow...dateid=-1&formatid=-1&source=-1&fileid=203879

lan - http://support.dell.com/support/dow...dateid=-1&formatid=-1&source=-1&fileid=153405

dial up modem - http://support.dell.com/support/dow...dateid=-1&formatid=-1&source=-1&fileid=150083

I would post links for the wireless drivers, but there are too many to choose from. Possibly having your service tag number would help.


----------



## Cybercookie (Dec 18, 2010)

Thank you again for your help.  I downloaded the suggested drivers and all seemed well.  Yesterday I tried to play Video from a DVD.  It would not play.  I went through the troubleshooting guide but nothing there helped.  I suspect reformatting deleted the DVD decoder.  How do I know if my computer has a DVD decoder?  If it does not where do I get one?  I will post this as a separate thread if you think that is better.


----------



## johnb35 (Dec 19, 2010)

Download and use VLC media player.

http://www.videolan.org/vlc/


----------



## jmh (Dec 27, 2010)

These viruses are sooooooo frustrating. I just want to scream, then cry. It will not let me run a single thing (program); it also won't let me on the Internet. I'm trying to install antivirus from CD; it won't let me do that. I have installed the malware thing John suggested, to no avail. I have tried the ComboFix thing, also rkill.exe. Nothing!!! Everything I do, it comes up with a box saying that the program or whatever I'm trying to run is infected. No S*&% Sherlock!!!
I am at my wits' end!! Pleeeaase someone help me


----------



## gamblingman (Dec 27, 2010)

jmh please start your own thread on your computer issue.


----------



## JHM (Dec 30, 2010)

One neat way to avoid all this crap is to do what I do. Put your boot drive in a hot-swap tray, and have a spare cartridge and spare drive ready to swap in if ever there are problems. Then you can format the infected drive and Ghost your OS partition back onto it from the reserve drive after formatting.


----------

