Author Topic: Malware  (Read 892 times)
earmic
Topic Starter
Beginner



Posts: 84


« on: January 22, 2012, 06:05:02 AM »

Picked up this nasty little piece of malware yesterday. Something to do with "Microsoft Security Center 2012". I see a few other posts here also. Anyway, it's blocking my AVG from running. I did run MBAM; it found 800 objects but could not fix any of them. I thought the MBAM might have been corrupted, so I removed it, and now I can't download it again. All I have is my HijackThis, which has the "O1 - Hosts: ::1 localhost" redirection that has been blocked from fixing except through the Start, Run, etc. command, which I tried but can't seem to get to work. I did manage to get a new AVG to run once and find no viruses, but now it's blocked from running. Please help.
Allan
Moderator
Genius



Thanked: 856
Posts: 14,489

Experience: Guru
OS: Windows 7



Forum Administrator
« Reply #1 on: January 22, 2012, 06:06:39 AM »

Please follow the instructions in the following link and post your logs:
http://www.computerhope.com/forum/index.php/topic,46313.0.html

You can download everything on another system and transfer them to the system in question.
earmic
Topic Starter
Beginner



Posts: 84


« Reply #2 on: January 22, 2012, 12:17:11 PM »

Now it looks like I've only got one thing left. In HijackThis, under hosts file redirections, there is the "O1 - Hosts: ::1 localhost" line I need to delete, but when I try it, it says that HijackThis has been denied access to the hosts file for some reason. When I use the directions about Start, Run, and then it tells me to edit the file myself, I can't get it to work. What am I missing?
SuperDave
Malware Removal Specialist
Moderator
Prodigy



Thanked: 617
Posts: 7,000

Certifications: List
Experience: Experienced
OS: Windows XP



« Reply #3 on: January 22, 2012, 03:09:07 PM »

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
******************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
**********************************************
Download DDS from HERE or HERE and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
* Save both reports to your desktop.
* The instructions here ask you to attach the Attach.txt.



1) DDS.txt
2) Attach.txt
Instead of attaching, please copy/paste both logs into your thread.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

•Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).

AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
earmic
Topic Starter
Beginner



Posts: 84


« Reply #4 on: January 23, 2012, 05:01:02 AM »

Here are the logs requested. The hosts redirection is still there.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:21:01 AM, on 1/23/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Online Armor\OAui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Online Armor\OAui.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Online Armor\OAcat.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Online Armor\oasrv.exe
O23 - Service: vToolbarUpdater - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
O23 - Service: WDDMService - WDC - C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
O23 - Service: WDFMEService - Western Digital  - C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
O23 - Service: WDRulesService - Western Digital  - C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe

--
End of file - 5436 bytes
Earl :: D7SXQY91 [administrator]

1/22/2012 2:36:16 PM
mbam-log-2012-01-22 (14-36-16).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 244936
Time elapsed: 31 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/22/2012 at 10:09 PM

Application Version : 5.0.1142

Core Rules Database Version : 8154
Trace Rules Database Version: 5966

Scan type       : Complete Scan
Total Scan Time : 00:32:33

Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 422
Memory threats detected   : 0
Registry items scanned    : 23375
Registry threats detected : 56
File items scanned        : 84051
File threats detected     : 1

Adware.MyWebSearch/FunWebProducts
   HKU\S-1-5-21-2856773612-2364928292-2262524725-1006\SOFTWARE\FunWebProducts
   HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}
   HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\ProxyStubClsid
   HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\ProxyStubClsid32
   HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\TypeLib
   HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\TypeLib#Version
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
   HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}
   HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\ProxyStubClsid
   HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\ProxyStubClsid32
   HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\TypeLib
   HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\TypeLib#Version
   HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}
   HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\ProxyStubClsid
   HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\ProxyStubClsid32
   HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\TypeLib
   HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\TypeLib#Version
   HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}
   HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\ProxyStubClsid
   HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\ProxyStubClsid32
   HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\TypeLib
   HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\TypeLib#Version
   HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}
   HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\ProxyStubClsid
   HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\ProxyStubClsid32
   HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\TypeLib
   HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\TypeLib#Version
   HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}
   HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\ProxyStubClsid
   HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\ProxyStubClsid32
   HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\TypeLib
   HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\TypeLib#Version
   HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}
   HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\ProxyStubClsid
   HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\ProxyStubClsid32
   HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\TypeLib
   HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\TypeLib#Version
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE#NextInstance
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Service
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Legacy
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ConfigFlags
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Class
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ClassGUID
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#DeviceDesc

Browser Hijacker.Internet Explorer Settings Hijack
   HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
   HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
   HKU\S-1-5-19_Classes\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
   HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
   HKU\S-1-5-20_Classes\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
   HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]

Adware.Tracking Cookie
   C:\DOCUMENTS AND SETTINGS\EARL\Cookies\earl@www.google[2].txt [ Cookie:earl@www.goog
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Earl at 6:48:28 on 2012-01-23
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3318.2710 [GMT -5:00]
.
AV: Malware Protection Center *Enabled/Updated* {0A22CD38-123B-4E0A-85D3-4F3C45DF26AB}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Online Armor Firewall *Enabled*
FW: Malware Protection Center *Enabled*
FW:  *Disabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Online Armor\OAui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {37153479-1976-43C3-A1EE-557513977B64} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [@OnlineArmor GUI] "c:\program files\online armor\OAui.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{B1CEA017-F4BD-4A2E-B0E7-3A9471493943} : DhcpNameServer = 10.0.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
IFEO: image file execution options - svchost.exe
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2012-1-22 205864]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2012-1-22 40296]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2012-1-22 25192]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2012-1-22 29464]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2012-1-22 207936]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2012-1-22 4363040]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-1-19 909152]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\WDDMService.exe [2011-6-29 263056]
R2 WDFMEService;WDFMEService;c:\program files\western digital\wd smartware\WDFME.exe [2011-6-29 1592208]
R2 WDRulesService;WDRulesService;c:\program files\western digital\wd smartware\WDRulesEngine.exe [2011-6-29 1091984]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-8-7 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-23 02:34:48   --------   d-----w-   c:\documents and settings\earl\application data\SUPERAntiSpyware.com
2012-01-23 02:33:53   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-01-23 02:33:53   --------   d-----w-   c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-01-22 19:26:38   --------   d-----w-   c:\documents and settings\earl\application data\OnlineArmor
2012-01-22 19:26:38   --------   d-----w-   c:\documents and settings\all users\application data\OnlineArmor
2012-01-22 19:26:14   40296   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
2012-01-22 19:26:14   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
2012-01-22 19:26:14   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
2012-01-22 19:26:14   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
2012-01-22 19:26:10   --------   d-----w-   c:\program files\Online Armor
2012-01-22 13:08:55   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-01-22 09:04:52   --------   d-----w-   c:\documents and settings\earl\application data\AVG2012
2012-01-22 08:09:21   --------   d-----w-   c:\documents and settings\all users\application data\AVG Secure Search
2012-01-21 17:57:21   --------   d-sh--w-   c:\documents and settings\earl\application data\Malware Protection Center
2012-01-21 17:57:20   --------   d-sh--w-   c:\documents and settings\all users\application data\MPDPJDIC
2012-01-21 17:56:25   --------   d-sh--w-   c:\documents and settings\all users\application data\29c85f
.
==================== Find3M  ====================
.
2011-12-28 22:27:35   2620   --sha-w-   c:\windows\system32\KGyGaAvL.sys
2011-11-25 21:57:19   293376   ----a-w-   c:\windows\system32\winsrv.dll
2011-11-23 13:25:32   1859584   ----a-w-   c:\windows\system32\win32k.sys
2011-11-18 12:35:08   60416   ----a-w-   c:\windows\system32\packager.exe
2011-11-16 22:49:12   2256   ----a-w-   c:\windows\current_settings.bin
2011-11-10 10:54:13   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-11-09 03:37:12   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51   916992   ----a-w-   c:\windows\system32\wininet.dll
2011-11-04 19:20:51   43520   ------w-   c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59   385024   ------w-   c:\windows\system32\html.iec
2011-11-03 15:28:36   386048   ----a-w-   c:\windows\system32\qdvd.dll
2011-11-03 15:28:36   1292288   ----a-w-   c:\windows\system32\quartz.dll
2011-11-01 16:07:10   1288704   ----a-w-   c:\windows\system32\ole32.dll
2011-10-28 05:31:48   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08   2148864   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02   2027008   ----a-w-   c:\windows\system32\ntkrnlpa.exe
.
============= FINISH:  6:52:21.45 ===============
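The logs above contain the indicators this thread turns on: the `O1 - Hosts` entry HijackThis cannot fix, the `IFEO` hook on svchost.exe, the Explorer `DisallowRun` policy (which fits AVG being blocked from running), the unnamed `mRun` value, "Malware Protection Center" registered with Security Center as both AV and firewall, and freshly created hidden+system directories with random names. As an added example (not a Computer Hope tool and not anything SuperDave asked for), the Python script below parses a handful of lines copied from these logs and flags those patterns for review; the heuristics, the regular expressions and the `KNOWN_PRODUCTS` list are this example's own assumptions, not any product's rule set.

```python
"""Triage of HijackThis / DDS log lines for the rogue-AV pattern seen in this thread.

Added example, not a Computer Hope tool. The sample below is constructed from
lines copied out of the logs posted in Reply #4; the heuristics are assumptions.
"""
import re

# Constructed sample: lines taken from the HijackThis and DDS logs above, with
# one benign AVG / Online Armor line per category so the checks can be seen not
# to fire on known-good software.
SAMPLE_LOG = """\
O1 - Hosts: ::1 localhost
O4 - HKLM\\..\\Run: [AVG_TRAY] "C:\\Program Files\\AVG\\AVG2012\\avgtray.exe"
AV: Malware Protection Center *Enabled/Updated* {0A22CD38-123B-4E0A-85D3-4F3C45DF26AB}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Malware Protection Center *Enabled*
mRun: [<NO NAME>]
mRun: [AVG_TRAY] "c:\\program files\\avg\\avg2012\\avgtray.exe"
uPolicies-explorer: DisallowRun = 1 (0x1)
IFEO: image file execution options - svchost.exe
2012-01-21 17:57:20   --------   d-sh--w-   c:\\documents and settings\\all users\\application data\\MPDPJDIC
2012-01-22 19:26:10   --------   d-----w-   c:\\program files\\Online Armor
"""

# Products the operator knows they installed themselves (assumption for this example).
KNOWN_PRODUCTS = ("AVG", "Online Armor")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")          # HijackThis hosts-file entry
SECCENTER_RE = re.compile(r"^(AV|FW): (.+?) \*")                  # DDS Security Center registration
EMPTY_RUN_RE = re.compile(r"^[mu]Run: \[<NO NAME>\]")             # Run value with no name
POLICY_RE = re.compile(r"^uPolicies-explorer: DisallowRun = (\d+)")
IFEO_RE = re.compile(r"^IFEO: image file execution options - (\S+)")
NEWDIR_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+-+\s+(d\S+)\s+(.+)$")  # DDS "Created Last 30" dir


def triage(log_text, known_products=KNOWN_PRODUCTS):
    """Return (kind, item, note) tuples for lines an analyst should look at."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = HOSTS_RE.match(line)
        if m:
            addr, name = m.groups()
            # HijackThis lists every hosts entry that is not the stock default;
            # ::1 is the IPv6 loopback address, so this one maps localhost to itself.
            note = "IPv6 loopback mapping" if addr == "::1" else "non-default hosts entry"
            findings.append(("hosts", f"{addr} {name}", note))
            continue
        m = SECCENTER_RE.match(line)
        if m:
            kind, product = m.groups()
            if not any(p.lower() in product.lower() for p in known_products):
                findings.append(("security-center", product, f"unrecognised {kind} registration"))
            continue
        if EMPTY_RUN_RE.match(line):
            findings.append(("autorun", line, "Run value with empty name"))
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) != "0":
            findings.append(("policy", "DisallowRun",
                             "Explorer DisallowRun policy set; can keep security tools from starting"))
            continue
        m = IFEO_RE.match(line)
        if m:
            # An IFEO entry for a system binary redirects its launch through a "debugger".
            findings.append(("ifeo", m.group(1), "Image File Execution Options hook on system binary"))
            continue
        m = NEWDIR_RE.match(line)
        if m and "h" in m.group(1) and "s" in m.group(1):
            findings.append(("hidden-dir", m.group(2), "new hidden+system directory"))
    return findings


if __name__ == "__main__":
    for kind, item, note in triage(SAMPLE_LOG):
        print(f"[{kind:15}] {item}  <- {note}")
```

On a real log you would feed the whole DDS.txt or HijackThis file to `triage()`; the constructed sample deliberately keeps the benign AVG and Online Armor lines so the product whitelist and the attribute check can be seen not to fire.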
SuperDave
Malware Removal Specialist
Moderator
Prodigy



Thanked: 617
Posts: 7,000

Certifications: List
Experience: Experienced
OS: Windows XP



« Reply #5 on: January 23, 2012, 04:24:50 PM »

Download Combofix from any of the links below, and save it to your desktop

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:


Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
earmic
Topic Starter
Beginner



Posts: 84


« Reply #6 on: January 23, 2012, 06:16:23 PM »

I disabled my AVG, downloaded the ComboFix and it ran for about 3/4 of the way through the 'green screen' and then it suddenly stops running and disappears. I tried it several times, same thing.
earmic

« Reply #7 on: January 23, 2012, 06:23:57 PM »

I closed IE and it continued to run, except it stops and warns me about the 'Malware protection center' scanner that's running, and to disable it. Is it talking about MBAM? Or something else? I can't find any 'malware protection center'.
SuperDave

« Reply #8 on: January 23, 2012, 07:05:57 PM »

Ok. Let's try this. Delete ComboFix from your desktop and download a new version.

Download ComboFix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

When saving ComboFix, rename it to PCHelpForum.exe to prevent it from being blocked by malware.

Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
  • Close any open windows and double click PCHelpForum.exe to run it.

    You will see the following image:

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.
earmic

« Reply #9 on: January 23, 2012, 07:35:21 PM »

Okay tried that, also disabled AVG like before, and closed IE, same thing happens.
SuperDave

« Reply #10 on: January 24, 2012, 04:26:07 PM »

Please try running ComboFix in Safe mode.
earmic

« Reply #11 on: January 24, 2012, 06:13:43 PM »

Was able to run it in safe mode, and it made it a little farther into the scan, then the same thing happened: the security center warning popped up. Where is this thing hiding? I can't find it anywhere.
earmic

« Reply #12 on: January 24, 2012, 06:46:30 PM »

Well, somehow I was able to get ComboFix to run. Here is the log report:
ComboFix 12-01-23.02 - Earl 01/24/2012  20:26:03.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3318.2802 [GMT -5:00]
Running from: c:\documents and settings\Earl\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Malware Protection Center *Enabled/Updated* {0A22CD38-123B-4E0A-85D3-4F3C45DF26AB}
FW:  *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Malware Protection Center *Enabled* {4EA14CFC-3409-44BF-BC95-3D4160821E44}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\29c85f
c:\documents and settings\All Users\Application Data\29c85f\71.mof
c:\documents and settings\All Users\Application Data\29c85f\MPC.ico
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
c:\documents and settings\Earl\WINDOWS
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\a155ed85f72d3a41.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\c7df7a3556de1eb9.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\drivers\1028_DELL_XPS_Dell DM051                   .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DM051                   .MRK
.
.
(((((((((((((((((((((((((   Files Created from 2011-12-25 to 2012-01-25  )))))))))))))))))))))))))))))))
.
.
2012-01-25 00:54 . 2012-01-25 00:56   --------   d-----w-   c:\documents and settings\Administrator
2012-01-23 11:32 . 2012-01-23 11:32   --------   d-----w-   c:\program files\Common Files\Java
2012-01-23 02:34 . 2012-01-23 02:34   --------   d-----w-   c:\documents and settings\Earl\Application Data\SUPERAntiSpyware.com
2012-01-23 02:33 . 2012-01-23 02:34   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-01-23 02:33 . 2012-01-23 02:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-01-22 19:26 . 2012-01-23 02:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
2012-01-22 19:26 . 2012-01-22 19:27   --------   d-----w-   c:\documents and settings\Earl\Application Data\OnlineArmor
2012-01-22 19:26 . 2011-11-01 16:34   40296   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
2012-01-22 19:26 . 2011-11-01 16:34   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
2012-01-22 19:26 . 2011-11-01 16:34   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
2012-01-22 19:26 . 2011-11-01 16:34   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
2012-01-22 19:26 . 2012-01-24 01:01   --------   d-----w-   c:\program files\Online Armor
2012-01-22 13:08 . 2011-12-10 20:24   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-01-22 09:04 . 2012-01-22 09:04   --------   d-----w-   c:\documents and settings\Earl\Application Data\AVG2012
2012-01-22 08:09 . 2012-01-22 08:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Secure Search
2012-01-21 17:57 . 2012-01-21 17:59   --------   d-sh--w-   c:\documents and settings\Earl\Application Data\Malware Protection Center
2012-01-21 17:57 . 2012-01-21 17:57   --------   d-sh--w-   c:\documents and settings\All Users\Application Data\MPDPJDIC
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2004-08-10 16:51   293376   ----a-w-   c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-10 16:51   1859584   ----a-w-   c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-10 16:51   60416   ----a-w-   c:\windows\system32\packager.exe
2011-11-10 10:54 . 2011-06-20 12:05   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2011-07-02 00:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-11-09 03:37 . 2011-05-23 23:39   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2004-08-10 16:51   916992   ----a-w-   c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 16:51   43520   ------w-   c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 16:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 16:51   385024   ------w-   c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-10 16:51   386048   ----a-w-   c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-10 16:51   1292288   ----a-w-   c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-10 16:51   1288704   ----a-w-   c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 16:50   33280   ----a-w-   c:\windows\system32\csrsrv.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-05 98304]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-11-01 2531104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-11-01 358840]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Quick View.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Quick View.lnk
backup=c:\windows\pss\WD Quick View.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-02-09 22:34   106496   ----a-w-   c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-24 00:13   77824   ----a-w-   c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 00:17   118784   ----a-w-   c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 00:17   94208   ----a-w-   c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2010-08-16 17:45   2736128   ----a-w-   c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-05-05 18:02   98304   ----a-w-   c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06   254696   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [1/22/2012 2:26 PM 205864]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [1/22/2012 2:26 PM 40296]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [1/22/2012 2:26 PM 25192]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [1/22/2012 2:26 PM 29464]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [1/22/2012 2:26 PM 207936]
R2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [1/22/2012 2:26 PM 4363040]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [1/19/2012 5:27 PM 909152]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WDDMService.exe [6/29/2011 7:01 AM 263056]
R2 WDFMEService;WDFMEService;c:\program files\Western Digital\WD SmartWare\WDFME.exe [6/29/2011 7:01 AM 1592208]
R2 WDRulesService;WDRulesService;c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe [6/29/2011 7:01 AM 1091984]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/7/2011 6:51 AM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 17:43   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{37153479-1976-43C3-A1EE-557513977B64} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-24 20:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2012-01-24  20:42:36
ComboFix-quarantined-files.txt  2012-01-25 01:42
.
Pre-Run: 55,385,833,472 bytes free
Post-Run: 56,277,286,912 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 86C8BC36E13C0EB1C10E378114C5C68D
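
The ComboFix log above carries the two signals that matter for a rogue AV of this kind. First, the AV:/FW: header lines, which ComboFix reads from the Security Center product list, show "Malware Protection Center" registered as an enabled antivirus and an enabled firewall next to the real AVG and Online Armor entries; the 71.mof file deleted from the 29c85f directory beside MPC.ico is consistent with that, since a MOF (WMI Managed Object Format) file is how a product describes itself to WMI, where Security Center keeps those entries. Second, the "Files Created" section lists two directories created on 2012-01-21 with the attribute string d-sh--w-, i.e. hidden and system, one of them named Malware Protection Center. The script below is an added example written for this page, not ComboFix's own code or anything the thread's helper posted; it pulls those two signals out of log text. The excerpt it runs on is copied from the posted log; the allow-list of known products is my assumption for this machine and would be adjusted per case.

```python
"""Pull the rogue-AV indicators out of ComboFix log text (added example, not ComboFix code)."""
import re

# Excerpt copied from the ComboFix log posted in this thread.
COMBOFIX_EXCERPT = r"""
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Malware Protection Center *Enabled/Updated* {0A22CD38-123B-4E0A-85D3-4F3C45DF26AB}
FW:  *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Malware Protection Center *Enabled* {4EA14CFC-3409-44BF-BC95-3D4160821E44}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
(((((((((((((((((((((((((   Files Created from 2011-12-25 to 2012-01-25  )))))))))))))))))))))))))))))))
.
2012-01-23 02:33 . 2012-01-23 02:34   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-01-22 19:26 . 2011-11-01 16:34   40296   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
2012-01-21 17:57 . 2012-01-21 17:59   --------   d-sh--w-   c:\documents and settings\Earl\Application Data\Malware Protection Center
2012-01-21 17:57 . 2012-01-21 17:57   --------   d-sh--w-   c:\documents and settings\All Users\Application Data\MPDPJDIC
"""

# Assumption: the products the analyst already knows are installed on this machine.
KNOWN_PRODUCTS = {"AVG Anti-Virus Free Edition 2012", "Online Armor Firewall"}

# "AV: <name> *<state>* {<guid>}" header lines; <name> may be empty (see the first FW: line).
PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|FW|AS):\s*(?P<name>.*?)\s*\*(?P<state>[^*]+)\*\s*\{(?P<guid>[0-9A-Fa-f-]+)\}\s*$"
)

# "<created> . <modified>   <size>   <attrs>   <path>" entries (Files Created and Find3M share the layout).
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>\S+)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$"
)


def security_center_products(text):
    """Every product ComboFix found registered with Security Center, in log order."""
    return [m.groupdict() for m in map(PRODUCT_RE.match, text.splitlines()) if m]


def unknown_enabled_products(text, known=KNOWN_PRODUCTS):
    """Names that claim to be an enabled AV/FW/AS product but are not on the allow-list."""
    names = {
        p["name"]
        for p in security_center_products(text)
        if p["state"].startswith("Enabled") and p["name"] not in known
    }
    return sorted(names)


def hidden_system_entries(text):
    """File entries whose attribute string carries both the system (s) and hidden (h) bits."""
    return [
        m.groupdict()
        for m in map(ENTRY_RE.match, text.splitlines())
        if m and {"s", "h"} <= set(m["attrs"])
    ]


def triage(text):
    """One line per finding, in a form an analyst can paste back into the thread."""
    lines = []
    products = security_center_products(text)
    for name in unknown_enabled_products(text):
        kinds = sorted({p["kind"] for p in products if p["name"] == name})
        lines.append(f"unrecognised Security Center product {name!r} registered as {'/'.join(kinds)}")
    for entry in hidden_system_entries(text):
        lines.append(f"hidden+system entry created {entry['created']}: {entry['path']}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(COMBOFIX_EXCERPT)))
```

Run against the excerpt it reports one unrecognised product (registered as both AV and FW) and the two hidden+system directories; a real product that is merely disabled, like the Online Armor entry, is not flagged, which keeps the output focused on things that claim to be protecting the machine.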

SuperDave

« Reply #13 on: January 25, 2012, 12:28:17 PM »

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
earmic

« Reply #14 on: January 25, 2012, 03:18:05 PM »

Here is the antirootkit log:
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: A89AE000
Module End: A89C6000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA5B2000
Module End: BA5B4000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAllocateVirtualMemory
Address: A8C4042C
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwAssignProcessToJobObject
Address: A8C3F928
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwConnectPort
Address: A8C3E64C
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateFile
Address: A8C45316
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateKey
Address: A8C47242
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreatePort
Address: A8C3E46A
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateProcess
Address: A8C3FEE8
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateProcessEx
Address: A8C3C978
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateSection
Address: A8C3C4F2
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateThread
Address: A8C3D634
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwDebugActiveProcess
Address: A8C3DD22
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwDuplicateObject
Address: A8C3E32C
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwLoadDriver
Address: A8C3F350
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenFile
Address: A8C45694
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenProcess
Address: A8165F3C
Driver Base: A8165000
Driver End: A8168000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

Function Name: ZwOpenSection
Address: A8C3C7B4
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenThread
Address: A8C3D8B0
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwProtectVirtualMemory
Address: A8C3F6DA
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwQueueApcThread
Address: A8C3FA44
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwRequestPort
Address: A8C3ECB0
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwRequestWaitReplyPort
Address: A8C3F018
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwRestoreKey
Address: A8C4510E
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwResumeThread
Address: A8C3E0CE
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSecureConnectPort
Address: A8C3E86E
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSetContextThread
Address: A8C3DBCC
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSetSystemInformation
Address: A8C400E0
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwShutdownSystem
Address: A8C3F28A
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSuspendProcess
Address: A8C3E1FE
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSuspendThread
Address: A8C3DF7A
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSystemDebugControl
Address: A8C3DE40
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwTerminateProcess
Address: A8CA2640
Driver Base: A8C98000
Driver End: A8CBA000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

Function Name: ZwTerminateThread
Address: A8166080
Driver Base: A8165000
Driver End: A8168000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

Function Name: ZwUnloadDriver
Address: A8C3F518
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwWriteVirtualMemory
Address: A816611C
Driver Base: A8165000
Driver End: A8168000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No hidden files/folders found
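
The SysProt log above lists a long run of SSDT entries, but every hook resolves to one of three drivers belonging to products the ComboFix log shows installed: OADriver.sys (Online Armor), AVGIDSShim.Sys (AVG) and SASKUTIL.SYS (SUPERAntiSpyware). The two "Hidden: Yes" kernel modules, dump_atapi.sys and dump_WMILIB.SYS, are the crash-dump copies of the storage stack that the kernel loads without a service entry, which anti-rootkit tools routinely report as hidden. The code below is an added example written for this page, not SysProt's own code, and it turns that manual reading into a repeatable check: it groups hooks by owning driver, flags any owner not on an allow-list, verifies that each hook address actually lies inside the image range the tool attributes it to (a hook that points outside its claimed driver is worth a second look), and ignores dump_* among the hidden modules. The excerpt is a subset of the posted log; the allow-list and the extra record named CONSTRUCTED_UNKNOWN are my own.

```python
"""Check SysProt AntiRootkit output against an allow-list (added example, not SysProt code)."""
import ntpath
from collections import defaultdict

# Subset of the SysProt log posted in this thread.
SYSPROT_EXCERPT = r"""
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: A89AE000
Module End: A89C6000
Hidden: Yes

SSDT:
Function Name: ZwCreateFile
Address: A8C45316
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenProcess
Address: A8165F3C
Driver Base: A8165000
Driver End: A8168000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

Function Name: ZwTerminateProcess
Address: A8CA2640
Driver Base: A8C98000
Driver End: A8CBA000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

Function Name: ZwWriteVirtualMemory
Address: A816611C
Driver Base: A8165000
Driver End: A8168000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

No Kernel Hooks found
"""

# Constructed record, NOT from the posted log: a hook owned by a driver outside the allow-list.
CONSTRUCTED_UNKNOWN = r"""
Function Name: ZwQuerySystemInformation
Address: B0001234
Driver Base: B0000000
Driver End: B0008000
Driver Name: \??\C:\WINDOWS\system32\drivers\unlisted.sys
"""

# Assumption: hooking drivers of the products known to be installed (Online Armor, AVG, SUPERAntiSpyware).
KNOWN_HOOKING_DRIVERS = {"oadriver.sys", "avgidsshim.sys", "saskutil.sys"}


def parse_records(text):
    """Yield (section, {key: value}) for each blank-line-separated block in the log."""
    section, rec = None, {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if line.endswith(":") and ": " not in line:      # "Kernel Modules:", "SSDT:"
            if rec:
                yield section, rec
                rec = {}
            section = line[:-1]
        elif not line:
            if rec:
                yield section, rec
                rec = {}
        elif ": " in line:
            key, value = line.split(": ", 1)
            rec[key] = value


def ssdt_hooks(text):
    """SSDT entries as dicts with integer addresses."""
    hooks = []
    for section, rec in parse_records(text):
        if section == "SSDT" and "Function Name" in rec:
            hooks.append({
                "function": rec["Function Name"],
                "address": int(rec["Address"], 16),
                "base": int(rec["Driver Base"], 16),
                "end": int(rec["Driver End"], 16),
                "driver": rec["Driver Name"],
            })
    return hooks


def hidden_modules(text):
    """Kernel modules the tool could not find through the normal module list."""
    return [rec["Module Name"] for section, rec in parse_records(text)
            if section == "Kernel Modules" and rec.get("Hidden") == "Yes"]


def hooks_by_driver(hooks):
    """Map driver file name (lower-case) -> sorted list of the functions it hooks."""
    groups = defaultdict(list)
    for hook in hooks:
        groups[ntpath.basename(hook["driver"]).lower()].append(hook["function"])
    return {driver: sorted(funcs) for driver, funcs in groups.items()}


def suspicious(text, known=KNOWN_HOOKING_DRIVERS):
    """Findings that need a human: unlisted hook owners, hook addresses outside the
    claimed image, and hidden modules other than the dump_* crash-dump copies."""
    findings = []
    for hook in ssdt_hooks(text):
        name = ntpath.basename(hook["driver"]).lower()
        if name not in known:
            findings.append(f"{hook['function']} hooked by unlisted driver {hook['driver']}")
        if not hook["base"] <= hook["address"] < hook["end"]:
            findings.append(f"{hook['function']} hook at {hook['address']:08X} lies outside {name}")
    for module in hidden_modules(text):
        if not ntpath.basename(module).lower().startswith("dump_"):
            findings.append(f"hidden kernel module {module}")
    return findings


if __name__ == "__main__":
    for driver, funcs in sorted(hooks_by_driver(ssdt_hooks(SYSPROT_EXCERPT)).items()):
        print(f"{driver}: {', '.join(funcs)}")
    print("findings:", suspicious(SYSPROT_EXCERPT + CONSTRUCTED_UNKNOWN))
```

On the posted log the findings list is empty; append the constructed record and exactly one finding appears, naming the unlisted driver. The allow-list is deliberately by file name only, so a practitioner would pair this with a hash or signature check of each listed driver before trusting the "all known" result.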
SuperDave

« Reply #15 on: January 26, 2012, 12:30:12 PM »

How's your computer working now?

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
earmic

« Reply #16 on: January 26, 2012, 03:43:45 PM »

At this point, I'm not seeing much of any change; my Google homepage is still going to UK, Latvia, or maybe some other 10-letter name, despite the Google homepage on my Internet Options page. When entering site addresses from my regular homepage, which does come up if I select it on the favorites list, I'm redirected to an 'Ask the crew' site and not where I want to go. I'm downloading the ESET online scanner and will post the log when I'm done. I don't see the 'Ask' toolbar on my screen and can't find any mention of it in the Add/Remove Programs page.
earmic

« Reply #17 on: January 26, 2012, 06:19:59 PM »

I ran the ESET and it found two threats, both trojans, and cleaned them. I couldn't find the first log (sorry), so I ran it again; this time it didn't find anything. In the meantime I found the first log and post it here. After disinfection, I'm still being redirected and hijacked when I enter an address on my homepage.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3fb132dba621784f9af12f29bfd21ebe
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-01-26 11:50:58
# local_time=2012-01-26 06:50:58 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 18744783 18744783 0 0
# compatibility_mode=1024 16777175 100 0 10194265 10194265 0 0
# compatibility_mode=6401 16777213 66 100 0 6531006 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=97723
# found=2
# cleaned=2
# scan_time=4022
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\29c85f\71.mof.vir   Win32/RogueAV.A trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177\A0052181.mof   Win32/RogueAV.A trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
esets_scanner_update returned -1 esets_gle=53251
esets_scanner_update returned -1 esets_gle=53251
esets_scanner_update returned -1 esets_gle=53251
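
Both ESET hits above are the same RogueAV sample, and neither is a live file: the first path is inside C:\Qoobox\Quarantine, the folder ComboFix moves removed files into (with a .vir suffix), and the second is inside a System Restore point under System Volume Information. They confirm what ComboFix already removed rather than explain the redirects the poster still sees. The code below is an added example for this page, not ESET's code; it parses the result lines and the "# found=" / "# cleaned=" header and classifies each detection by location, so a triage report separates quarantined or snapshot copies from anything still in place. The result lines are copied from the posted log; the location rules are my own.

```python
"""Sort ESET Online Scanner detections by where the file sits (added example, not ESET code)."""
import re

# Result lines copied from the ESET log posted in this thread (fields separated by runs of spaces).
ESET_EXCERPT = r"""
# scanned=97723
# found=2
# cleaned=2
# scan_time=4022
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\29c85f\71.mof.vir   Win32/RogueAV.A trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177\A0052181.mof   Win32/RogueAV.A trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
esets_scanner_update returned -1 esets_gle=53251
"""

# Assumption: location rules. Qoobox is where ComboFix keeps its quarantine; _restore{...}
# under System Volume Information is a System Restore snapshot.
LOCATION_RULES = [
    ("combofix quarantine", re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I)),
    ("system restore point", re.compile(r"\\system volume information\\_restore\{[0-9a-f-]+\}\\", re.I)),
]


def classify_location(path):
    """Label a detected path as a quarantined copy, a restore-point copy, or a live file."""
    for label, pattern in LOCATION_RULES:
        if pattern.search(path):
            return label
    return "live"


def parse_eset_log(text):
    """Return (header dict, list of detections). A detection line has at least a path
    and a verdict, separated by three or more spaces (a tab in the raw log file)."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            header[key] = value
        elif "\\" in line:                      # only real paths carry a backslash
            fields = re.split(r"\s{3,}|\t", line)
            if len(fields) >= 2:
                detections.append({
                    "path": fields[0],
                    "verdict": fields[1],
                    "location": classify_location(fields[0]),
                })
    return header, detections


def live_detections(text):
    """Detections that are neither quarantined copies nor restore-point copies."""
    return [d for d in parse_eset_log(text)[1] if d["location"] == "live"]


def counts_consistent(text):
    """True when the number of result lines matches the '# found=' header value."""
    header, detections = parse_eset_log(text)
    return int(header.get("found", -1)) == len(detections)


if __name__ == "__main__":
    header, detections = parse_eset_log(ESET_EXCERPT)
    print(f"found={header['found']} cleaned={header['cleaned']} live={len(live_detections(ESET_EXCERPT))}")
    for d in detections:
        print(f"[{d['location']}] {d['verdict']}: {d['path']}")
```

With the posted lines the live list is empty and the header count matches the parsed lines, which is the quick way to tell that a "2 threats cleaned" result did not touch anything currently running.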
SuperDave

« Reply #18 on: January 27, 2012, 12:08:47 PM »

* Go to Start > Run and type mrt.exe then press Enter on the keyboard).
* (Vista and Windows 7 users go to Start and type mrt.exe in the search box then press Enter on the keyboard.
* Click Next.
* Choose Full Scan and click Next.
* Once the scan is finished click View detailed results of the scan.

Look through the list and let me know if anything was found infected.
*********************************************************
Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double-click the setup file to run it.
  • Click Next to continue.
  • Accept the License Agreement and click Next.
  • It will, by default, install to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan, make sure these are checked:
    • Hidden Startup Objects
    • System Memory
    • Disk Boot Sectors
    • My Computer
    • Any other (removable) drives that you may have
Leave the rest of the settings at their defaults.
  • Then click on Scan at the top right-hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized, click the button that says Neutralize all.
  • If it says an object cannot be neutralized, choose the delete option when prompted.
  • After that is done, click on the Reports button at the bottom, save it to a file and name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware entries from the report (they will be at the very top, under Detected) in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
earmic
Topic Starter
Beginner



Posts: 84


« Reply #19 on: January 27, 2012, 08:49:20 PM »

The mrt.exe scan found no infections. Did the AVP Tool from Kaspersky; it also found no threats. Posted the log, only the top part as you asked; the whole thing says OK all the way down. Things seem to be okay now, for the moment: I'm not being redirected anywhere and all seems okay. Wait and see seems to be the path to follow, so unless you have anything else and nothing happens over the weekend, I'll update Monday and hope for the best. I'll continue to run scans (AVG, SAS, MBAM etc.) and check HijackThis.
Automatic Scan: completed 4 minutes ago   (events: 326806, objects: 327327, time: 02:31:06)   
1/27/2012 10:00:59 PM   Task completed         
1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.dll   Object was not changed (iChecker)   
1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.Wrapper.dll   Object was not changed (iChecker)   
1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll   Object was not changed (iChecker)   
1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll   Object was not changed (iChecker)   
1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll   Object was not changed (iChecker)   
1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_x-ww_c7dad023\GdiPlus.dll   Object was not changed (iChecker)   
1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll   Object was not changed (iChecker)   
1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll   Object was not changed (iChecker)   
1/27/2012 10:00:57 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll   Object was not changed (iChecker)   
1/27/2012 10:00:56 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\GdiPlus.dll   Object was not changed (iChecker)   
1/27/2012 10:00:56 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll   Object was not changed (iChecker)   
1/27/2012 10:00:56 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll   Object was not changed (iChecker)   
1/27/2012 10:00:56 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll   Object was not changed (iChecker)   
1/27/2012 10:00:56 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcirt.dll   Object was not changed (iChecker)   
1/27/2012 10:00:55 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll   Object was not changed (iChecker)   
1/27/2012 10:00:55 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll   Object was not changed (iChecker)   
1/27/2012 10:00:55 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll   Object was not changed (iChecker)   
1/27/2012 10:00:55 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcirt.dll   Object was not changed (iChecker)   
1/27/2012 10:00:55 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll   Object was not changed (iChecker)
SuperDave
« Reply #20 on: January 28, 2012, 11:50:51 AM »

Quote: "I'll update Monday and hope for the best. I'll continue to run scans AVG, SAS, MBAM"
That sounds like a good idea. I'll watch for your post.
earmic
« Reply #21 on: January 29, 2012, 02:28:28 PM »


Alas, the problem persists. Internet searches reveal that this seems to be a rogue trojan that is hard for antivirus and malware scanners to pick up. I'm still being redirected a lot of the time. I'll scan everything again with everything I've got updated and see what happens. This process takes 5-6 hours.
SuperDave
« Reply #22 on: January 29, 2012, 07:23:39 PM »

Please update and run another scan with SAS and post the log.

Please download aswMBR.exe (511 KB) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
earmic
« Reply #23 on: January 30, 2012, 06:05:50 PM »

Thank you for your patience... here are the two logs: SAS was updated and immediately scanned, then I did the aswMBR scan. I haven't touched anything yet. Two things on the aswMBR scan: 19:34:59.421 is yellow and 19:35:05.375 ntkrnlpa... is red.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/30/2012 at 06:51 PM

Application Version : 5.0.1142

Core Rules Database Version : 8182
Trace Rules Database Version: 5994

Scan type       : Complete Scan
Total Scan Time : 00:44:33

Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 406
Memory threats detected   : 0
Registry items scanned    : 24127
Registry threats detected : 0
File items scanned        : 94825
File threats detected     : 0

MBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-01-30 19:24:08
-----------------------------
19:24:08.234    OS Version: Windows 5.1.2600 Service Pack 3
19:24:08.234    Number of processors: 2 586 0x403
19:24:08.234    ComputerName: D7SXQY91  UserName: Earl
19:24:17.750    Initialize success
19:34:40.781    AVAST engine defs: 12013000
19:34:44.656    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
19:34:44.656    Disk 0 Vendor: ST3808110AS 3.ADH Size: 76293MB BusType: 3
19:34:44.671    Disk 0 MBR read successfully
19:34:44.671    Disk 0 MBR scan
19:34:44.703    Disk 0 unknown MBR code
19:34:44.703    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       39 MB offset 63
19:34:44.718    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        72990 MB offset 80325
19:34:44.750    Disk 0 Partition 3 00     DB  CP/M / CTOS Dell 8.0     3255 MB offset 149565150
19:34:44.781    Disk 0 scanning sectors +156232125
19:34:44.890    Disk 0 scanning C:\WINDOWS\system32\drivers
19:34:59.093    Service scanning
19:34:59.421    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
19:35:00.296    Modules scanning
19:35:05.343    Disk 0 trace - called modules:
19:35:05.375    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8af9dfa9]<<
19:35:05.375    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b079ab8]
19:35:05.375    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8b0afd98]
19:35:05.781    AVAST engine scan C:\WINDOWS
19:35:10.718    AVAST engine scan C:\WINDOWS\system32
19:37:41.890    AVAST engine scan C:\WINDOWS\system32\drivers
19:37:57.562    AVAST engine scan C:\Documents and Settings\Earl
19:40:00.296    AVAST engine scan C:\Documents and Settings\All Users
19:41:12.703    Scan finished successfully
19:53:51.750    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Earl\Desktop\MBR.dat"
19:53:51.812    The log file has been saved successfully to "C:\Documents and Settings\Earl\
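The aswMBR log above carries the three lines a reviewer looks at before deciding on any rootkit entry: the MBR code verdict ("unknown MBR code"), the **LOCKED** service, and the ">>UNKNOWN" module in the disk call trace. The Python script below is an added example, not code from aswMBR or from anyone in this thread: it parses two constructed excerpts in the posted log format (one modelled on this log, one on the log posted later in Reply #30 after FIXMBR), pulls out the partition table, and scores the indicators. The severity labels and messages are the example's own; aswMBR itself only colours the lines.

```python
"""Triage an aswMBR text log for bootkit indicators.

This is an added example, not code from aswMBR or from anyone in the thread.
The two excerpts are constructed from the logs posted in Reply #23 (before
FIXMBR) and Reply #30 (after FIXMBR): they keep the posted line format but are
shortened, not the complete logs.
"""
import re
from typing import Dict, List, Optional, Tuple

LOG_BEFORE_FIXMBR = r"""
19:34:44.671    Disk 0 MBR read successfully
19:34:44.703    Disk 0 unknown MBR code
19:34:44.703    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       39 MB offset 63
19:34:44.718    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        72990 MB offset 80325
19:34:44.750    Disk 0 Partition 3 00     DB  CP/M / CTOS Dell 8.0     3255 MB offset 149565150
19:34:59.421    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
19:35:05.375    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8af9dfa9]<<
19:35:05.375    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b079ab8]
19:41:12.703    Scan finished successfully
"""

LOG_AFTER_FIXMBR = r"""
17:26:14.171    Disk 0 Windows XP default MBR code
17:26:26.656    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
17:26:32.015    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8ad9a6d9]<<
17:35:10.703    Scan finished successfully
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(.*)$")
PART_RE = re.compile(
    r"Disk (\d+) Partition (\d+) ([0-9A-F]{2})\s+(?:\(A\)\s+)?([0-9A-F]{2})\s+"
    r"(.*?)\s+(\d+) MB offset (\d+)$"
)
LOCKED_RE = re.compile(r"Service (\S+) (.+?) \*\*LOCKED\*\*")
HOOK_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}
Finding = Tuple[str, str, str]  # (severity, timestamp, message)


def parse_partition(body: str) -> Optional[Dict]:
    """Turn a 'Disk N Partition M ...' line into a structured record."""
    m = PART_RE.search(body)
    if not m:
        return None
    return {
        "disk": int(m[1]),
        "index": int(m[2]),
        "bootable": m[3] == "80",   # status byte 0x80 marks the active partition
        "type": int(m[4], 16),      # partition type byte, e.g. 0x07 for NTFS
        "label": m[5],
        "size_mb": int(m[6]),
        "lba_offset": int(m[7]),
    }


def classify(ts: str, body: str) -> Optional[Finding]:
    """Map one log line to a finding, or None if it is routine output."""
    if "unknown MBR code" in body:
        return ("high", ts, "MBR boot code is not a recognised Windows loader; OEM loaders "
                "also trigger this, so confirm with a boot-code hash before rewriting the MBR")
    if "default MBR code" in body:
        return ("info", ts, "MBR boot code matches a standard Windows loader")
    m = LOCKED_RE.search(body)
    if m:
        return ("medium", ts, f"scanner could not open {m[2]} (service {m[1]}); "
                "self-protecting security software does this too, so verify the file offline")
    m = HOOK_RE.search(body)
    if m:
        return ("high", ts, f"disk I/O call chain passes through an unattributed module at {m[1]}; "
                "a filter no loaded driver accounts for is the usual footprint of a disk-level rootkit")
    return None


def triage(log_text: str) -> Dict:
    """Return the overall severity, the findings and the partition table seen in the log."""
    findings: List[Finding] = []
    partitions: List[Dict] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        ts, body = m.groups()
        part = parse_partition(body)
        if part:
            partitions.append(part)
            continue
        finding = classify(ts, body)
        if finding:
            findings.append(finding)
    worst = max((f[0] for f in findings), key=SEVERITY_RANK.get, default="info")
    return {"severity": worst, "findings": findings, "partitions": partitions}


if __name__ == "__main__":
    for name, text in (("before FIXMBR", LOG_BEFORE_FIXMBR), ("after FIXMBR", LOG_AFTER_FIXMBR)):
        result = triage(text)
        print(f"{name}: severity={result['severity']}")
        for sev, ts, msg in result["findings"]:
            print(f"  [{sev:6}] {ts} {msg}")
```

Run stand-alone, the script rates both excerpts "high". That is the point worth taking from the thread: after FIXMBR the boot-code verdict changes to "Windows XP default MBR code", but the unattributed module in the disk call trace is still there, and so were the redirects.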
SuperDave
« Reply #24 on: January 30, 2012, 07:29:44 PM »

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1
Link 2
Link 3

• Double-click on MBRCheck.exe to run it.
• It will open a black window... please do not fix anything (if it gives you an option).
• When complete, you should see "Done! Press ENTER to exit...". Press Enter on the keyboard.
• A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
• Please copy and paste the contents of that log in your next reply.
earmic
« Reply #25 on: January 31, 2012, 02:13:59 AM »

MBR log:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:         
Windows Version:      Windows XP Home Edition
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x0000000d

Kernel Drivers (total 140):
  0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
  0x806E5000 \WINDOWS\system32\hal.dll
  0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
  0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
  0xB9F79000 ACPI.sys
  0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
  0xB9F68000 pci.sys
  0xBA0A8000 isapnp.sys
  0xBA670000 pciide.sys
  0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
  0xBA5AC000 intelide.sys
  0xBA0B8000 MountMgr.sys
  0xB9F49000 ftdisk.sys
  0xBA330000 PartMgr.sys
  0xBA0C8000 VolSnap.sys
  0xB9F31000 atapi.sys
  0xBA0D8000 disk.sys
  0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
  0xB9F11000 fltmgr.sys
  0xB9EFF000 sr.sys
  0xBA338000 PxHelp20.sys
  0xB9EE8000 KSecDD.sys
  0xB9E5B000 Ntfs.sys
  0xB9E2E000 NDIS.sys
  0xBA340000 speedfan.sys
  0xB9E14000 Mup.sys
  0xBA671000 giveio.sys
  0xBA348000 avgrkx86.sys
  0xBA4BC000 AVGIDSEH.Sys
  0xBA2D8000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0xB9747000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
  0xB9733000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
  0xB970B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
  0xBA420000 \SystemRoot\system32\DRIVERS\usbuhci.sys
  0xB96E7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0xBA428000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0xB96B3000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
  0xB9690000 \SystemRoot\system32\DRIVERS\ks.sys
  0xB9591000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
  0xB94EA000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
  0xBA430000 \SystemRoot\System32\Drivers\Modem.SYS
  0xB94C4000 \SystemRoot\system32\DRIVERS\e100b325.sys
  0xBA438000 \SystemRoot\system32\DRIVERS\fdc.sys
  0xBA2E8000 \SystemRoot\system32\DRIVERS\imapi.sys
  0xBA2F8000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0xBA308000 \SystemRoot\system32\DRIVERS\redbook.sys
  0xBA7A7000 \SystemRoot\system32\DRIVERS\audstub.sys
  0xBA440000 \SystemRoot\system32\DRIVERS\rasirda.sys
  0xBA448000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0xBA318000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0xB9DDF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0xB94AD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0xBA108000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0xBA118000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0xBA450000 \SystemRoot\system32\DRIVERS\ptilink.sys
  0xBA458000 \SystemRoot\system32\DRIVERS\raspti.sys
  0xBA128000 \SystemRoot\system32\DRIVERS\termdd.sys
  0xBA460000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0xBA468000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0xBA5D8000 \SystemRoot\system32\DRIVERS\swenum.sys
  0xB944F000 \SystemRoot\system32\DRIVERS\update.sys
  0xB9DDB000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0xB9421000 \SystemRoot\system32\DRIVERS\MarvinBus.sys
  0xBA138000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xB986C000 \SystemRoot\system32\drivers\MODEMCSA.sys
  0xA920E000 \SystemRoot\system32\drivers\sthda.sys
  0xA91EA000 \SystemRoot\system32\drivers\portcls.sys
  0xBA168000 \SystemRoot\system32\drivers\drmk.sys
  0xBA188000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0xBA5DC000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0xBA488000 \SystemRoot\system32\DRIVERS\flpydisk.sys
  0xBA590000 \SystemRoot\System32\Drivers\i2omgmt.SYS
  0xBA1D8000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
  0xBA60C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xBA68A000 \SystemRoot\System32\Drivers\Null.SYS
  0xBA60E000 \SystemRoot\System32\Drivers\Beep.SYS
  0xBA498000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
  0xBA4A0000 \SystemRoot\System32\drivers\vga.sys
  0xBA610000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xBA612000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xBA4A8000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xBA4B0000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xB93DA000 \SystemRoot\system32\DRIVERS\rasacd.sys
  0xBA358000 \??\C:\WINDOWS\system32\drivers\OAnet.sys
  0xA90EF000 \SystemRoot\system32\DRIVERS\ipsec.sys
  0xBA1F8000 \SystemRoot\system32\DRIVERS\msgpc.sys
  0xA9096000 \SystemRoot\system32\DRIVERS\tcpip.sys
  0xBA208000 \??\C:\WINDOWS\system32\drivers\OAmon.sys
  0xA904F000 \SystemRoot\system32\DRIVERS\avgtdix.sys
  0xA9001000 \SystemRoot\system32\DRIVERS\ipnat.sys
  0xBA258000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0xA8FD9000 \SystemRoot\system32\DRIVERS\netbt.sys
  0xBA57C000 \SystemRoot\System32\drivers\ws2ifsl.sys
  0xA8FB7000 \SystemRoot\System32\drivers\afd.sys
  0xBA268000 \SystemRoot\system32\DRIVERS\netbios.sys
  0xA8F95000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
  0xBA3C0000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
  0xA8F6A000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0xBA588000 \??\C:\WINDOWS\system32\drivers\pclepci.sys
  0xBA288000 \??\C:\WINDOWS\system32\drivers\oahlp32.sys
  0xA8F39000 \??\C:\WINDOWS\system32\drivers\OADriver.sys
  0xA8EC9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0xBA298000 \SystemRoot\System32\Drivers\Fips.SYS
  0xA8DF2000 \SystemRoot\system32\DRIVERS\avgldx86.sys
  0xA9043000 \SystemRoot\system32\DRIVERS\hidusb.sys
  0xBA1E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
  0xBA408000 \SystemRoot\system32\DRIVERS\usbccgp.sys
  0xA903B000 \SystemRoot\system32\DRIVERS\usbscan.sys
  0xBA478000 \SystemRoot\system32\DRIVERS\usbprint.sys
  0xA9037000 \SystemRoot\system32\DRIVERS\mouhid.sys
  0xA8D63000 \SystemRoot\system32\drivers\wisgostrm.sys
  0xB9868000 \SystemRoot\system32\DRIVERS\kbdhid.sys
  0xBA178000 \SystemRoot\System32\Drivers\Cdfs.SYS
  0xA8CAB000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0xBA5EE000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xA8D43000 \SystemRoot\System32\drivers\Dxapi.sys
  0xBA3F0000 \SystemRoot\System32\watchdog.sys
  0xBF000000 \SystemRoot\System32\drivers\dxg.sys
  0xBA688000 \SystemRoot\System32\drivers\dxgthk.sys
  0xBF021000 \SystemRoot\System32\ialmdnt5.dll
  0xBF012000 \SystemRoot\System32\ialmrnt5.dll
  0xBF043000 \SystemRoot\System32\ialmdev5.DLL
  0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
  0xBF16E000 \SystemRoot\System32\ATMFD.DLL
  0xA8AB5000 \SystemRoot\system32\DRIVERS\irda.sys
  0xA8B4F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
  0xA8889000 \SystemRoot\System32\Drivers\Fastfat.SYS
  0xA875C000 \SystemRoot\system32\drivers\wdmaud.sys
  0xA88D5000 \SystemRoot\system32\drivers\sysaudio.sys
  0xA84DF000 \SystemRoot\system32\DRIVERS\mrxdav.sys
  0xBA630000 \SystemRoot\System32\Drivers\ASCTRM.SYS
  0xA8520000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
  0xA8558000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
  0xA836F000 \SystemRoot\system32\DRIVERS\srv.sys
  0xA8C9B000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
  0xA8237000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
  0xA7EAE000 \SystemRoot\System32\Drivers\HTTP.sys
  0xA7A55000 \SystemRoot\system32\drivers\kmixer.sys
  0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 33):
       0 System Idle Process
       4 System
     496 C:\WINDOWS\system32\smss.exe
     528 C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
     560 C:\Program Files\AVG\AVG2012\avgcsrvx.exe
     752 csrss.exe
     776 C:\WINDOWS\system32\winlogon.exe
     836 C:\WINDOWS\system32\services.exe
     848 C:\WINDOWS\system32\lsass.exe
    1020 C:\WINDOWS\system32\svchost.exe
    1068 svchost.exe
    1148 C:\WINDOWS\system32\svchost.exe
    1272 svchost.exe
    1308 svchost.exe
    1400 C:\Program Files\Online Armor\oacat.exe
    1516 C:\Program Files\Online Armor\oasrv.exe
    1668 C:\WINDOWS\explorer.exe
    1912 C:\WINDOWS\system32\spoolsv.exe
    1796 svchost.exe
     144 C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    1508 C:\WINDOWS\system32\svchost.exe
    2176 wdfmgr.exe
    2472 C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    2756 C:\Program Files\AVG\AVG2012\avgnsx.exe
    2836 C:\Program Files\AVG\AVG2012\avgemcx.exe
    3460 alg.exe
    3852 C:\Program Files\AVG\AVG2012\avgtray.exe
    4000 C:\Program Files\Online Armor\oaui.exe
    2884 C:\Program Files\Online Armor\oahlp.exe
    2648 C:\WINDOWS\system32\wuauclt.exe
    2448 C:\Program Files\Internet Explorer\iexplore.exe
    3308 C:\Program Files\Internet Explorer\iexplore.exe
    5384 C:\Documents and Settings\Earl\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00  (NTFS)

PhysicalDrive0 Model Number: ST3808110AS, Rev: 3.ADH   

      Size  Device Name          MBR Status
  --------------------------------------------
     74 GB  \\.\PhysicalDrive0   Unknown MBR code
            SHA1: BF118E4CFC2D7C7489A85AC7AD11D2A979F7482 4


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
  [1] Dump the MBR of a physical disk to file.
  [2] Restore the MBR of a physical disk with a standard boot code.
  [3] Exit.

Enter your choice:

Done!
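MBRCheck's "Unknown MBR code" verdict above comes from comparing a hash of the boot code with a list of known loaders, next to a plain read of the partition table. The Python below is an added example, not MBRCheck's, aswMBR's or the thread's code: it builds a constructed 512-byte MBR that reproduces the partition layout in the posted logs (Dell Utility, active NTFS, Dell recovery), parses it, hashes the boot code and checks the hash against a baseline. The loader bytes, the disk signature and the baseline entry are placeholders; in practice the baseline holds the SHA1 values recorded on a known-clean machine of the same OEM image, because an OEM loader such as the one on a Dell disk with a utility partition reads as "Unknown" to a Windows-only list without being malicious.

```python
"""Parse a raw 512-byte MBR and check its boot code against a hash baseline.

This is an added example, not MBRCheck's or aswMBR's code. The partition table
is constructed to reproduce the layout in the posted logs; the boot code bytes,
disk signature and baseline entry are placeholders, not the real Windows XP or
Dell loader.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440       # bytes 0..439: loader code
DISK_SIG_OFFSET = 440     # bytes 440..443: NT disk signature
TABLE_OFFSET = 446        # four 16-byte partition entries, then 0x55AA
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

# Placeholder loader bytes (constructed). A real baseline holds the hash of the
# genuine loader captured from a clean install of the same OEM image.
CLEAN_BOOT_CODE = b"PLACEHOLDER XP LOADER - not the real bytes".ljust(BOOT_CODE_LEN, b"\x90")
BASELINE = {hashlib.sha1(CLEAN_BOOT_CODE).hexdigest().upper():
            "Windows XP default MBR code (placeholder baseline)"}


def build_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one partition entry; CHS fields get the usual 'use LBA' filler."""
    return struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                       lba_start, sectors)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR with the three-partition layout from the thread's logs."""
    table = (build_entry(0x00, 0xDE, 63, 80262)             # Dell Utility, 39 MB
             + build_entry(0x80, 0x07, 80325, 149484825)    # active NTFS, 72990 MB
             + build_entry(0x00, 0xDB, 149565150, 6666975)  # Dell recovery, 3255 MB
             + bytes(16))                                   # unused fourth slot
    disk_signature = struct.pack("<I", 0xDEADBEEF)          # placeholder signature
    return boot_code[:BOOT_CODE_LEN] + disk_signature + b"\x00\x00" + table + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> Dict:
    """Split an MBR into boot-code hash, disk signature and partition records."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions: List[Dict] = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count,
                           "size_mb": count * SECTOR // (1024 * 1024)})
    return {"boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
            "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
            "partitions": partitions}


def assess(mbr: bytes, baseline: Dict[str, str] = BASELINE) -> Dict:
    """Verdict on the boot code plus sanity checks on the partition table."""
    info = parse_mbr(mbr)
    verdict = baseline.get(info["boot_code_sha1"], "Unknown MBR code")
    issues: List[str] = []
    if verdict == "Unknown MBR code":
        issues.append("boot code hash is not in the baseline (non-standard or modified loader)")
    active = [p["index"] for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        issues.append(f"expected exactly one active partition, found {active}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end), (start, _) in zip(spans, spans[1:]):
        if start < end:
            issues.append("overlapping partition entries")
    return {"verdict": verdict, "issues": issues, **info}


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    # One patched byte in the loader is enough to change the verdict.
    tampered = build_sample_mbr(b"\xeb" + CLEAN_BOOT_CODE[1:])
    for name, mbr in (("clean", clean), ("tampered", tampered)):
        r = assess(mbr)
        print(name, r["verdict"], r["issues"])
        for p in r["partitions"]:
            print(f"  #{p['index']} {'*' if p['bootable'] else ' '} type 0x{p['type']:02X} "
                  f"{p['size_mb']} MB offset {p['lba_start']}")
```

The partition sizes and offsets the parser prints match the aswMBR lines in the thread (39 MB at 63, 72990 MB at 80325, 3255 MB at 149565150), and the three entries abut exactly, which is the layout sanity check a reviewer does by eye. The tampered copy differs from the clean one in a single loader byte and gets the "Unknown MBR code" verdict with an identical partition table, which is why a boot-code hash, not the partition listing, decides the MBR question.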
SuperDave
« Reply #26 on: January 31, 2012, 11:31:11 AM »


Earlier on, ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and, when the Boot Menu flashes up, select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key, as you only have a couple of seconds before it defaults to the Windows XP bootup).

When you get to the above screen, take note of the number that references your operating system.

If it's '1' like the picture above, type 1 and press Enter.

Next, type FIXMBR

If it asks if you're sure you want to write a new MBR, answer 'Y'.

Then type EXIT to reboot the machine.

With that done, please post back and let me know how things are now.
earmic
« Reply #27 on: January 31, 2012, 02:59:01 PM »

It's absolutely amazing... no redirections at all! I'm going to try a few of the sites this evening. Thank you, thank you! I'll let you know.
earmic
« Reply #28 on: January 31, 2012, 06:26:26 PM »

Well, that lasted about 20 minutes. Back where we started: UK, Latvia, Spain...
SuperDave
« Reply #29 on: February 01, 2012, 12:15:16 PM »

Please run MBRCheck.exe again and post the log.
earmic
« Reply #30 on: February 01, 2012, 03:38:59 PM »

Here is the aswMBR log:
17:26:26.656 is yellow and 17:26:32.015 is red.
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-01 16:51:05
-----------------------------
16:51:05.312    OS Version: Windows 5.1.2600 Service Pack 3
16:51:05.312    Number of processors: 2 586 0x403
16:51:05.312    ComputerName: D7SXQY91  UserName: Earl
16:51:05.625    Initialize success
17:00:43.890    AVAST engine defs: 12020100
17:26:14.093    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
17:26:14.093    Disk 0 Vendor: ST3808110AS 3.ADH Size: 76293MB BusType: 3
17:26:14.109    Disk 0 MBR read successfully
17:26:14.109    Disk 0 MBR scan
17:26:14.171    Disk 0 Windows XP default MBR code
17:26:14.171    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       39 MB offset 63
17:26:14.203    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        72990 MB offset 80325
17:26:14.218    Disk 0 Partition 3 00     DB  CP/M / CTOS Dell 8.0     3255 MB offset 149565150
17:26:14.234    Disk 0 scanning sectors +156232125
17:26:14.296    Disk 0 scanning C:\WINDOWS\system32\drivers
17:26:26.390    Service scanning
17:26:26.656    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
17:26:27.453    Modules scanning
17:26:31.968    Disk 0 trace - called modules:
17:26:32.015    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8ad9a6d9]<<
17:26:32.015    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b09eab8]
17:26:32.015    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8b085d98]
17:26:32.250    AVAST engine scan C:\WINDOWS
17:26:39.515    AVAST engine scan C:\WINDOWS\system32
17:29:14.718    AVAST engine scan C:\WINDOWS\system32\drivers
17:29:30.359    AVAST engine scan C:\Documents and Settings\Earl
17:33:18.328    AVAST engine scan C:\Documents and Settings\All Users
17:35:10.703    Scan finished successfully
17:35:42.359    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Earl\Desktop\MBR.dat"
17:35:42.359    The log file has been saved successfully to "C:\Documents and Settings\Earl\Desktop\aswMBR1.txt"
SuperDave
« Reply #31 on: February 01, 2012, 04:54:52 PM »

Please run the MBR check from Reply #24.
earmic
« Reply #32 on: February 02, 2012, 03:16:50 PM »

Okay, how's this...
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:         
Windows Version:      Windows XP Home Edition
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x0000000d

Kernel Drivers (total 140):
  0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
  0x806E5000 \WINDOWS\system32\hal.dll
  0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
  0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
  0xB9F79000 ACPI.sys
  0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
  0xB9F68000 pci.sys
  0xBA0A8000 isapnp.sys
  0xBA670000 pciide.sys
  0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
  0xBA5AC000 intelide.sys
  0xBA0B8000 MountMgr.sys
  0xB9F49000 ftdisk.sys
  0xBA330000 PartMgr.sys
  0xBA0C8000 VolSnap.sys
  0xB9F31000 atapi.sys
  0xBA0D8000 disk.sys
  0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
  0xB9F11000 fltmgr.sys
  0xB9EFF000 sr.sys
  0xBA338000 PxHelp20.sys
  0xB9EE8000 KSecDD.sys
  0xB9E5B000 Ntfs.sys
  0xB9E2E000 NDIS.sys
  0xBA340000 speedfan.sys
  0xB9E14000 Mup.sys
  0xBA671000 giveio.sys
  0xBA348000 avgrkx86.sys
  0xBA4BC000 AVGIDSEH.Sys
  0xBA298000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0xB96CD000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
  0xB96B9000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
  0xB9691000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
  0xBA418000 \SystemRoot\system32\DRIVERS\usbuhci.sys
  0xB966D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0xBA420000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0xB9639000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
  0xB9616000 \SystemRoot\system32\DRIVERS\ks.sys
  0xB9517000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
  0xB9470000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
  0xBA428000 \SystemRoot\System32\Drivers\Modem.SYS
  0xB944A000 \SystemRoot\system32\DRIVERS\e100b325.sys
  0xBA430000 \SystemRoot\system32\DRIVERS\fdc.sys
  0xBA2A8000 \SystemRoot\system32\DRIVERS\imapi.sys
  0xBA2B8000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0xBA2C8000 \SystemRoot\system32\DRIVERS\redbook.sys
  0xBA761000 \SystemRoot\system32\DRIVERS\audstub.sys
  0xBA438000 \SystemRoot\system32\DRIVERS\rasirda.sys
  0xBA440000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0xBA2D8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0xBA594000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0xB9433000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0xBA2E8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0xBA2F8000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0xBA448000 \SystemRoot\system32\DRIVERS\ptilink.sys
  0xBA450000 \SystemRoot\system32\DRIVERS\raspti.sys
  0xBA308000 \SystemRoot\system32\DRIVERS\termdd.sys
  0xBA458000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0xBA460000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0xBA5D2000 \SystemRoot\system32\DRIVERS\swenum.sys
  0xB93D5000 \SystemRoot\system32\DRIVERS\update.sys
  0xBA5A0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0xB93A7000 \SystemRoot\system32\DRIVERS\MarvinBus.sys
  0xBA318000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xBA57C000 \SystemRoot\system32\drivers\MODEMCSA.sys
  0xA8F79000 \SystemRoot\system32\drivers\sthda.sys
  0xA8F55000 \SystemRoot\system32\drivers\portcls.sys
  0xBA188000 \SystemRoot\system32\drivers\drmk.sys
  0xBA158000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0xBA616000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0xBA498000 \SystemRoot\system32\DRIVERS\flpydisk.sys
  0xB9155000 \SystemRoot\System32\Drivers\i2omgmt.SYS
  0xBA198000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
  0xBA61A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xBA7CB000 \SystemRoot\System32\Drivers\Null.SYS
  0xBA61C000 \SystemRoot\System32\Drivers\Beep.SYS
  0xBA4A8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
  0xBA3D0000 \SystemRoot\System32\drivers\vga.sys
  0xA8E8D000 \SystemRoot\system32\DRIVERS\hidusb.sys
  0xBA208000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
  0xBA662000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xBA664000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xBA3D8000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xBA3E0000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xBA588000 \SystemRoot\system32\DRIVERS\rasacd.sys
  0xBA3E8000 \??\C:\WINDOWS\system32\drivers\OAnet.sys
  0xA8E5A000 \SystemRoot\system32\DRIVERS\ipsec.sys
  0xBA218000 \SystemRoot\system32\DRIVERS\msgpc.sys
  0xA8E01000 \SystemRoot\system32\DRIVERS\tcpip.sys
  0xBA228000 \??\C:\WINDOWS\system32\drivers\OAmon.sys
  0xA8DBA000 \SystemRoot\system32\DRIVERS\avgtdix.sys
  0xA8D6C000 \SystemRoot\system32\DRIVERS\ipnat.sys
  0xA8D44000 \SystemRoot\system32\DRIVERS\netbt.sys
  0xB9149000 \SystemRoot\System32\drivers\ws2ifsl.sys
  0xA8D22000 \SystemRoot\System32\drivers\afd.sys
  0xBA238000 \SystemRoot\system32\DRIVERS\netbios.sys
  0xA8D00000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
  0xBA3F0000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
  0xA8CD5000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0xB980A000 \??\C:\WINDOWS\system32\drivers\pclepci.sys
  0xBA258000 \??\C:\WINDOWS\system32\drivers\oahlp32.sys
  0xA8CA4000 \??\C:\WINDOWS\system32\drivers\OADriver.sys
  0xA8C34000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0xBA268000 \SystemRoot\System32\Drivers\Fips.SYS
  0xBA3F8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
  0xA8B5D000 \SystemRoot\system32\DRIVERS\avgldx86.sys
  0xBA288000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0xB97EA000 \SystemRoot\system32\DRIVERS\usbscan.sys
  0xBA358000 \SystemRoot\system32\DRIVERS\usbprint.sys
  0xBA558000 \SystemRoot\system32\DRIVERS\mouhid.sys
  0xA8ACE000 \SystemRoot\system32\drivers\wisgostrm.sys
  0xBA568000 \SystemRoot\system32\DRIVERS\kbdhid.sys
  0xA8EE5000 \SystemRoot\System32\Drivers\Cdfs.SYS
  0xA8A16000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0xBA650000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xA8A4E000 \SystemRoot\System32\drivers\Dxapi.sys
  0xBA3C0000 \SystemRoot\System32\watchdog.sys
  0xBF000000 \SystemRoot\System32\drivers\dxg.sys
  0xBA7B7000 \SystemRoot\System32\drivers\dxgthk.sys
  0xBF021000 \SystemRoot\System32\ialmdnt5.dll
  0xBF012000 \SystemRoot\System32\ialmrnt5.dll
  0xBF043000 \SystemRoot\System32\ialmdev5.DLL
  0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
  0xBF16E000 \SystemRoot\System32\ATMFD.DLL
  0xA8820000 \SystemRoot\system32\DRIVERS\irda.sys
  0xA899E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
  0xA85F4000 \SystemRoot\System32\Drivers\Fastfat.SYS
  0xA849F000 \SystemRoot\system32\drivers\wdmaud.sys
  0xA8688000 \SystemRoot\system32\drivers\sysaudio.sys
  0xA824C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
  0xBA5B2000 \SystemRoot\System32\Drivers\ASCTRM.SYS
  0xA84B8000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
  0xA8228000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
  0xA81A4000 \SystemRoot\system32\DRIVERS\srv.sys
  0xBA390000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
  0xA8044000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
  0xA7C6B000 \SystemRoot\System32\Drivers\HTTP.sys
  0xA7379000 \SystemRoot\system32\drivers\kmixer.sys
  0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):
       0 System Idle Process
       4 System
     512 C:\WINDOWS\system32\smss.exe
     544 C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
     576 C:\Program Files\AVG\AVG2012\avgcsrvx.exe
     780 csrss.exe
     812 C:\WINDOWS\system32\winlogon.exe
     856 C:\WINDOWS\system32\services.exe
     868 C:\WINDOWS\system32\lsass.exe
    1044 C:\WINDOWS\system32\svchost.exe
    1092 svchost.exe
    1172 C:\WINDOWS\system32\svchost.exe
    1300 svchost.exe
    1348 svchost.exe
    1672 C:\WINDOWS\explorer.exe
    1748 C:\Program Files\Online Armor\oacat.exe
    1780 C:\Program Files\Online Armor\oasrv.exe
     748 C:\WINDOWS\system32\spoolsv.exe
    2112 svchost.exe
    2344 C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    2852 C:\WINDOWS\system32\svchost.exe
    3164 wdfmgr.exe
    3376 C:\WINDOWS\system32\wuauclt.exe
    3512 C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    3788 C:\Program Files\AVG\AVG2012\avgnsx.exe
    3880 C:\Program Files\AVG\AVG2012\avgemcx.exe
    2588 alg.exe
    3276 C:\Program Files\AVG\AVG2012\avgtray.exe
    3340 C:\Program Files\Online Armor\oaui.exe
    4076 C:\Program Files\Online Armor\oahlp.exe
    2176 C:\WINDOWS\system32\svchost.exe
    1744 wmiprvse.exe
    4200 C:\Program Files\Internet Explorer\iexplore.exe
    4296 C:\Program Files\Internet Explorer\iexplore.exe
    5256 C:\Program Files\Internet Explorer\iexplore.exe
    5532 C:\Program Files\Internet Explorer\iexplore.exe
    2572 C:\Program Files\AVG\AVG2012\avgmfapx.exe
    2388 C:\Documents and Settings\Earl\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00  (NTFS)

PhysicalDrive0 Model Number: ST3808110AS, Rev: 3.ADH   

      Size  Device Name          MBR Status
  --------------------------------------------
     74 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
SuperDave
« Reply #33 on: February 03, 2012, 12:09:03 PM »

Now that the MBR code is repaired please update and run scans with SAS and MBAM and post the logs.
AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
earmic
« Reply #34 on: February 03, 2012, 05:23:54 PM »

Updated and ran SAS, then MBAM

Administrator

Memory items scanned      : 403
Memory threats detected   : 0
Registry items scanned    : 35444
Registry threats detected : 1
File items scanned        : 96553
File threats detected     : 51

Adware.SelectRebates
   C:\Program Files\SELECTREBATES\FFToolbar\chrome\sahtoolbar.jar
   C:\Program Files\SELECTREBATES\FFToolbar\chrome
   C:\Program Files\SELECTREBATES\FFToolbar\chrome.manifest
   C:\Program Files\SELECTREBATES\FFToolbar\defaults\preferences\sahtoolbar.js
   C:\Program Files\SELECTREBATES\FFToolbar\defaults\preferences
   C:\Program Files\SELECTREBATES\FFToolbar\defaults
   C:\Program Files\SELECTREBATES\FFToolbar\install.rdf
   C:\Program Files\SELECTREBATES\FFToolbar
   C:\Program Files\SELECTREBATES\SahImages\alert.png
   C:\Program Files\SELECTREBATES\SahImages\check.png
   C:\Program Files\SELECTREBATES\SahImages\close.png
   C:\Program Files\SELECTREBATES\SahImages
   C:\Program Files\SELECTREBATES\SelectAlerts.dat
   C:\Program Files\SELECTREBATES\SelectRebates.exe
   C:\Program Files\SELECTREBATES\SelectRebates.ini
   C:\Program Files\SELECTREBATES\SelectRebatesA.dat
   C:\Program Files\SELECTREBATES\SelectRebatesApi.exe
   C:\Program Files\SELECTREBATES\SelectRebatesB.dat
   C:\Program Files\SELECTREBATES\SelectRebatesBT.dat
   C:\Program Files\SELECTREBATES\SelectRebatesDownload.exe
   C:\Program Files\SELECTREBATES\SelectRebatesUninstall.exe
   C:\Program Files\SELECTREBATES\SRebates.dll
   C:\Program Files\SELECTREBATES\SRFF3.dll
   C:\Program Files\SELECTREBATES\Toolbar\AddtoList.bmp
   C:\Program Files\SELECTREBATES\Toolbar\basis.xml
   C:\Program Files\SELECTREBATES\Toolbar\Basis.xml.dym
   C:\Program Files\SELECTREBATES\Toolbar\Blank.bmp
   C:\Program Files\SELECTREBATES\Toolbar\Cache
   C:\Program Files\SELECTREBATES\Toolbar\CashBack.bmp
   C:\Program Files\SELECTREBATES\Toolbar\Coupons.bmp
   C:\Program Files\SELECTREBATES\Toolbar\GroceryCoupon.bmp
   C:\Program Files\SELECTREBATES\Toolbar\icons.bmp
   C:\Program Files\SELECTREBATES\Toolbar\ImageCache
   C:\Program Files\SELECTREBATES\Toolbar\i_magnifying.bmp
   C:\Program Files\SELECTREBATES\Toolbar\logo.bmp
   C:\Program Files\SELECTREBATES\Toolbar\logo_24.bmp
   C:\Program Files\SELECTREBATES\Toolbar\logo_HotSpots.bmp
   C:\Program Files\SELECTREBATES\Toolbar\ReviewSite.bmp
   C:\Program Files\SELECTREBATES\Toolbar\RightControls.dym
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-alert.bmp
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-go.bmp
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-grocerycoupons.bmp
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-icons.bmp
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-restaurant.bmp
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-wishlist.bmp
   C:\Program Files\SELECTREBATES\Toolbar\Scissors.bmp
   C:\Program Files\SELECTREBATES\Toolbar
   C:\Program Files\SELECTREBATES
   C:\WINDOWS\Prefetch\SELECTREBATES.EXE-072AFA89.pf
   C:\WINDOWS\Prefetch\SELECTREBATESDOWNLOAD.EXE-053B5128.pf

Adware.ShopAtHomeSelect
   HKU\S-1-5-21-2856773612-2364928292-2262524725-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}

Adware.CouponBar
   C:\WINDOWS\SYSTEM32\CPNPRT2.CID

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.03.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Earl :: D7SXQY91 [administrator]

2/3/2012 6:11:17 PM
mbam-log-2012-02-03 (18-11-17).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 270947
Time elapsed: 37 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
SuperDave
« Reply #35 on: February 03, 2012, 07:27:41 PM »

Thanks. How's your computer working now?
earmic
« Reply #36 on: February 04, 2012, 07:54:09 AM »

No real change.  This thing continues to make an appearance at random times.  You know, this computer isn't that far out of the box, it doesn't have any photos, files of any major concern, or anything that I can't afford to lose.  I have a WD backup that's been off now for 2 months so I know it's clean and it has got anything I might need on it.  This Dell has the "out of the box" option which will wipe the HD clean except the Windows XP I think. I've got to go back in and read about it again.  I used it when I inherited it to begin with.  I'm now beginning to think this might be the final solution.  If I wipe this clean and start it "right out of the box", except for the OS, will the malware/virus survive?  Does it hide there, among other places?  You are welcome to try a few other things, and I have plenty of time to do them.  But like I said, I don't depend on this machine every day for anything.
SuperDave
« Reply #37 on: February 04, 2012, 11:50:08 AM »

If you have nothing to lose, doing a Recovery would be the best option.
earmic
« Reply #38 on: February 04, 2012, 08:04:07 PM »

Okay, I'll give it a try... thanks
SuperDave
« Reply #39 on: February 05, 2012, 11:51:03 AM »

Quote from: earmic
Okay, I'll give it a try... thanks
Please let me know the results.
earmic
« Reply #40 on: February 10, 2012, 01:05:23 PM »

Dave,
  I wiped the drive and upgraded to Windows 7.  Reinstalled AVG, MBAM, SAS, Online Armor.  Everything normal, "been a week now, ain't been sick once."  Thanks, now that I have a disk, it'll be easier next time.
SuperDave
« Reply #41 on: February 10, 2012, 07:43:55 PM »

Quote from: earmic
Dave,
  I wiped the drive and upgraded to Windows 7.  Reinstalled AVG, MBAM, SAS, Online Armor.  Everything normal, "been a week now, ain't been sick once."  Thanks, now that I have a disk, it'll be easier next time.
You're welcome. You'll be happy with Windows 7. I will lock this thread. If you need it re-opened, please send me a pm.
Copyright © 2010 Computer Hope ® All rights reserved.