Topic: Infected Computer (Read 2900 times)
cking137
Topic Starter
Rookie
Posts: 11

« on: October 03, 2009, 10:08:51 AM »

I mentioned to a friend that my computer was so infected that it was difficult to use. It frequently freezes when trying to load web pages, programs run slowly, etc. It has gotten progressively worse and is now to the point where it is frustrating and difficult to use for the simplest tasks.

I'm in the process of following the malware removal help post and have made it through the step of running SuperAntiSpyware. The instructions say to post the scan log, so here I go.

Thank you in advance of any help you can provide!

Curtis

[attachment deleted by admin]
IP logged
harry 48
Egghead
Thanked: 128
Posts: 3,111
Experience: Familiar
OS: Windows 7

lay back, relax and chill out

« Reply #1 on: October 03, 2009, 01:30:03 PM »

Add all the logs to your first post, I'll remove this when you're finished.

http://diy-help.forumotion.co.uk/   D.I.Y. help forum

SuperDave
Malware Removal Specialist
Moderator
Prodigy
Thanked: 571
Posts: 6,550
Experience: Experienced
OS: Windows XP

« Reply #2 on: October 03, 2009, 06:12:52 PM »

Please copy and paste your logs instead of attaching them. It's much easier to read.

AMD Athlon XP 1900+ 1.47 GHz, 3 GB RAM, Windows XP Home with SP3, Microsoft Security Essentials, Spybot S&D, SuperAntiSpyware and ThreatFire with Comodo Firewall & Windows Defender
AK91K
Newbie
Posts: 1

« Reply #3 on: October 03, 2009, 08:48:24 PM »

Hey, I can help you with this, it's most probably not your computer being infected, but could possibly be. It can be sorted out with a utility program which will check your computer for errors and if you do not have a virus scan I can recommend a good free one.

All I ask in return is a thanks if the problem is solved, as I would like to get my rep up!
harry 48
Egghead
Thanked: 128
Posts: 3,111
Experience: Familiar
OS: Windows 7

« Reply #4 on: October 04, 2009, 08:10:01 AM »

Quote from: AK91K on October 03, 2009, 08:48:24 PM
Hey, I can help you with this, it's most probably not your computer being infected, but could possibly be. It can be sorted out with a utility program which will check your computer for errors and if you do not have a virus scan I can recommend a good free one.

All I ask in return is a thanks if the problem is solved, as I would like to get my rep up!

SuperDave is working with cking137, please do not try to help as well, it will only confuse, and asking for thanks is not a very nice thing to do just to get your figures up, you will be thanked if you earn it.

cking137
Topic Starter
Rookie
Posts: 11

« Reply #5 on: October 10, 2009, 11:13:21 AM »

The SuperAntiSpyware log is:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/01/2009 at 09:56 AM

Application Version : 4.29.1002

Core Rules Database Version : 4137
Trace Rules Database Version: 2069

Scan type       : Complete Scan
Total Scan Time : 08:59:13

Memory items scanned      : 364
Memory threats detected   : 0
Registry items scanned    : 4680
Registry threats detected : 33
File items scanned        : 136469
File threats detected     : 257

Adware.AdSponsor/ISM
   HKLM\Software\Classes\CLSID\{17BFCF1A-B579-48a7-9849-719DDD11D340}
   HKCR\CLSID\{17BFCF1A-B579-48A7-9849-719DDD11D340}
   HKCR\CLSID\{17BFCF1A-B579-48A7-9849-719DDD11D340}
   HKCR\CLSID\{17BFCF1A-B579-48A7-9849-719DDD11D340}\Implemented Categories
   HKCR\CLSID\{17BFCF1A-B579-48A7-9849-719DDD11D340}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
   HKCR\CLSID\{17BFCF1A-B579-48A7-9849-719DDD11D340}\InprocServer32
   HKCR\CLSID\{17BFCF1A-B579-48A7-9849-719DDD11D340}\InprocServer32#ThreadingModel
   HKCR\CLSID\{17BFCF1A-B579-48A7-9849-719DDD11D340}\ProgID
   HKCR\CLSID\{17BFCF1A-B579-48A7-9849-719DDD11D340}\VersionIndependentProgID
   HKCR\GrandBar.Band.1
   HKCR\GrandBar.Band
   C:\PROGRAM FILES\GRANDPACK\GRANDPACK2.DLL
   HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{17BFCF1A-B579-48a7-9849-719DDD11D340}

Adware.Vundo Variant
   HKLM\Software\Classes\CLSID\{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}
   HKCR\CLSID\{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}
   HKCR\CLSID\{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}\InprocServer32
   HKCR\CLSID\{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}\InprocServer32#ThreadingModel
   C:\WINDOWS\SYSTEM32\TUVUSTT.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}
   HKCR\CLSID\{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}

Trojan.WinFixer
   HKLM\Software\Classes\CLSID\{870C2829-88AB-4606-8C23-0A98795126B3}
   HKCR\CLSID\{870C2829-88AB-4606-8C23-0A98795126B3}
   HKCR\CLSID\{870C2829-88AB-4606-8C23-0A98795126B3}\InprocServer32
   HKCR\CLSID\{870C2829-88AB-4606-8C23-0A98795126B3}\InprocServer32#ThreadingModel
   C:\WINDOWS\SYSTEM32\SSQRO.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{870C2829-88AB-4606-8C23-0A98795126B3}
   HKU\S-1-5-21-2367804977-3653976795-2492523613-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{870C2829-88AB-4606-8C23-0A98795126B3}

Adware.Tracking Cookie

Trojan.ZenoSearch
   C:\WINDOWS\system32\msnav32.ax

Adware.Adservs
   C:\WINDOWS\system32\atmtd.dll._

Adware.Web Buying
   HKU\.DEFAULT\Software\WebBuying
   HKU\S-1-5-18\Software\WebBuying

Adware.Unclassified/Spruce
   HKU\.DEFAULT\Software\Spruce
   HKU\S-1-5-18\Software\Spruce

RootKit.TnCore/Trace
   C:\WINDOWS\system32\drivers\core.cache.dsk

Rogue.Installer/Trace
   C:\WINDOWS\Spyware Remover.ico
   C:\WINDOWS\Casino.ico
   C:\WINDOWS\Free Online Dating.ico

Adware.JavaCore/NoDNS
   C:\WINDOWS\system32\cs.dat
   C:\WINDOWS\system32\ps1.dat
   C:\WINDOWS\system32\rc.dat

Rogue.Component/Trace
   HKLM\Software\Microsoft\2C64EE46
   HKLM\Software\Microsoft\2C64EE46#2c64ee46
   HKLM\Software\Microsoft\2C64EE46#Version
   HKLM\Software\Microsoft\2C64EE46#2c6443c6
   HKLM\Software\Microsoft\2C64EE46#2c642a23

Adware.k8l
   C:\DOCUMENTS AND SETTINGS\TWOFOUR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\LQ2DGQ97\ACTDKPUBID72[1].HTM
   C:\PROGRAM FILES\WINDOWS NT\CEVEPRU.HTML

Adware.Vundo/Variant-Trace
   C:\WINDOWS\SYSTEM32\ACRSMNNP.INI
   C:\WINDOWS\SYSTEM32\AWTXKKVN.INI
   C:\WINDOWS\SYSTEM32\BVJLEEXN.INI
   C:\WINDOWS\SYSTEM32\DHFAIGCM.INI
   C:\WINDOWS\SYSTEM32\EBTXLMNG.INI
   C:\WINDOWS\SYSTEM32\FKBVIRYM.INI
   C:\WINDOWS\SYSTEM32\FXMTWLIC.INI
   C:\WINDOWS\SYSTEM32\GKNNERUE.INI
   C:\WINDOWS\SYSTEM32\QMJWWVEH.INI
   C:\WINDOWS\SYSTEM32\QUHMILII.INI
   C:\WINDOWS\SYSTEM32\TKUYMMFE.INI
   C:\WINDOWS\SYSTEM32\UULPTJPV.INI
   C:\WINDOWS\SYSTEM32\VWSHPELN.INI

Trojan.Agent/Gen-<NAME>
   C:\WINDOWS\SYSTEM32\DLLCACHE\WINHELP.EXE
   C:\WINDOWS\WINHELP.EXE

Adware.Vundo Variant/Rel
   C:\WINDOWS\SYSTEM32\MCRH.TMP
   C:\WINDOWS\SYSTEM32\ORQSS.INI
   C:\WINDOWS\SYSTEM32\ORQSS.INI2

Trojan.Unknown Origin
   C:\WINDOWS\SYSTEM32\WAPIISV.EXE
   C:\WINDOWS\UNIST1.HTM

Trojan.Downloader-Gen
   C:\WINDOWS\SYSTEM32\WINPFZ32.SYS

Adware.Unknown Origin
   C:\WINDOWS\SYSTEM32\ZXDNT3D.CFG

Unclassified.Unknown Origin/System
   C:\WINDOWS\UNINST2.HTM



The Malwarebytes log is:

Malwarebytes' Anti-Malware 1.39
Database version: 2546
Windows 5.1.2600 Service Pack 2

10/6/2009 7:08:16 PM
mbam-log-2009-10-06 (19-08-16).txt

Scan type: Quick Scan
Objects scanned: 180280
Time elapsed: 1 hour(s), 32 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 52

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WinAble (Trojan.Adloader) -> Not selected for removal.

Files Infected:
c:\WINDOWS\system32\cont_globaladsolution-remove.exe (Adware.Agent) -> Not selected for removal.
C:\WINDOWS\system32\bb1.dat (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Not selected for removal.
C:\WINDOWS\system32\din.ip (Malware.Trace) -> Not selected for removal.
C:\WINDOWS\system32\alog.txt (Stolen.data) -> Not selected for removal.
C:\WINDOWS\system32\drivers\blank.gif (Malware.Trace) -> Not selected for removal.
C:\WINDOWS\system32\drivers\box_2.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\button_buynow.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\button_freescan.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cell_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cell_footer.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cell_header_block.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cell_header_remove.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cell_header_scan.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\detect.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\download_btn.jpg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\download_now_btn.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\footer_back.jpg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_1.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_2.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_3.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_4.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_red_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_red_free_scan.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\infected.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\main_back.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\product_2_header.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\product_2_name_small.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\product_features.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\pt.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\rating.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\s_detect.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\screenshot.jpg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\sep_hor.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\sep_vert.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\shadow.jpg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\shadow_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\spacer.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\star.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\star_gray.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\star_gray_small.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\star_small.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\style.css (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\v.gif (Malware.Trace) -> Not selected for removal.
C:\WINDOWS\system32\drivers\warning_icon.gif (Malware.Trace) -> Not selected for removal.
C:\WINDOWS\system32\drivers\win_logo.gif (Malware.Trace) -> Not selected for removal.
C:\WINDOWS\system32\drivers\x.gif (Malware.Trace) -> Not selected for removal.
C:\WINDOWS\system32\sznf.ascii (Fake.Dropped.Malware) -> Not selected for removal.
C:\WINDOWS\system32\dpqaqlqx.bin (Fake.Dropped.Malware) -> Not selected for removal.
C:\WINDOWS\system32\jpewocmz.ini (Fake.Dropped.Malware) -> Not selected for removal.
cking137
Topic Starter
Rookie
Posts: 11

« Reply #6 on: October 10, 2009, 11:32:11 AM »

And here is the HijackThis log file. The instructions say to give details, but I'm not sure what kind of details to give. I got a couple of errors when running the Malwarebytes program when I chose to remove the infected components. The system would error out early on. So I ran it again, told it not to remove the first 10, and it was able to remove all the others. So there is something on there causing that program to bomb.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:02 AM, on 10/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0A8C4B80-A71B-453D-B016-0C1BA8FA13B0} - C:\WINDOWS\system32\ljJYSjGW.dll (file missing)
O2 - BHO: (no name) - {3A3BFC98-2747-4877-B8FC-F5A38F35F6F2} - C:\WINDOWS\system32\qoMccdbY.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {776dbb37-f521-4657-ad7d-05d6fe3a2275} - C:\WINDOWS\system32\orebfpt.dll (file missing)
O2 - BHO: (no name) - {A47EA377-C488-46B0-AAAF-92C6C4DF14DB} - C:\WINDOWS\system32\xxyXNFxw.dll (file missing)
O2 - BHO: (no name) - {BD7D3443-D5FC-4B21-9AD6-3F4FFF854CC6} - C:\WINDOWS\system32\iiffCSkL.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F2B0B442-46BA-46B6-98EC-388EF7F264AC} - C:\WINDOWS\system32\jkkKbBsR.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225251068921
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: iSecurity.cpl umqasn.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvustt - tuvustt.dll (file missing)
O21 - SSODL: ServiceCD - {79bf11d5-9b71-4097-b916-a44de24573d0} - C:\WINDOWS\Installer\{79bf11d5-9b71-4097-b916-a44de24573d0}\ServiceCD.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6123 bytes
SuperDave
Malware Removal Specialist
Moderator
« Reply #7 on: October 10, 2009, 12:56:58 PM »

Hello cking137. Could you please run MBAM again to see if it will quarantine the ones that were not selected the first time. If it quarantines them, please post the log and also a new HJT log.
cking137
Topic Starter
« Reply #8 on: October 11, 2009, 12:38:07 AM »

It bombed again when I ran the Malwarebytes.  Here are the 13 files it found infected:

C:\WINDOWS\system32\cont_globaladsolution-remove.exe
C:\WINDOWS\system32\bb1.dat
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\ipewocmz.ini
SuperDave
Malware Removal Specialist
Moderator
« Reply #9 on: October 11, 2009, 10:01:04 AM »

Hello cking137. Could you try renaming MBAM.exe to something else and then run it again? Just go to your C drive, Program Files, Malwarebytes-Antimalware and rename the mbam.exe file. If that doesn't work, try running it in Safe Mode. Tap F8 while rebooting and select safe mode.
cking137
Topic Starter
« Reply #10 on: October 12, 2009, 11:30:16 PM »

Okay, it finally worked in safe mode.  Below is the most recent log file.  Also, I'm curious if there is a way to get the service packs I don't have?  I bought my computer used from my work and they didn't give me a Windows CD or anything.  So now when I try to install the updates, I get an error when it tries to install.

Here is the log file:

Malwarebytes' Anti-Malware 1.39
Database version: 2546
Windows 5.1.2600 Service Pack 2

10/12/2009 11:23:04 PM
mbam-log-2009-10-12 (23-23-04).txt

Scan type: Quick Scan
Objects scanned: 186706
Time elapsed: 16 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cont_globaladsolution-remove.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bb1.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\din.ip (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\alog.txt (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\blank.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\v.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\warning_icon.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\win_logo.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\x.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sznf.ascii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpqaqlqx.bin (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jpewocmz.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
SuperDave
Malware Removal Specialist
Moderator
« Reply #11 on: October 13, 2009, 05:02:03 PM »

Hello cking137. It looks like MBAM got those last 10 items. Can you boot in Normal mode? If so, can you run another SAS and HJT and paste the logs here? Also, run another MBAM in Normal mode. If it comes up with something else found, please paste that log also.
cking137
Topic Starter
« Reply #12 on: October 18, 2009, 02:00:39 AM »

Here are the SAS and HJT log files:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/17/2009 at 11:45 AM

Application Version : 4.29.1004

Core Rules Database Version : 4137
Trace Rules Database Version: 2069

Scan type       : Complete Scan
Total Scan Time : 08:59:56

Memory items scanned      : 353
Memory threats detected   : 0
Registry items scanned    : 4678
Registry threats detected : 0
File items scanned        : 164352
File threats detected     : 52

Adware.Tracking Cookie
   C:\Documents and Settings\Friends\Cookies\friends@richmedia.yahoo[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@imrworldwide[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@ads.nicoclub[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@oasn04.247realmedia[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@specificmedia[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@burstbeacon[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@content.yieldmanager[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@ad.yieldmanager[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@advertising[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@media.photobucket[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@sexycelebritygallery[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@sweetnakedcelebrities[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@burstnet[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@cdn4.specificclick[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@www.burstnet[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@doubleclick[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@media6degrees[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@2o7[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@realmedia[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@vip.clickzs[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@adbrite[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@www.burstbeacon[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@chitika[2].txt
   C:\Documents and Settings\Friends\Cookies\friends@247realmedia[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@content.yieldmanager[3].txt
   C:\Documents and Settings\Friends\Cookies\friends@atdmt[1].txt
   C:\Documents and Settings\Friends\Cookies\friends@specificclick[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@247realmedia[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@ad.yieldmanager[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@adbrite[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@ads.icorp[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@ads.nicoclub[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@atdmt[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@burstnet[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@cdn4.specificclick[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@chitika[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@content.yieldmanager[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@content.yieldmanager[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@doubleclick[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@imrworldwide[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@lfstmedia[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@media.photobucket[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@media6degrees[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@oasn04.247realmedia[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@sexycelebritygallery[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@specificclick[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@specificmedia[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@sweetnakedcelebrities[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@vip.clickzs[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\friends@www.burstnet[1].txt

Trojan.Unknown Origin
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{65F21555-D0D4-4A18-A3DE-35FA8DD51540}\RP696\A0091013.EXE

Adware.Unknown Origin
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{65F21555-D0D4-4A18-A3DE-35FA8DD51540}\RP696\A0091015.CFG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:35 AM, on 10/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0A8C4B80-A71B-453D-B016-0C1BA8FA13B0} - C:\WINDOWS\system32\ljJYSjGW.dll (file missing)
O2 - BHO: (no name) - {3A3BFC98-2747-4877-B8FC-F5A38F35F6F2} - C:\WINDOWS\system32\qoMccdbY.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {776dbb37-f521-4657-ad7d-05d6fe3a2275} - C:\WINDOWS\system32\orebfpt.dll (file missing)
O2 - BHO: (no name) - {A47EA377-C488-46B0-AAAF-92C6C4DF14DB} - C:\WINDOWS\system32\xxyXNFxw.dll (file missing)
O2 - BHO: (no name) - {BD7D3443-D5FC-4B21-9AD6-3F4FFF854CC6} - C:\WINDOWS\system32\iiffCSkL.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F2B0B442-46BA-46B6-98EC-388EF7F264AC} - C:\WINDOWS\system32\jkkKbBsR.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225251068921
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: iSecurity.cpl umqasn.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvustt - tuvustt.dll (file missing)
O21 - SSODL: ServiceCD - {79bf11d5-9b71-4097-b916-a44de24573d0} - C:\WINDOWS\Installer\{79bf11d5-9b71-4097-b916-a44de24573d0}\ServiceCD.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6078 bytes
SuperDave
Malware Removal Specialist
Moderator
« Reply #13 on: October 18, 2009, 01:19:19 PM »

Hello cking. Were you able to run MBAM in Normal Mode?
I would like you to do this:

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries (if there):

• o2 - bho: (no name) - {02478d38-c3f9-4efb-9b51-7695eca05670} - (no file)
• o2 - bho: (no name) - {0a8c4b80-a71b-453d-b016-0c1ba8fa13b0} - c:\windows\system32\ljjysjgw.dll (file missing)
• o2 - bho: (no name) - {3a3bfc98-2747-4877-b8fc-f5a38f35f6f2} - c:\windows\system32\qomccdby.dll (file missing)
• o2 - bho: (no name) - {776dbb37-f521-4657-ad7d-05d6fe3a2275} - c:\windows\system32\orebfpt.dll (file missing)
• o2 - bho: (no name) - {a47ea377-c488-46b0-aaaf-92c6c4df14db} - c:\windows\system32\xxyxnfxw.dll (file missing)
• o2 - bho: (no name) - {bd7d3443-d5fc-4b21-9ad6-3f4fff854cc6} - c:\windows\system32\iiffcskl.dll (file missing)
• o2 - bho: (no name) - {f2b0b442-46ba-46b6-98ec-388ef7f264ac} - c:\windows\system32\jkkkbbsr.dll (file missing)
• o3 - toolbar: (no name) - {0bf43445-2f28-4351-9252-17fe6e806aa0} - (no file)
• o20 - winlogon notify: tuvustt - tuvustt.dll (file missing)
• o21 - ssodl: servicecd - {79bf11d5-9b71-4097-b916-a44de24573d0} - c:\windows\installer\{79bf11d5-9b71-4097-b916-a44de24573d0}\servicecd.dll (file missing)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

How is your computer running now?
Please post another HJT log after you do the above.
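The "Fix checked" list in Reply #13 follows one rule: an O2 (BHO), O3 (toolbar), O20 Winlogon Notify or O21 SSODL entry whose DLL HijackThis reports as "(file missing)" or "(no file)" is a registry load point with no code left behind it, so removing it only deletes a dead registration. The script below is an added example, not anything from the thread or from HijackThis; it applies that rule to lines copied from the HJT log in Reply #12 and checks a follow-up log for entries that survived the fix.

```python
"""Triage a Trend Micro HijackThis v2 log for orphaned load points.

Added example, not part of the thread and not HijackThis code. It encodes the
rule behind the "Fix checked" list in Reply #13: O2/O3/O20/O21 entries whose
DLL is reported "(file missing)" or "(no file)" are dead registry hooks.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# HJT sections that register a DLL Windows or Internet Explorer will load.
LOAD_POINT_SECTIONS = {"O2", "O3", "O20", "O21"}
# Suffixes HJT appends when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Every R*/O* finding in an HJT log has the shape "<section> - <body>".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass(frozen=True)
class HjtEntry:
    section: str
    body: str

    @property
    def orphaned(self) -> bool:
        return self.body.rstrip().endswith(ORPHAN_MARKERS)

    @property
    def guid(self) -> Optional[str]:
        # First CLSID on the line (O21 lines carry the same GUID twice).
        m = GUID_RE.search(self.body)
        return m.group(0).upper() if m else None


def parse_hjt(text: str) -> List[HjtEntry]:
    """Return the R*/O* findings; header and 'Running processes' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group("sec"), m.group("body")))
    return entries


def orphaned_load_points(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries a helper would tick for 'Fix checked': load points with no file behind them."""
    return [e for e in entries if e.section in LOAD_POINT_SECTIONS and e.orphaned]


def still_present(flagged: List[HjtEntry], follow_up_log: str) -> List[HjtEntry]:
    """Check the post-fix HJT log Reply #13 asks for: flagged entries that survived."""
    after = set(parse_hjt(follow_up_log))
    return [e for e in flagged if e in after]


# Constructed sample: a subset of the lines posted in Reply #12 of the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0A8C4B80-A71B-453D-B016-0C1BA8FA13B0} - C:\WINDOWS\system32\ljJYSjGW.dll (file missing)
O2 - BHO: (no name) - {3A3BFC98-2747-4877-B8FC-F5A38F35F6F2} - C:\WINDOWS\system32\qoMccdbY.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {776dbb37-f521-4657-ad7d-05d6fe3a2275} - C:\WINDOWS\system32\orebfpt.dll (file missing)
O2 - BHO: (no name) - {A47EA377-C488-46B0-AAAF-92C6C4DF14DB} - C:\WINDOWS\system32\xxyXNFxw.dll (file missing)
O2 - BHO: (no name) - {BD7D3443-D5FC-4B21-9AD6-3F4FFF854CC6} - C:\WINDOWS\system32\iiffCSkL.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {F2B0B442-46BA-46B6-98EC-388EF7F264AC} - C:\WINDOWS\system32\jkkKbBsR.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O20 - AppInit_DLLs: iSecurity.cpl umqasn.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvustt - tuvustt.dll (file missing)
O21 - SSODL: ServiceCD - {79bf11d5-9b71-4097-b916-a44de24573d0} - C:\WINDOWS\Installer\{79bf11d5-9b71-4097-b916-a44de24573d0}\ServiceCD.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


def main() -> None:
    flagged = orphaned_load_points(parse_hjt(SAMPLE_LOG))
    print(f"{len(flagged)} orphaned load point(s) to tick in HijackThis:")
    for e in flagged:
        print(f"  {e.section} - {e.body}")


if __name__ == "__main__":
    main()
```

Run against the sample it lists the same ten entries the helper named; feeding the Reply #14 log to `still_present` is how you confirm the fix took.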
cking137
Topic Starter
« Reply #14 on: October 20, 2009, 11:35:26 PM »

I did as you instructed in HJT, please see the new log file below.  The computer seems to be running a little better, but still seems slower than it should be.  I'll keep an eye on it over the next couple days and let you know how it goes.

I'm still unable to install the Microsoft updates that are recommended - service packs, etc.  The computer was purchased from my work and they didn't give me the Windows software.  Is there any legal way you know I could get the updates?

Thank you for all your help!
Curtis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:55 PM, on 10/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225251068921
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: iSecurity.cpl umqasn.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5006 bytes
SuperDave
Malware Removal Specialist
Moderator
« Reply #15 on: October 21, 2009, 05:48:10 PM »

Hello cking137. Could you please do this for me:

Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1
Link # 2

Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
cking137
Topic Starter
« Reply #16 on: November 03, 2009, 03:22:54 PM »

The computer is still running very slow over the last couple of weeks.  I tried to copy some pictures from a CD to my hard drive, for example, and it was very slow to even copy the 93 picture files on the CD.  Here are the log files from ComboFix and HJT:

ComboFix 09-11-03.01 - Friends 11/03/2009 19:42.1.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.510.261 [GMT -7:00]
Running from: c:\documents and settings\Friends\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1390067357-1637723038-839522115-1004
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tn3
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\LkSCffii.ini
c:\windows\system32\LkSCffii.ini2
c:\windows\system32\OpYaIRqr.ini
c:\windows\system32\RsBbKkkj.ini
c:\windows\system32\RsBbKkkj.ini2
c:\windows\system32\tb.dr
c:\windows\system32\WGjSYJjl.ini
c:\windows\system32\WGjSYJjl.ini2
c:\windows\system32\wxFNXyxx.ini
c:\windows\system32\wxFNXyxx.ini2
c:\windows\system32\YbdccMoq.ini
c:\windows\system32\YbdccMoq.ini2
c:\windows\system32\z1
c:\windows\Tasks\kfejtccz.job

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE


(((((((((((((((((((((((((   Files Created from 2009-10-04 to 2009-11-04  )))))))))))))))))))))))))))))))
.

2009-10-10 17:29 . 2009-10-10 17:29   --------   d-----w-   c:\program files\Trend Micro

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-17 08:44 . 2009-10-01 05:08   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-10-12 04:46 . 2009-08-02 16:25   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-10-10 17:21 . 2008-03-14 07:15   --------   d-----w-   c:\program files\Java
2009-10-01 05:09 . 2009-10-01 05:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-01 05:08 . 2009-10-01 05:08   --------   d-----w-   c:\documents and settings\Friends\Application Data\SUPERAntiSpyware.com
2009-10-01 05:08 . 2009-10-01 05:08   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-09-29 06:23 . 2009-09-29 06:23   --------   d-----w-   c:\program files\CCleaner
2009-09-26 02:17 . 2008-04-04 00:05   --------   d-----w-   c:\documents and settings\Friends\Application Data\Yahoo!
2009-09-26 02:17 . 2007-12-30 17:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-26 02:12 . 2006-07-28 19:00   --------   d-----w-   c:\program files\Common Files\InstallShield
2009-09-26 02:12 . 2006-07-28 19:00   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-08-23 16:38 . 2006-07-28 18:38   68512   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-03 03:45   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/2/2009 8:45 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/2/2009 8:45 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 10:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 10:42 AM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/2/2009 8:44 PM 297752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 10:42 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 20:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81DDEE40]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x81ddee40
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x81e1b800
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x04A891C1
malicious code @ sector 0x04A891C4 !
PE file found in sector at 0x04A891DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-11-04 20:13 - machine was rebooted
ComboFix-quarantined-files.txt  2009-11-04 03:13

Pre-Run: 2,089,771,008 bytes free
Post-Run: 3,389,628,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:30 PM, on 11/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225251068921
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4824 bytes
evilfantasy
Malware Removal Specialist
« Reply #17 on: November 03, 2009, 03:42:27 PM »

Quote from: cking137
The computer is still running very slow over the last couple weeks.  I tried to copy some pictures from a CD to my hard drive, for example, and it was very slow to even copy the 93 picture files on the CD.  Here are the log files from Combofix and HJT:

You need to keep replying until given the all clear. It's been over a week and you still had a bunch of malware to be removed and there is still more.

SuperDave will be along with new instructions.
SuperDave
Malware Removal Specialist
« Reply #18 on: November 04, 2009, 04:28:37 PM »

Hello cking137 and welcome back. Could you please do this:

Download the MBR Rootkit Detector to your desktop.

* Double-click mbr.exe and follow the prompts.
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log file to your next reply.

Now delete the current mbr.log file from the desktop and then follow the below instructions.

Go to Start > Run then copy and paste the following red text into the Open field:

"%userprofile%\desktop\mbr.exe" -f

Next, double click on the mbr.exe file and post the contents of the new mbr.log
AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
cking137
Topic Starter
« Reply #19 on: November 04, 2009, 11:27:12 PM »

Sorry for my slow reply.  I'll be on top of things from now on.  Here is the first mbr log file:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x81dd1e40
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x81e0e800
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x04A891C1
malicious code @ sector 0x04A891C4 !
PE file found in sector at 0x04A891DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


And here is the log file from the second run:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x81dd1e40
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x81e0e800
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x04A891C1
malicious code @ sector 0x04A891C4 !
PE file found in sector at 0x04A891DA !
Use "Recovery Console" command "fixmbr" to clear infection !

evilfantasy
Malware Removal Specialist
« Reply #20 on: November 05, 2009, 08:01:13 AM »

Be sure you have deleted all MBR logs.

Go to Start > Run then copy and paste the following red text into the Open field:

"%userprofile%\desktop\mbr.exe" -f

Next, double click on the mbr.exe file and post the contents of the new mbr.log
cking137
Topic Starter
« Reply #21 on: November 06, 2009, 03:28:12 PM »

I deleted the old mbr log file before running the code, but I guess it didn't work.  So I tried deleting and clearing my Recycle Bin then re-running MBR.  Here is the log file:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A891C1
malicious code @ sector 0x04A891C4 !
PE file found in sector at 0x04A891DA !
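Added example, not code from any post in this thread and not part of Gmer's tooling: a small Python parser that pulls the hook list, the user/kernel MBR comparison and the sector findings out of an mbr.exe log and reduces each run to one verdict, fed with the first and last logs posted above (header lines trimmed). The verdict names are my own.

```python
"""Triage helper for the log written by Gmer's mbr.exe (Stealth MBR rootkit detector).

Added example for this thread, not code from the thread or from Gmer. The
verdict names below are mine, not anything mbr.exe itself prints.
"""
import re

# "<target> -> 0x<addr>"; the NDIS line carries two arrows and the lazy match
# keeps everything before the last one as the target.
HOOK_RE = re.compile(r"^(?P<target>.+?) -> (?P<addr>0x[0-9A-Fa-f]+)\s*$")
# "found in sector 0x..", "@ sector 0x..", "in sector at 0x.."
SECTOR_RE = re.compile(r"sector(?: at)? 0x([0-9A-Fa-f]+)")


def parse_mbr_log(text):
    """Return the facts one mbr.exe run reports."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    hooks, in_hooks = [], False
    for ln in lines:
        if ln.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif in_hooks:
            m = HOOK_RE.match(ln)
            if m:
                hooks.append((m.group("target"), int(m.group("addr"), 16)))
            else:
                in_hooks = False  # the hook list ends at the first non-hook line
    return {
        "hooks": hooks,
        "mbr_ok": "user & kernel MBR OK" in lines,
        "flagged": any(ln.startswith("MBR rootkit infection detected") for ln in lines),
        "sectors": [int(s, 16) for s in SECTOR_RE.findall(text)],
    }


def triage(report):
    """Collapse one parsed run into a single verdict."""
    if report["flagged"] or (report["hooks"] and not report["mbr_ok"]):
        return "ACTIVE"        # the live MBR differs between user and kernel view
    if report["hooks"]:
        return "HOOKS_REMAIN"  # MBR reads identical but driver hooks are still listed
    if report["mbr_ok"] and report["sectors"]:
        return "RESIDUE_ONLY"  # MBR clean; an old copy/PE still sits in later sectors
    return "CLEAN"


# First and last runs pasted in the thread, header lines trimmed.
RUN1 = r"""detected MBR rootkit hooks:
\Driver\ACPI -> 0x81dd1e40
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x81e0e800
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x04A891C1
malicious code @ sector 0x04A891C4 !
PE file found in sector at 0x04A891DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix."""

RUN3 = r"""user & kernel MBR OK
copy of MBR has been found in sector 0x04A891C1
malicious code @ sector 0x04A891C4 !
PE file found in sector at 0x04A891DA !"""
```

`triage(parse_mbr_log(RUN1))` gives `ACTIVE` and the same call on `RUN3` gives `RESIDUE_ONLY`, which is the state the later posts in this thread weigh up.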
evilfantasy
Malware Removal Specialist
« Reply #22 on: November 06, 2009, 05:44:26 PM »

I'm beginning to think this is a false positive but we need to make sure.

Run the F-Secure Online Scanner for Viruses, Spyware and RootKits.

Note: This Scanner is for Internet Explorer Only!

  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
cking137
Topic Starter
« Reply #23 on: November 07, 2009, 12:20:32 PM »

Here is the F-Secure Online Scanner report:

Scanning Report
Saturday, November 7, 2009 09:12:14 - 12:22:42
Computer name: HOME-DCDCF07B92
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\


--------------------------------------------------------------------------------

6 malware found
TrackingCookie.2o7 (spyware)
System (Disinfected)
TrackingCookie.Atdmt (spyware)
System (Disinfected)
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
TrackingCookie.Mediaplex (spyware)
System (Disinfected)
TrackingCookie.Atwola (spyware)
System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 55545
System: 3212
Not scanned: 6
Actions:
Disinfected: 6
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

--------------------------------------------------------------------------------

evilfantasy
Malware Removal Specialist
« Reply #24 on: November 07, 2009, 03:46:09 PM »

How is the computer running now?

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.