
Topic: Virus on desktop


hey101

    Topic Starter
    Virus on desktop
    « on: January 08, 2011, 11:59:27 AM »
    I have a virus on my desktop. I've run scans with SUPERAntiSpyware and Avast and both have removed everything they found.

    Hijackthis log:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:55:51 PM, on 1/8/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\TeamViewer\Version5\TeamViewer.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hijack\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb&sysid=2
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb&sysid=2
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb&sysid=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: MediaBar - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\PROGRA~1\IMESHA~1\MediaBar\ToolBar\iMeshMediaBarDx.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: ShopAtHomeIEHelper - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: LimeWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: ShopAtHome Toolbar - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
    O3 - Toolbar: MediaBar - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\PROGRA~1\IMESHA~1\MediaBar\ToolBar\iMeshMediaBarDx.dll
    O3 - Toolbar: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_4-2-1.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Filter hijack: text/html - {154bff7d-e634-4040-8512-30cb4295b7b7} - C:\WINDOWS\batmeter16.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\IMESHA~1\MediaBar\Datamngr\datamngr.dll C:\PROGRA~1\IMESHA~1\MediaBar\Datamngr\IEBHO.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: gebca - Invalid registry found
    O20 - Winlogon Notify: __c00C046 - Invalid registry found
    O20 - Winlogon Notify: __c00C1C32 - Invalid registry found
    O20 - Winlogon Notify: __c00D78A - Invalid registry found
    O20 - Winlogon Notify: __c00E1071 - Invalid registry found
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 10642 bytes
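The HijackThis log above is what the helpers in this thread triage by eye: a proxy pointed at a local port, an O18 text/html filter DLL sitting in the Windows directory, Winlogon Notify packages reported as invalid, AppInit_DLLs, startup items under the SYSTEM profile, and services whose binary is missing. The following script is an added example, not part of the thread and not HijackThis's own code; it applies those same checks to a handful of lines copied from the log. The `EXPECTED_HOSTS` allowlist and all function names are this example's own choices, and the output is a list of entries to review, not a verdict.

```python
"""Triage the R0/R1, O4, O18, O20 and O23 entries of a HijackThis log.

Added example: the rules encode indicators that are visible in the log
posted in this thread. Hosts in EXPECTED_HOSTS are a constructed allowlist
of home/search pages the owner recognises; anything else is surfaced for a
human to look at, not declared malicious.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

EXPECTED_HOSTS = ("yahoo.com", "google.com", "msn.com", "microsoft.com")


@dataclass
class Finding:
    section: str   # HijackThis section prefix, e.g. "O18"
    reason: str    # why the entry deserves a second look
    line: str      # the log line, verbatim


# Every HijackThis entry starts with a section code, a dash and the body.
_ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")


def _host_expected(url):
    host = urlsplit(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_HOSTS)


def _check(sec, body):
    """Return a reason string if the entry is worth reviewing, else None."""
    if sec in ("R0", "R1"):
        # A proxy on 127.0.0.1 means something on this host sits between
        # the browser and the network.
        if "ProxyServer" in body and re.search(r"\b127\.0\.0\.1:\d+", body):
            return "browser proxy points at a local port: traffic is intercepted on this host"
        m = re.search(r"=\s*(https?://\S+)", body)
        if m and not _host_expected(m.group(1)):
            return "start/search page set to an unexpected host"
    elif sec == "O4" and re.search(r"\(User '(SYSTEM|Default user)'\)", body):
        return "autostart under the SYSTEM or Default profile, not a normal per-user install"
    elif sec == "O18" and body.startswith("Filter hijack:"):
        return "MIME filter hijack: a DLL is inserted into every page the browser renders"
    elif sec == "O20":
        if body.startswith("AppInit_DLLs:"):
            return "AppInit_DLLs loads these DLLs into every user-mode process"
        if "Invalid registry found" in body:
            return "Winlogon Notify package with no valid DLL: leftover or hidden loader"
    elif sec == "O23" and body.endswith("(file missing)"):
        return "service registered but its binary is gone: orphan to clean up"
    return None


def triage(log_text):
    """Parse a HijackThis log and return the entries that need review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        reason = _check(m.group("sec"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("sec"), reason, line))
    return findings


# Sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb&sysid=2
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
O18 - Filter hijack: text/html - {154bff7d-e634-4040-8512-30cb4295b7b7} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: C:\PROGRA~1\IMESHA~1\MediaBar\Datamngr\datamngr.dll C:\PROGRA~1\IMESHA~1\MediaBar\Datamngr\IEBHO.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: __c00C046 - Invalid registry found
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run as-is it prints seven entries: the two search/proxy hijacks, the SYSTEM-profile startup item, the O18 filter, both O20 entries and the orphaned service; the Yahoo SearchURL, the Avast autostart, the SUPERAntiSpyware Winlogon package and the Avast service are left alone.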

    Allan

    • Moderator

    Re: Virus on desktop
    « Reply #1 on: January 08, 2011, 12:00:16 PM »
    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    hey101

      Topic Starter
      Re: Virus on desktop
      « Reply #2 on: January 08, 2011, 12:02:12 PM »
      Superantispyware log:
      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 01/07/2011 at 02:57 AM

      Application Version : 4.36.1006

      Core Rules Database Version : 4921
      Trace Rules Database Version: 2733

      Scan type       : Complete Scan
      Total Scan Time : 04:36:28

      Memory items scanned      : 527
      Memory threats detected   : 1
      Registry items scanned    : 6638
      Registry threats detected : 24
      File items scanned        : 211260
      File threats detected     : 117

      System.RegistryEditorDisabled
         HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System#DisableRegistryTools

      Adware.ShopAtHome/SelectRebates
         C:\PROGRAM FILES\SELECTREBATES\SELECTREBATES.EXE
         C:\PROGRAM FILES\SELECTREBATES\SELECTREBATES.EXE
         [SelectRebates] C:\PROGRAM FILES\SELECTREBATES\SELECTREBATES.EXE
         C:\WINDOWS\Prefetch\SELECTREBATES.EXE-072AFA89.pf

      Adware.ShopAtHomeSelect
         HKLM\Software\Classes\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}
         HKCR\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
         HKCR\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
         HKCR\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}\InprocServer32
         HKCR\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}\InprocServer32#ThreadingModel
         HKCR\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}\ProgID
         HKCR\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}\Programmable
         HKCR\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}\TypeLib
         HKCR\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}\VersionIndependentProgID
         HKCR\ToolBand.ShopAtHomeIEHelper.1
         HKCR\ToolBand.ShopAtHomeIEHelper.1\CLSID
         HKCR\ToolBand.ShopAtHomeIEHelper
         HKCR\ToolBand.ShopAtHomeIEHelper\CLSID
         HKCR\ToolBand.ShopAtHomeIEHelper\CurVer
         HKCR\TypeLib\{462E4AEC-DB3B-4e69-AF61-4F300D76255C}
         HKCR\TypeLib\{462E4AEC-DB3B-4e69-AF61-4F300D76255C}\1.0
         HKCR\TypeLib\{462E4AEC-DB3B-4e69-AF61-4F300D76255C}\1.0\0
         HKCR\TypeLib\{462E4AEC-DB3B-4e69-AF61-4F300D76255C}\1.0\0\win32
         HKCR\TypeLib\{462E4AEC-DB3B-4e69-AF61-4F300D76255C}\1.0\FLAGS
         HKCR\TypeLib\{462E4AEC-DB3B-4e69-AF61-4F300D76255C}\1.0\HELPDIR
         C:\PROGRAM FILES\SELECTREBATES\TOOLBAR\SHOPATHOMETOOLBAR.DLL
         HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}
         HKU\S-1-5-21-783998294-3702633765-3802052048-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}

      Adware.Tracking Cookie
         C:\Documents and Settings\Dad\Cookies\dad@media6degrees[1].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\dad@zedo[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@questionmarket[1].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
         C:\Documents and Settings\Dad\Cookies\dad@advertising[1].txt
         C:\Documents and Settings\Dad\Cookies\dad@invitemedia[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
         C:\Documents and Settings\Dad\Cookies\dad@mediaplex[1].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\dad@clickboothlnk[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@revsci[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@casalemedia[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\dad@doubleclick[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
         C:\Documents and Settings\Dad\Cookies\dad@amex-insights[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\dad@1070896599[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@findmydegree[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\dad@tacoda[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@yieldmanager[1].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
         C:\Documents and Settings\Dad\Cookies\dad@adbrite[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@trafficmp[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@realmedia[1].txt
         C:\Documents and Settings\Dad\Cookies\dad@31554726[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@qksrv[1].txt
         C:\Documents and Settings\Dad\Cookies\dad@2o7[1].txt
         C:\Documents and Settings\Dad\Cookies\dad@pointroll[1].txt
         C:\Documents and Settings\Dad\Cookies\dad@myroitracking[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@advertisefirst[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@interclick[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\dad@bannertgt[1].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\dad@burstnet[1].txt
         C:\Documents and Settings\Dad\Cookies\dad@collective-media[1].txt
         C:\Documents and Settings\Dad\Cookies\dad@adecn[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\dad@serving-sys[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
         C:\Documents and Settings\Dad\Cookies\dad@fastclick[1].txt
         C:\Documents and Settings\Dad\Cookies\dad@overture[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
         C:\Documents and Settings\Dad\Cookies\dad@apmebf[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@atdmt[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
         C:\Documents and Settings\Dad\Cookies\dad@couponmountain[1].txt
         C:\Documents and Settings\Dad\Cookies\dad@adinterax[1].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
         C:\Documents and Settings\Dad\Cookies\dad@clicksor[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\dad@ak[2].txt
         C:\Documents and Settings\Dad\Cookies\dad@ru4[2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
         C:\Documents and Settings\Dad\Cookies\dad@tribalfusion[1].txt
         C:\Documents and Settings\Dad\Cookies\dad@*censored*[1].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
         C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
         C:\Documents and Settings\Dad\Cookies\dad@harrenmedianetwork[1].txt
         C:\Documents and Settings\Dad\Cookies\dad@cgi-bin[2].txt

      Adware.SelectRebates
         C:\Program Files\SELECTREBATES\FFToolbar\chrome\sahtoolbar.jar
         C:\Program Files\SELECTREBATES\FFToolbar\chrome
         C:\Program Files\SELECTREBATES\FFToolbar\chrome.manifest
         C:\Program Files\SELECTREBATES\FFToolbar\defaults\preferences\sahtoolbar.js
         C:\Program Files\SELECTREBATES\FFToolbar\defaults\preferences
         C:\Program Files\SELECTREBATES\FFToolbar\defaults
         C:\Program Files\SELECTREBATES\FFToolbar\install.rdf
         C:\Program Files\SELECTREBATES\FFToolbar
         C:\Program Files\SELECTREBATES\SahImages\alert.png
         C:\Program Files\SELECTREBATES\SahImages\check.png
         C:\Program Files\SELECTREBATES\SahImages\close.png
         C:\Program Files\SELECTREBATES\SahImages
         C:\Program Files\SELECTREBATES\SelectAlerts.dat
         C:\Program Files\SELECTREBATES\SelectRebates.ini
         C:\Program Files\SELECTREBATES\SelectRebatesA.dat
         C:\Program Files\SELECTREBATES\SelectRebatesB.dat
         C:\Program Files\SELECTREBATES\SelectRebatesBT.dat
         C:\Program Files\SELECTREBATES\SelectRebatesDownload.exe
         C:\Program Files\SELECTREBATES\SelectRebatesH.dat
         C:\Program Files\SELECTREBATES\SelectRebatesUninstall.exe
         C:\Program Files\SELECTREBATES\SRebates.dll
         C:\Program Files\SELECTREBATES\SRFF3.dll
         C:\Program Files\SELECTREBATES\Toolbar\AddtoList.bmp
         C:\Program Files\SELECTREBATES\Toolbar\basis.xml
         C:\Program Files\SELECTREBATES\Toolbar\Basis.xml.dym
         C:\Program Files\SELECTREBATES\Toolbar\Blank.bmp
         C:\Program Files\SELECTREBATES\Toolbar\Cache
         C:\Program Files\SELECTREBATES\Toolbar\CashBack.bmp
         C:\Program Files\SELECTREBATES\Toolbar\Coupons.bmp
         C:\Program Files\SELECTREBATES\Toolbar\GroceryCoupon.bmp
         C:\Program Files\SELECTREBATES\Toolbar\icons.bmp
         C:\Program Files\SELECTREBATES\Toolbar\ImageCache
         C:\Program Files\SELECTREBATES\Toolbar\i_magnifying.bmp
         C:\Program Files\SELECTREBATES\Toolbar\logo.bmp
         C:\Program Files\SELECTREBATES\Toolbar\logo_24.bmp
         C:\Program Files\SELECTREBATES\Toolbar\logo_HotSpots.bmp
         C:\Program Files\SELECTREBATES\Toolbar\ReviewSite.bmp
         C:\Program Files\SELECTREBATES\Toolbar\RightControls.dym
         C:\Program Files\SELECTREBATES\Toolbar\Scissors.bmp
         C:\Program Files\SELECTREBATES\Toolbar
         C:\Program Files\SELECTREBATES
         C:\WINDOWS\Prefetch\SELECTREBATESDOWNLOAD.EXE-053B5128.pf

      BearShare File Sharing Client
         C:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE
      hey101

        Topic Starter
        Re: Virus on desktop
        « Reply #3 on: January 08, 2011, 01:34:22 PM »
        Malwarebytes' Anti-Malware 1.50.1.1100
        www.malwarebytes.org

        Database version: 5484

        Windows 5.1.2600 Service Pack 3
        Internet Explorer 6.0.2900.5512

        1/8/2011 3:32:31 PM
        mbam-log-2011-01-08 (15-32-31).txt

        Scan type: Quick scan
        Objects scanned: 231007
        Time elapsed: 1 hour(s), 15 minute(s), 41 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 13
        Registry Values Infected: 2
        Registry Data Items Infected: 2
        Folders Infected: 6
        Files Infected: 15

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        HKEY_CURRENT_USER\SOFTWARE\JP595IR86O (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\Software\qni8hj710fdl (Malware.Trace) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\Software\TimeSink, Inc. (AdWare.TimeSink) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\TimeSink, Inc. (AdWare.TimeSink) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00C046 (Trojan.Vundo) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00C1C32 (Trojan.Vundo) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00D78A (Trojan.Vundo) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00E1071 (Trojan.Vundo) -> Quarantined and deleted successfully.

        Registry Values Infected:
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Value: idstrf -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Value: NoFolderOptions -> Quarantined and deleted successfully.

        Registry Data Items Infected:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

        Folders Infected:
        c:\documents and settings\all users\application data\75044525 (Rogue.Multiple) -> Quarantined and deleted successfully.
        c:\documents and settings\Grannylu\application data\searchtoolbarcorp (Trojan.Agent) -> Quarantined and deleted successfully.
        c:\documents and settings\Grannylu\application data\searchtoolbarcorp\toolbar vision (Trojan.Agent) -> Quarantined and deleted successfully.
        c:\documents and settings\will\application data\searchtoolbarcorp (Trojan.Agent) -> Quarantined and deleted successfully.
        c:\documents and settings\will\application data\searchtoolbarcorp\toolbar vision (Trojan.Agent) -> Quarantined and deleted successfully.
        c:\documents and settings\Mom\local settings\application data\p2pxmld8 (Trojan.Downloader) -> Quarantined and deleted successfully.

        Files Infected:
        c:\documents and settings\dad\my documents\downloads\install_adobe_flash(2).exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
        c:\documents and settings\will\local settings\Temp\PMShared (Trojan.Goldun) -> Quarantined and deleted successfully.
        c:\windows\qxesya.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
        c:\program files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
        c:\documents and settings\Mom\start menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
        c:\WINDOWS\system32\__c00f797c.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
        c:\documents and settings\Mom\local settings\Temp\habnf88jkefh87ifiks.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
        c:\documents and settings\Mom\local settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
        c:\documents and settings\Mom\local settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
        c:\documents and settings\Mom\local settings\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
        c:\documents and settings\Mom\local settings\application data\p2pxmld8\p2pxmld8.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
        c:\documents and settings\Grannylu\application data\searchtoolbarcorp\toolbar vision\pagehistory.txt (Trojan.Agent) -> Quarantined and deleted successfully.
        c:\documents and settings\Grannylu\application data\searchtoolbarcorp\toolbar vision\webhistory.txt (Trojan.Agent) -> Quarantined and deleted successfully.
        c:\documents and settings\will\application data\searchtoolbarcorp\toolbar vision\pagehistory.txt (Trojan.Agent) -> Quarantined and deleted successfully.
        c:\documents and settings\will\application data\searchtoolbarcorp\toolbar vision\webhistory.txt (Trojan.Agent) -> Quarantined and deleted successfully.

        SuperDave

        • Malware Removal Specialist


        Re: Virus on desktop
        « Reply #4 on: January 10, 2011, 04:55:58 PM »
        Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

        1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
        2. The fixes are specific to your problem and should only be used for this issue on this machine.
        3. If you don't know or understand something, please don't hesitate to ask.
        4. Please DO NOT run any other tools or scans while I am helping you.
        5. It is important that you reply to this thread. Do not start a new topic.
        6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
        7. Absence of symptoms does not mean that everything is clear.

        If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

        P2P - I see you have P2P software installed on your machine (LimeWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

        Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

        I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
        Also uninstall SelectRebates, BearshareMediabarDx and anything related to BearShare.
        *************************************************
        Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

        Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

        Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

        Exit out of MessengerDisable then delete the two files that were put on the desktop.
        *****************************************************
        I strongly recommend that you remove Ask from your computer because it:

        • Promotes its toolbars on sites targeted to kids.

        • Promotes its toolbars through ads that appear to be part of other companies' sites.

        • Promotes its toolbars through other companies' spyware.

        • Installs without any disclosure whatsoever and without any consent whatsoever.

        • Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

        • Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

        See Here for more info.

        If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

        AskBarDis or anything related to Ask

        Then please find and delete this folder (if present):
        C:\Program Files\AskBarDis, or anything related to Ask.
        ****************************************************
        Open HijackThis and select Do a system scan only

        Place a check mark next to the following entries: (if there)

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb&sysid=2
        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb&sysid=2
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb&sysid=2
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
        R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
        O2 - BHO: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
        O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
        O2 - BHO: ShopAtHomeIEHelper - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
        O3 - Toolbar: LimeWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
        O3 - Toolbar: ShopAtHome Toolbar - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
        O3 - Toolbar: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O20 - Winlogon Notify: gebca - Invalid registry found
        O20 - Winlogon Notify: __c00C046 - Invalid registry found
        O20 - Winlogon Notify: __c00C1C32 - Invalid registry found
        O20 - Winlogon Notify: __c00D78A - Invalid registry found
        O20 - Winlogon Notify: __c00E1071 - Invalid registry found
        O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

        Important: Close all open windows except for HijackThis and then click Fix checked.

        Once completed, exit HijackThis.
        *****************************************
        Download Security Check by screen317 from one of the following links and save it to your desktop.

        Link 1
        Link 2

        * Unzip SecurityCheck.zip and a folder named Security Check should appear.
        * Open the Security Check folder and double-click Security Check.bat
        * Follow the on-screen instructions inside of the black box.
        * A Notepad document should open automatically called checkup.txt
        * Post the contents of that document in your next reply.

        Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
        ***********************************************
        Please download ComboFix from BleepingComputer.com

        Alternate link: GeeksToGo.com
        and save it to your Desktop
        Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
        Double click ComboFix.exe & follow the prompts.
        As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

        Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

        Click on Yes, to continue scanning for malware.
        When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

        If you have problems with ComboFix usage, see How to use ComboFix
        Windows 8 and Windows 10 dual boot with two SSD's
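The HijackThis entries the helper asked to have fixed above follow a few recognisable patterns: a browser proxy pointed at 127.0.0.1 (traffic routed through a local process), search settings redirected to a third-party host, Winlogon Notify entries with no valid DLL behind them, a service whose binary is missing, and one CLSID registered under two different display names (the "LimeWire Toolbar" and "Ask Toolbar BHO" share {D4027C7F-154A-4066-A1AD-4243D8127440}). The script below is an added example, not part of the forum post and not part of HijackThis; it parses the log format and applies those heuristics to a sample built from the entries quoted above. The set of "expected" search hosts is this example's own assumption, as are the rule wordings.

```python
"""Triage a HijackThis (HJT) log: flag entries that commonly indicate
browser hijacking, leftover persistence, or a broken service.

Added example. The sample below is constructed from entries quoted in the
forum post; ALLOWED_SEARCH_HOSTS and the rules are the example's assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input: a subset of the HJT lines quoted in the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb&sysid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: LimeWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O20 - Winlogon Notify: __c00C046 - Invalid registry found
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LOOPBACK_RE = re.compile(r"127\.0\.0\.1|localhost", re.IGNORECASE)
# Assumption: hosts a stock Internet Explorer of that era would search through.
ALLOWED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.bing.com", "go.microsoft.com"}


def parse_entries(text):
    """Return (code, body) pairs for every line shaped like an HJT entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Apply the heuristics and return a list of (code, reason) findings."""
    findings = []
    names_by_clsid = defaultdict(set)  # CLSID -> display names it appears under
    for code, body in parse_entries(text):
        if code in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if key.endswith("ProxyServer") and LOOPBACK_RE.search(value):
                findings.append((code, "browser proxy points at loopback: a local process is intercepting web traffic"))
            elif "Search" in key and value.startswith("http"):
                host = urlparse(value).hostname or ""
                if host not in ALLOWED_SEARCH_HOSTS:
                    findings.append((code, f"search setting redirected to {host}"))
        elif code == "O20" and "Invalid registry found" in body:
            findings.append((code, "Winlogon Notify entry with no valid DLL (stale or partly cleaned persistence)"))
        elif code == "O23" and "(file missing)" in body:
            findings.append((code, "service points at a missing binary (orphaned or partially removed)"))
        elif code in ("O2", "O3"):
            m = CLSID_RE.search(body)
            if m:
                # body looks like "BHO: Name - {CLSID} - path"; keep just Name
                name = body.split(" - ")[0].split(": ", 1)[-1]
                names_by_clsid[m.group(0)].add(name)
    for clsid, names in names_by_clsid.items():
        if len(names) > 1:
            findings.append(("O2/O3", f"{clsid} registered under several names: {sorted(names)}"))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(f"{code:6} {reason}")
```

The O4 entry for RealPlayer's scheduler is deliberately left unflagged: the heuristics only speak to the patterns listed in the lead-in, and anything else still needs a human to look at the path and publisher, which is exactly what the helper did when selecting the lines above.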

        jhonas

          Rookie
          Thanked: 1
          • Experience: Beginner
          • OS: Unknown
          Re: Virus on desktop
          « Reply #5 on: January 26, 2011, 11:47:14 PM »
          Your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help. I have warned you before not to hijack someone else's thread. If you need help, start your own thread.
          « Last Edit: January 27, 2011, 01:32:36 PM by SuperDave »