
Author Topic: Malware


earmic

    Topic Starter


    Beginner

    Malware
    « on: January 22, 2012, 06:05:02 AM »
    Picked up this nasty little piece of malware yesterday. Something to do with "Microsoft Security Center 2012". I see a few other posts here also. Anyway, it's blocking my AVG from running. I did run MBAM; it found 800 objects but could not fix any of them. I thought the MBAM might have been corrupted, so I removed it and now I can't download it again. All I have is my HijackThis, which has the "O1 - Hosts: ::1 localhost" redirection, which has been blocked from fixing except through the Start > Run etc. command, which I tried but can't seem to get to work. I did manage to get a new AVG to run once and find no viruses, but now it's blocked from running. Please help.

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1260
    • Experience: Guru
    • OS: Windows 10
    Re: Malware
    « Reply #1 on: January 22, 2012, 06:06:39 AM »
    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    You can download everything on another system and transfer them to the system in question.

    earmic

      Topic Starter


      Beginner

      Re: Malware
      « Reply #2 on: January 22, 2012, 12:17:11 PM »
      Now it looks like I've only got one thing left. In HijackThis, under hosts file redirections, there is the "O1 - Hosts: ::1 localhost" line I need to delete, but when I try it, it says that HijackThis has been denied access to the hosts file for some reason. When I use the directions about Start, Run, and then it tells me to edit the file myself, I can't get it to work. What am I missing?
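
The "O1 - Hosts: ::1 localhost" item in both posts above is HijackThis reporting one active line of the Windows hosts file. As an added example that is not part of the thread, this Python helper parses a hosts file and sorts each active line into loopback defaults, sinkholed names and redirections, so a reviewer can see which entries actually alter name resolution; the sample hosts content is constructed.

```python
"""Review helper for a Windows hosts file (added example, not from the thread).

HijackThis lists every active hosts-file line under 'O1 - Hosts:'. This helper
parses the same kind of file and sorts each line into one of three buckets so a
reviewer can tell the loopback defaults apart from entries that change name
resolution. The sample hosts content at the bottom is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Names that legitimately map to the loopback address in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> List[Tuple[Address, List[str]]]:
    """Return (address, hostnames) for each active line; comments and blanks are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank, comment-only, or address without a name
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not a valid IPv4/IPv6 literal
        entries.append((addr, parts[1:]))
    return entries


def classify(addr: Address, names: List[str]) -> str:
    """
    'default'  : loopback address mapped only to localhost-style names (the stock entries,
                 e.g. '127.0.0.1 localhost' and '::1 localhost')
    'sinkhole' : other hostnames pointed at loopback or 0.0.0.0, i.e. those names are blocked
    'redirect' : a hostname pointed at any other address
    """
    if addr.is_loopback and all(n.lower() in LOOPBACK_NAMES for n in names):
        return "default"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"
    return "redirect"


def review_hosts(text: str) -> Dict[str, List[str]]:
    """Bucket every active hosts line by what it does to name resolution."""
    report: Dict[str, List[str]] = {"default": [], "sinkhole": [], "redirect": []}
    for addr, names in parse_hosts(text):
        report[classify(addr, names)].append(f"{addr} {' '.join(names)}")
    return report


# Constructed sample. The two loopback lines are the stock entries; the other two are
# invented, using reserved .example names and the TEST-NET-1 documentation range.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.antivirus.example       # a (fictional) update host that would be blocked
192.0.2.10      www.bank.example               # a (fictional) site sent to a different address
"""

if __name__ == "__main__":
    for bucket, lines in review_hosts(SAMPLE_HOSTS).items():
        print(f"{bucket}: {len(lines)}")
        for line in lines:
            print("   ", line)
```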

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Malware
      « Reply #3 on: January 22, 2012, 03:09:07 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer, you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down for about 10 secs while inserting the USB storage device. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back online.
      *************************************************************************
      SUPERAntiSpyware

      If you already have SUPERAntiSpyware, be sure to check for updates before scanning!

      Download SuperAntispyware Free Edition (SAS)
      • Double-click the icon on your desktop to run the installer.
      • When asked to update the program definitions, click Yes.
      • If you encounter any problems while downloading the updates, manually download and unzip them from here.
      • Next, click the Preferences button.
      • Under Start-Up Options, uncheck Start SUPERAntiSpyware when Windows starts.
      • Click the Scanning Control tab.
      • Under Scanner Options, make sure only the following are checked:
        • Close browsers before scanning
        • Scan for tracking cookies
        • Terminate memory threats before quarantining
        Please leave the others unchecked.
      • Click the Close button to leave the control center screen.
      • On the main screen, click Scan your computer.
      • On the left, check the box for the drive you are scanning.
      • On the right, choose Perform Complete Scan.
      • Click Next to start the scan. Please be patient while it scans your computer.
      • After the scan is complete, a summary box will appear. Click OK.
      • Make sure everything in the white box has a check next to it, then click Next.
      • It will quarantine what it found and, if it asks if you want to reboot, click Yes.

      To retrieve the removal information, please do the following:
      • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
      • Click Preferences. Click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • It will open in your default text editor (preferably Notepad).
      • Save the Notepad file to your desktop by clicking (in Notepad) File > Save As...
      • Save the log somewhere you can easily find it (normally the desktop).
      • Click Close, and Close again to exit the program.
      • Copy and paste the log in your post.
      ******************************************
      Please download Malwarebytes Anti-Malware from here.
      Double-click mbam-setup.exe to install the application.
      • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select "Perform Full Scan", then click Scan.
      • The scan may take some time to finish, so please be patient.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      • Please save the log to a location you will remember.
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the entire report in your next reply.

      Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
      **********************************************
      Download DDS from HERE or HERE and save it to your desktop.

      • Vista users: right-click on dds and select Run as administrator (you will receive a UAC prompt; please allow it).
      • XP users: double-click on dds to run it.
      • If your antivirus or firewall tries to block DDS, then please allow it to run.
      • When finished, DDS will open two (2) logs:
        1) DDS.txt
        2) Attach.txt
      • Save both reports to your desktop.
      • The instructions here ask you to attach the Attach.txt. Instead of attaching, please copy/paste both logs into your thread.

      Note: DDS will instruct you to post the Attach.txt log as an attachment.
      Please just post it as you would any other log by copying and pasting it into the reply.

      • Close the program window, and delete the program from your desktop.

      Please note: You may have to disable any script protection running if the scan fails to run.
      After downloading the tool, disconnect from the internet and disable all antivirus protection.
      Run the scan, enable your A/V and reconnect to the internet.
      Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).
      Windows 8 and Windows 10 dual boot with two SSD's

      earmic

        Topic Starter


        Beginner

        Re: Malware
        « Reply #4 on: January 23, 2012, 05:01:02 AM »
        Here are the logs requested. The hosts redirection is still there.
        Logfile of Trend Micro HijackThis v2.0.4
        Scan saved at 6:21:01 AM, on 1/23/2012
        Platform: Windows XP SP3 (WinNT 5.01.2600)
        MSIE: Internet Explorer v8.00 (8.00.6001.18702)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
        C:\Program Files\AVG\AVG2012\avgcsrvx.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Online Armor\OAcat.exe
        C:\Program Files\Online Armor\oasrv.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\LEXBCES.EXE
        C:\WINDOWS\system32\LEXPPS.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
        C:\Program Files\AVG\AVG2012\avgwdsvc.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\Program Files\Dell Support Center\bin\sprtsvc.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
        C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
        C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
        C:\Program Files\AVG\AVG2012\avgnsx.exe
        C:\Program Files\AVG\AVG2012\avgemcx.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
        C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
        C:\Program Files\Dell\Media Experience\DMXLauncher.exe
        C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\AVG\AVG2012\avgtray.exe
        C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
        C:\Program Files\Online Armor\OAui.exe
        C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        C:\Program Files\Online Armor\OAhlp.exe
        C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        O1 - Hosts: ::1 localhost
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
        O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
        O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
        O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
        O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
        O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
        O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Online Armor\OAui.exe"
        O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
        O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
        O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
        O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
        O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
        O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
        O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
        O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
        O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
        O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Online Armor\OAcat.exe
        O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
        O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Online Armor\oasrv.exe
        O23 - Service: vToolbarUpdater - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
        O23 - Service: WDDMService - WDC - C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
        O23 - Service: WDFMEService - Western Digital  - C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
        O23 - Service: WDRulesService - Western Digital  - C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe

        --
        End of file - 5436 bytes
        Earl :: D7SXQY91 [administrator]

        1/22/2012 2:36:16 PM
        mbam-log-2012-01-22 (14-36-16).txt

        Scan type: Full scan
        Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
        Scan options disabled: P2P
        Objects scanned: 244936
        Time elapsed: 31 minute(s), 17 second(s)

        Memory Processes Detected: 0
        (No malicious items detected)

        Memory Modules Detected: 0
        (No malicious items detected)

        Registry Keys Detected: 0
        (No malicious items detected)

        Registry Values Detected: 0
        (No malicious items detected)

        Registry Data Items Detected: 0
        (No malicious items detected)

        Folders Detected: 0
        (No malicious items detected)

        Files Detected: 0
        (No malicious items detected)

        (end)

        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 01/22/2012 at 10:09 PM

        Application Version : 5.0.1142

        Core Rules Database Version : 8154
        Trace Rules Database Version: 5966

        Scan type       : Complete Scan
        Total Scan Time : 00:32:33

        Operating System Information
        Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
        Administrator

        Memory items scanned      : 422
        Memory threats detected   : 0
        Registry items scanned    : 23375
        Registry threats detected : 56
        File items scanned        : 84051
        File threats detected     : 1

        Adware.MyWebSearch/FunWebProducts
           HKU\S-1-5-21-2856773612-2364928292-2262524725-1006\SOFTWARE\FunWebProducts
           HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}
           HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\ProxyStubClsid
           HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\ProxyStubClsid32
           HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\TypeLib
           HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\TypeLib#Version
           HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
           HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
           HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
           HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
           HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
           HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}
           HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\ProxyStubClsid
           HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\ProxyStubClsid32
           HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\TypeLib
           HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\TypeLib#Version
           HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}
           HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\ProxyStubClsid
           HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\ProxyStubClsid32
           HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\TypeLib
           HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\TypeLib#Version
           HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}
           HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\ProxyStubClsid
           HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\ProxyStubClsid32
           HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\TypeLib
           HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\TypeLib#Version
           HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}
           HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\ProxyStubClsid
           HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\ProxyStubClsid32
           HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\TypeLib
           HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\TypeLib#Version
           HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}
           HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\ProxyStubClsid
           HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\ProxyStubClsid32
           HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\TypeLib
           HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\TypeLib#Version
           HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}
           HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\ProxyStubClsid
           HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\ProxyStubClsid32
           HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\TypeLib
           HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\TypeLib#Version
           HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE
           HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE#NextInstance
           HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000
           HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Service
           HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Legacy
           HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ConfigFlags
           HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Class
           HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ClassGUID
           HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#DeviceDesc

        Browser Hijacker.Internet Explorer Settings Hijack
           HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
           HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
           HKU\S-1-5-19_Classes\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
           HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
           HKU\S-1-5-20_Classes\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
           HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]

        Adware.Tracking Cookie
           C:\DOCUMENTS AND SETTINGS\EARL\Cookies\[email protected][2].txt [ Cookie:[email protected]

        DDS (Ver_2011-08-26.01) - NTFSx86
        Internet Explorer: 8.0.6001.18702
        Run by Earl at 6:48:28 on 2012-01-23
        Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3318.2710 [GMT -5:00]
        .
        AV: Malware Protection Center *Enabled/Updated* {0A22CD38-123B-4E0A-85D3-4F3C45DF26AB}
        AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
        FW: Online Armor Firewall *Enabled*
        FW: Malware Protection Center *Enabled*
        FW:  *Disabled*
        .
        ============== Running Processes ===============
        .
        C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
        C:\Program Files\AVG\AVG2012\avgcsrvx.exe
        C:\WINDOWS\system32\svchost -k DcomLaunch
        svchost.exe
        C:\WINDOWS\System32\svchost.exe -k netsvcs
        svchost.exe
        svchost.exe
        C:\Program Files\Online Armor\OAcat.exe
        C:\Program Files\Online Armor\oasrv.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\LEXBCES.EXE
        C:\WINDOWS\system32\LEXPPS.EXE
        C:\WINDOWS\system32\spoolsv.exe
        svchost.exe
        C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
        C:\Program Files\AVG\AVG2012\avgwdsvc.exe
        C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\Program Files\Dell Support Center\bin\sprtsvc.exe
        C:\WINDOWS\system32\svchost.exe -k imgsvc
        C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
        C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
        C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
        C:\Program Files\AVG\AVG2012\avgnsx.exe
        C:\Program Files\AVG\AVG2012\avgemcx.exe
        C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
        C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
        C:\Program Files\Dell\Media Experience\DMXLauncher.exe
        C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
        C:\WINDOWS\System32\svchost.exe -k HTTPFilter
        C:\Program Files\AVG\AVG2012\avgtray.exe
        C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
        C:\Program Files\Online Armor\OAui.exe
        C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        C:\Program Files\Online Armor\OAhlp.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\WINDOWS\system32\taskmgr.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        .
        ============== Pseudo HJT Report ===============
        .
        uStart Page = hxxp://www.google.com/
        mURLSearchHooks: H - No File
        BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
        BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
        TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
        TB: {37153479-1976-43C3-A1EE-557513977B64} - No File
        {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
        EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
        uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
        mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
        mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
        mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
        mRun: [<NO NAME>]
        mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
        mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
        mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
        mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
        mRun: [@OnlineArmor GUI] "c:\program files\online armor\OAui.exe"
        mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
        uPolicies-explorer: DisallowRun = 1 (0x1)
        IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
        IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
        DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
        DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
        DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
        DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
        DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
        TCP: DhcpNameServer = 10.0.0.1
        TCP: Interfaces\{B1CEA017-F4BD-4A2E-B0E7-3A9471493943} : DhcpNameServer = 10.0.0.1
        Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
        Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
        Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
        Notify: igfxcui - igfxdev.dll
        SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
        SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
        mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
        IFEO: image file execution options - svchost.exe
        .
        ============= SERVICES / DRIVERS ===============
        .
        R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
        R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
        R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
        R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
        R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
        R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2012-1-22 205864]
        R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2012-1-22 40296]
        R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2012-1-22 25192]
        R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2012-1-22 29464]
        R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
        R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
        R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
        R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
        R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
        R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2012-1-22 207936]
        R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2012-1-22 4363040]
        R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-1-19 909152]
        R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\WDDMService.exe [2011-6-29 263056]
        R2 WDFMEService;WDFMEService;c:\program files\western digital\wd smartware\WDFME.exe [2011-6-29 1592208]
        R2 WDRulesService;WDRulesService;c:\program files\western digital\wd smartware\WDRulesEngine.exe [2011-6-29 1091984]
        R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
        R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
        R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
        S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
        S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]
        S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-8-7 11520]
        S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
        .
        =============== Created Last 30 ================
        .
        2012-01-23 02:34:48   --------   d-----w-   c:\documents and settings\earl\application data\SUPERAntiSpyware.com
        2012-01-23 02:33:53   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2012-01-23 02:33:53   --------   d-----w-   c:\documents and settings\all users\application data\SUPERAntiSpyware.com
        2012-01-22 19:26:38   --------   d-----w-   c:\documents and settings\earl\application data\OnlineArmor
        2012-01-22 19:26:38   --------   d-----w-   c:\documents and settings\all users\application data\OnlineArmor
        2012-01-22 19:26:14   40296   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
        2012-01-22 19:26:14   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
        2012-01-22 19:26:14   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
        2012-01-22 19:26:14   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
        2012-01-22 19:26:10   --------   d-----w-   c:\program files\Online Armor
        2012-01-22 13:08:55   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2012-01-22 09:04:52   --------   d-----w-   c:\documents and settings\earl\application data\AVG2012
        2012-01-22 08:09:21   --------   d-----w-   c:\documents and settings\all users\application data\AVG Secure Search
        2012-01-21 17:57:21   --------   d-sh--w-   c:\documents and settings\earl\application data\Malware Protection Center
        2012-01-21 17:57:20   --------   d-sh--w-   c:\documents and settings\all users\application data\MPDPJDIC
        2012-01-21 17:56:25   --------   d-sh--w-   c:\documents and settings\all users\application data\29c85f
        .
        ==================== Find3M  ====================
        .
        2011-12-28 22:27:35   2620   --sha-w-   c:\windows\system32\KGyGaAvL.sys
        2011-11-25 21:57:19   293376   ----a-w-   c:\windows\system32\winsrv.dll
        2011-11-23 13:25:32   1859584   ----a-w-   c:\windows\system32\win32k.sys
        2011-11-18 12:35:08   60416   ----a-w-   c:\windows\system32\packager.exe
        2011-11-16 22:49:12   2256   ----a-w-   c:\windows\current_settings.bin
        2011-11-10 10:54:13   472808   ----a-w-   c:\windows\system32\deployJava1.dll
        2011-11-10 08:27:10   73728   ----a-w-   c:\windows\system32\javacpl.cpl
        2011-11-09 03:37:12   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
        2011-11-04 19:20:51   916992   ----a-w-   c:\windows\system32\wininet.dll
        2011-11-04 19:20:51   43520   ------w-   c:\windows\system32\licmgr10.dll
        2011-11-04 19:20:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
        2011-11-04 11:23:59   385024   ------w-   c:\windows\system32\html.iec
        2011-11-03 15:28:36   386048   ----a-w-   c:\windows\system32\qdvd.dll
        2011-11-03 15:28:36   1292288   ----a-w-   c:\windows\system32\quartz.dll
        2011-11-01 16:07:10   1288704   ----a-w-   c:\windows\system32\ole32.dll
        2011-10-28 05:31:48   33280   ----a-w-   c:\windows\system32\csrsrv.dll
        2011-10-25 13:37:08   2148864   ----a-w-   c:\windows\system32\ntoskrnl.exe
        2011-10-25 12:52:02   2027008   ----a-w-   c:\windows\system32\ntkrnlpa.exe
        .
        ============= FINISH:  6:52:21.45 ===============

        SuperDave

        Re: Malware
        « Reply #5 on: January 23, 2012, 04:24:50 PM »
        Download Combofix from any of the links below, and save it to your desktop

        Link 1
        Link 2
        Link 3

        To prevent your anti-virus application from interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
        • Close any open windows and double click ComboFix.exe to run it.

          You will see the following image:


        Click I Agree to start the program.

        ComboFix will then extract the necessary files and you will see this:



        As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

        It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

        If you did not have it installed, you will see the prompt below. Choose YES.



        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

        **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



        Click on Yes, to continue scanning for malware.

        When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

        Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

        Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
        Windows 8 and Windows 10 dual boot with two SSD's

        earmic


          Re: Malware
          « Reply #6 on: January 23, 2012, 06:16:23 PM »
          I disabled my AVG, downloaded the Combofix and it ran for about 3/4 of the way through the 'green screen' and then it suddenly stops running and disappears.  I tried it several times, same thing.

          earmic


            Re: Malware
            « Reply #7 on: January 23, 2012, 06:23:57 PM »
            I closed IE and it continued to run except it stops and warns me about the 'Malware protection center' scanner that's running, and to disable it.  Is it talking about MBAM, or something else? I can't find any 'Malware protection center'.

            SuperDave

            Re: Malware
            « Reply #8 on: January 23, 2012, 07:05:57 PM »
            Ok. Let's try this. Delete ComboFix from your desktop and download a new version.

            Download Combofix from any of the links below, and save it to your desktop

            Link 1
            Link 2
            Link 3

            When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.

            Refer to this image:

            To prevent your anti-virus application from interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
            • Close any open windows and double click PCHelpForum.exe to run it.

              You will see the following image:


            Click I Agree to start the program.

            ComboFix will then extract the necessary files and you will see this:



            As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

            It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

            If you did not have it installed, you will see the prompt below. Choose YES.



            Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

            **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

            Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



            Click on Yes, to continue scanning for malware.

            When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

            Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

            Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

            earmic


              Re: Malware
              « Reply #9 on: January 23, 2012, 07:35:21 PM »
              Okay tried that, also disabled AVG like before, and closed IE, same thing happens.

              SuperDave

              Re: Malware
              « Reply #10 on: January 24, 2012, 04:26:07 PM »
              Please try running ComboFix in Safe mode.

              earmic


                Re: Malware
                « Reply #11 on: January 24, 2012, 06:13:43 PM »
                Was able to run it in safe mode, and it made it a little farther into the scan, then the same thing happened: the security center warning popped up.  Where is this thing hiding?  I can't find it anywhere.

                earmic


                  Re: Malware
                  « Reply #12 on: January 24, 2012, 06:46:30 PM »
                  Well, somehow I was able to get Combofix to run. Here is the log report:
                  ComboFix 12-01-23.02 - Earl 01/24/2012  20:26:03.1.2 - x86
                  Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3318.2802 [GMT -5:00]
                  Running from: c:\documents and settings\Earl\Desktop\ComboFix.exe
                  AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                  AV: Malware Protection Center *Enabled/Updated* {0A22CD38-123B-4E0A-85D3-4F3C45DF26AB}
                  FW:  *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
                  FW: Malware Protection Center *Enabled* {4EA14CFC-3409-44BF-BC95-3D4160821E44}
                  FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  c:\documents and settings\All Users\Application Data\29c85f
                  c:\documents and settings\All Users\Application Data\29c85f\71.mof
                  c:\documents and settings\All Users\Application Data\29c85f\MPC.ico
                  c:\documents and settings\All Users\Application Data\TEMP
                  c:\documents and settings\All Users\Application Data\TEMP\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
                  c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
                  c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
                  c:\documents and settings\All Users\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
                  c:\documents and settings\All Users\Application Data\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
                  c:\documents and settings\Earl\WINDOWS
                  c:\windows\system32\Cache
                  c:\windows\system32\Cache\272512937d9e61a4.fb
                  c:\windows\system32\Cache\287204568329e189.fb
                  c:\windows\system32\Cache\28bc8f716fd76a47.fb
                  c:\windows\system32\Cache\2c53092c95605355.fb
                  c:\windows\system32\Cache\3917078cb68ec657.fb
                  c:\windows\system32\Cache\590ba23ce359fd0c.fb
                  c:\windows\system32\Cache\610289e025a3ee9a.fb
                  c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
                  c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
                  c:\windows\system32\Cache\a155ed85f72d3a41.fb
                  c:\windows\system32\Cache\a8556537add6dfc5.fb
                  c:\windows\system32\Cache\ad10a52aff5e038d.fb
                  c:\windows\system32\Cache\c4d28dca2e7648be.fb
                  c:\windows\system32\Cache\c7df7a3556de1eb9.fb
                  c:\windows\system32\Cache\d201ef9910cd39de.fb
                  c:\windows\system32\Cache\d2e94710a5708128.fb
                  c:\windows\system32\Cache\d79b9dfe81484ec4.fb
                  c:\windows\system32\Cache\e0de16f883bea794.fb
                  c:\windows\system32\drivers\1028_DELL_XPS_Dell DM051                   .MRK
                  c:\windows\system32\drivers\DELL_XPS_Dell DM051                   .MRK
                  .
                  .
                  (((((((((((((((((((((((((   Files Created from 2011-12-25 to 2012-01-25  )))))))))))))))))))))))))))))))
                  .
                  .
                  2012-01-25 00:54 . 2012-01-25 00:56   --------   d-----w-   c:\documents and settings\Administrator
                  2012-01-23 11:32 . 2012-01-23 11:32   --------   d-----w-   c:\program files\Common Files\Java
                  2012-01-23 02:34 . 2012-01-23 02:34   --------   d-----w-   c:\documents and settings\Earl\Application Data\SUPERAntiSpyware.com
                  2012-01-23 02:33 . 2012-01-23 02:34   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2012-01-23 02:33 . 2012-01-23 02:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2012-01-22 19:26 . 2012-01-23 02:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
                  2012-01-22 19:26 . 2012-01-22 19:27   --------   d-----w-   c:\documents and settings\Earl\Application Data\OnlineArmor
                  2012-01-22 19:26 . 2011-11-01 16:34   40296   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
                  2012-01-22 19:26 . 2011-11-01 16:34   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                  2012-01-22 19:26 . 2011-11-01 16:34   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                  2012-01-22 19:26 . 2011-11-01 16:34   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                  2012-01-22 19:26 . 2012-01-24 01:01   --------   d-----w-   c:\program files\Online Armor
                  2012-01-22 13:08 . 2011-12-10 20:24   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2012-01-22 09:04 . 2012-01-22 09:04   --------   d-----w-   c:\documents and settings\Earl\Application Data\AVG2012
                  2012-01-22 08:09 . 2012-01-22 08:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Secure Search
                  2012-01-21 17:57 . 2012-01-21 17:59   --------   d-sh--w-   c:\documents and settings\Earl\Application Data\Malware Protection Center
                  2012-01-21 17:57 . 2012-01-21 17:57   --------   d-sh--w-   c:\documents and settings\All Users\Application Data\MPDPJDIC
                  .
                  .
                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2011-11-25 21:57 . 2004-08-10 16:51   293376   ----a-w-   c:\windows\system32\winsrv.dll
                  2011-11-23 13:25 . 2004-08-10 16:51   1859584   ----a-w-   c:\windows\system32\win32k.sys
                  2011-11-18 12:35 . 2004-08-10 16:51   60416   ----a-w-   c:\windows\system32\packager.exe
                  2011-11-10 10:54 . 2011-06-20 12:05   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                  2011-11-10 08:27 . 2011-07-02 00:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                  2011-11-09 03:37 . 2011-05-23 23:39   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
                  2011-11-04 19:20 . 2004-08-10 16:51   916992   ----a-w-   c:\windows\system32\wininet.dll
                  2011-11-04 19:20 . 2004-08-10 16:51   43520   ------w-   c:\windows\system32\licmgr10.dll
                  2011-11-04 19:20 . 2004-08-10 16:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
                  2011-11-04 11:23 . 2004-08-10 16:51   385024   ------w-   c:\windows\system32\html.iec
                  2011-11-03 15:28 . 2004-08-10 16:51   386048   ----a-w-   c:\windows\system32\qdvd.dll
                  2011-11-03 15:28 . 2004-08-10 16:51   1292288   ----a-w-   c:\windows\system32\quartz.dll
                  2011-11-01 16:07 . 2004-08-10 16:51   1288704   ----a-w-   c:\windows\system32\ole32.dll
                  2011-10-28 05:31 . 2004-08-10 16:50   33280   ----a-w-   c:\windows\system32\csrsrv.dll
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4
                  .
                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
                  .
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
                  "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
                  "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
                  "Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
                  "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-05 98304]
                  "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
                  "@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-11-01 2531104]
                  "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
                  .
                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-11-01 358840]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                  2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  .
                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                  BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
                  .
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
                  @=""
                  .
                  [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
                  path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
                  backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
                  .
                  [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Quick View.lnk]
                  path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Quick View.lnk
                  backup=c:\windows\pss\WD Quick View.lnkCommon Startup
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
                  2006-02-09 22:34   106496   ----a-w-   c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
                  2006-03-24 00:13   77824   ----a-w-   c:\windows\system32\hkcmd.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
                  2006-03-24 00:17   118784   ----a-w-   c:\windows\system32\igfxpers.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
                  2006-03-24 00:17   94208   ----a-w-   c:\windows\system32\igfxtray.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
                  2010-08-16 17:45   2736128   ----a-w-   c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
                  2008-04-14 00:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
                  2006-05-05 18:02   98304   ----a-w-   c:\program files\QuickTime\qttask.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
                  2011-06-09 18:06   254696   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
                  "DisableMonitoring"=dword:00000001
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "c:\\WINDOWS\\system32\\mmc.exe"=
                  "c:\\WINDOWS\\system32\\dpvsetup.exe"=
                  "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
                  "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
                  "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
                  "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
                  .
                  R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
                  R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
                  R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
                  R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
                  R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [1/22/2012 2:26 PM 205864]
                  R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [1/22/2012 2:26 PM 40296]
                  R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [1/22/2012 2:26 PM 25192]
                  R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [1/22/2012 2:26 PM 29464]
                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
                  R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
                  R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
                  R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [1/22/2012 2:26 PM 207936]
                  R2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [1/22/2012 2:26 PM 4363040]
                  R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [1/19/2012 5:27 PM 909152]
                  R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WDDMService.exe [6/29/2011 7:01 AM 263056]
                  R2 WDFMEService;WDFMEService;c:\program files\Western Digital\WD SmartWare\WDFME.exe [6/29/2011 7:01 AM 1592208]
                  R2 WDRulesService;WDRulesService;c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe [6/29/2011 7:01 AM 1091984]
                  R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
                  R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
                  R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
                  S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
                  S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
                  S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
                  S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/7/2011 6:51 AM 11520]
                  S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
                  2010-08-16 17:43   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://www.google.com/
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
                  TCP: DhcpNameServer = 10.0.0.1
                  DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
                  .
                  - - - - ORPHANS REMOVED - - - -
                  .
                  WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
                  WebBrowser-{37153479-1976-43C3-A1EE-557513977B64} - (no file)
                  WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
                  AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
                  .
                  .
                  .
                  **************************************************************************
                  .
                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2012-01-24 20:37
                  Windows 5.1.2600 Service Pack 3 NTFS
                  .
                  scanning hidden processes ... 
                  .
                  scanning hidden autostart entries ...
                  .
                  scanning hidden files ... 
                  .
                  scan completed successfully
                  hidden files: 0
                  .
                  **************************************************************************
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------
                  .
                  - - - - - - - > 'winlogon.exe'(788)
                  c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  c:\windows\system32\WININET.dll
                  .
                  Completion time: 2012-01-24  20:42:36
                  ComboFix-quarantined-files.txt  2012-01-25 01:42
                  .
                  Pre-Run: 55,385,833,472 bytes free
                  Post-Run: 56,277,286,912 bytes free
                  .
                  WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
                  [boot loader]
                  timeout=2
                  default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
                  [operating systems]
                  c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                  UnsupportedDebug="do not select this" /debug
                  multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
                  .
                  - - End Of File - - 86C8BC36E13C0EB1C10E378114C5C68D
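
Both logs posted in this thread show the same two signals: three directories created within a minute of each other on 2012-01-21 carrying the hidden+system attributes (d-sh--w-) under Application Data, two of them with random-looking names (MPDPJDIC, 29c85f), and a product called "Malware Protection Center" registered in Security Center as both an anti-virus and a firewall next to the real AVG and Online Armor entries. The Python script below is an added example for this thread, not code from ComboFix, DDS or any poster; it parses lines in the posted format and pulls those signals out automatically. The sample lines are constructed to match the log layout above, and the vendor allow-list is an assumption you would fill in from what you know is installed on the machine.

```python
"""
Triage helper for the 'Files Created' entries and the AV:/FW: header lines in
DDS/ComboFix-style logs such as the ones posted above.  Added example written
for this thread; it is not part of ComboFix, DDS or any other tool.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the entries in the posted logs (both the
# single-timestamp DDS layout and the 'created . modified' ComboFix layout).
SAMPLE_LOG = """\
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Malware Protection Center *Enabled/Updated* {0A22CD38-123B-4E0A-85D3-4F3C45DF26AB}
FW: Malware Protection Center *Enabled* {4EA14CFC-3409-44BF-BC95-3D4160821E44}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
2012-01-23 02:33 . 2012-01-23 02:34   --------   d-----w-   c:\\program files\\SUPERAntiSpyware
2012-01-22 13:08 . 2011-12-10 20:24   20464   ----a-w-   c:\\windows\\system32\\drivers\\mbam.sys
2012-01-21 17:57 . 2012-01-21 17:59   --------   d-sh--w-   c:\\documents and settings\\Earl\\Application Data\\Malware Protection Center
2012-01-21 17:57 . 2012-01-21 17:57   --------   d-sh--w-   c:\\documents and settings\\All Users\\Application Data\\MPDPJDIC
2012-01-21 17:56:25   --------   d-sh--w-   c:\\documents and settings\\all users\\application data\\29c85f
"""

# Security Center registration line: "AV: <name> *<state>* {<guid>}".
SC_RE = re.compile(r"^(?P<kind>AV|FW): (?P<name>.*?) \*(?P<state>[^*]+)\* \{(?P<guid>[0-9A-Fa-f-]+)\}$")

# File entry: created timestamp, optional " . modified" timestamp, size or
# eight dashes, an 8-character attribute string, then the path.
ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?\s+"
    r"(?P<size>\d+|-{8})\s+"
    r"(?P<attr>[a-z-]{8})\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s*$"
)

# Vendor names expected on this machine (assumption for the example; build it
# from what you know is installed, never from the log you are triaging).
KNOWN_VENDORS = ("avg", "online armor", "microsoft")


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str


def looks_random(name: str) -> bool:
    """Hex blobs (29c85f) or letter soup (MPDPJDIC) are typical rogue-AV folder names."""
    return bool(re.fullmatch(r"[0-9a-f]{5,}", name) or re.fullmatch(r"[A-Z]{6,}", name))


def is_known(name: str) -> bool:
    return any(v in name.lower() for v in KNOWN_VENDORS)


def triage(log_text: str) -> list:
    """Return findings for hidden+system entries under Application Data and for
    Security Center products that do not match a known vendor."""
    findings = []
    registered = {}  # product name -> set of roles ("AV", "FW") it claims
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SC_RE.match(line)
        if m:
            registered.setdefault(m["name"], set()).add(m["kind"])
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        attr, path = m["attr"], m["path"]
        # In the posted logs the attribute string reads d-sh--w-: index 0 is 'd'
        # for a directory, index 2 's' (system) and index 3 'h' (hidden).
        hidden_system = attr[2] == "s" and attr[3] == "h"
        if hidden_system and "application data" in path.lower():
            name = path.rstrip("\\").rsplit("\\", 1)[-1]
            detail = "hidden+system under Application Data"
            if looks_random(name):
                detail += ", random-looking name"
            rule = "hidden-appdata-dir" if attr[0] == "d" else "hidden-appdata-file"
            findings.append(Finding(rule, path, detail))
    for name, kinds in registered.items():
        if is_known(name):
            continue
        detail = "registered in Security Center as " + "+".join(sorted(kinds))
        if kinds >= {"AV", "FW"}:
            detail += " (one unknown product claiming both roles, as rogue AVs do)"
        findings.append(Finding("unknown-security-product", name, detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Hidden+system attributes on their own are not proof of anything (Windows marks some of its own folders that way), so treat the output as a triage list: compare it with what ComboFix actually removed in its "Other Deletions" section, where the same 29c85f directory and its MPC.ico icon appear, and with the Security Center entries that remain after cleanup.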


                  SuperDave

                  Re: Malware
                  « Reply #13 on: January 25, 2012, 12:28:17 PM »
                  SysProt Antirootkit

                  Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                  http://sites.google.com/site/sysprotantirootkit/

                  Unzip it into a folder on your desktop.
                  • Double click Sysprot.exe to start the program.
                  • Click on the Log tab.
                  • In the Write to log box select the following items.
                    • Process << Selected
                    • Kernel Modules << Selected
                    • SSDT << Selected
                    • Kernel Hooks << Selected
                    • IRP Hooks << NOT Selected
                    • Ports << NOT Selected
                    • Hidden Files << Selected
                  • At the bottom of the page
                    • Hidden Objects Only << Selected
                  • Click on the Create Log button on the bottom right.
                  • After a few seconds a new window should appear.
                  • Select Scan Root Drive. Click on the Start button.
                  • When it is complete a new window will appear to indicate that the scan is finished.
                  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

                  earmic


                    Re: Malware
                    « Reply #14 on: January 25, 2012, 03:18:05 PM »
                    Here is the antirootkit log:
                    SysProt AntiRootkit v1.0.1.0
                    by swatkat

                    ******************************************************************************************
                    ******************************************************************************************

                    No Hidden Processes found

                    ******************************************************************************************
                    ******************************************************************************************
                    Kernel Modules:
                    Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
                    Service Name: ---
                    Module Base: A89AE000
                    Module End: A89C6000
                    Hidden: Yes

                    Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                    Service Name: ---
                    Module Base: BA5B2000
                    Module End: BA5B4000
                    Hidden: Yes

                    ******************************************************************************************
                    ******************************************************************************************
                    SSDT:
                    Function Name: ZwAllocateVirtualMemory
                    Address: A8C4042C
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwAssignProcessToJobObject
                    Address: A8C3F928
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwConnectPort
                    Address: A8C3E64C
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateFile
                    Address: A8C45316
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateKey
                    Address: A8C47242
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreatePort
                    Address: A8C3E46A
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateProcess
                    Address: A8C3FEE8
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateProcessEx
                    Address: A8C3C978
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateSection
                    Address: A8C3C4F2
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateThread
                    Address: A8C3D634
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwDebugActiveProcess
                    Address: A8C3DD22
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwDuplicateObject
                    Address: A8C3E32C
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwLoadDriver
                    Address: A8C3F350
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwOpenFile
                    Address: A8C45694
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwOpenProcess
                    Address: A8165F3C
                    Driver Base: A8165000
                    Driver End: A8168000
                    Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                    Function Name: ZwOpenSection
                    Address: A8C3C7B4
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwOpenThread
                    Address: A8C3D8B0
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwProtectVirtualMemory
                    Address: A8C3F6DA
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwQueueApcThread
                    Address: A8C3FA44
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwRequestPort
                    Address: A8C3ECB0
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwRequestWaitReplyPort
                    Address: A8C3F018
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwRestoreKey
                    Address: A8C4510E
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwResumeThread
                    Address: A8C3E0CE
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSecureConnectPort
                    Address: A8C3E86E
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSetContextThread
                    Address: A8C3DBCC
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSetSystemInformation
                    Address: A8C400E0
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwShutdownSystem
                    Address: A8C3F28A
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSuspendProcess
                    Address: A8C3E1FE
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSuspendThread
                    Address: A8C3DF7A
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSystemDebugControl
                    Address: A8C3DE40
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwTerminateProcess
                    Address: A8CA2640
                    Driver Base: A8C98000
                    Driver End: A8CBA000
                    Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

                    Function Name: ZwTerminateThread
                    Address: A8166080
                    Driver Base: A8165000
                    Driver End: A8168000
                    Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                    Function Name: ZwUnloadDriver
                    Address: A8C3F518
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwWriteVirtualMemory
                    Address: A816611C
                    Driver Base: A8165000
                    Driver End: A8168000
                    Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                    ******************************************************************************************
                    ******************************************************************************************
                    No Kernel Hooks found

                    ******************************************************************************************
                    ******************************************************************************************
                    No hidden files/folders found
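A defender-side way to read a log in this SysProt format, added here as an example (not code from the thread or from SysProt's author): group the SSDT entries by the driver that owns each hook, flag hooks owned by a driver outside an allow-list of the security products installed on this machine (assumed here to be Online Armor's OADriver.sys, AVG's AVGIDSShim.Sys and SUPERAntiSpyware's SASKUTIL.SYS), check that each hook address lies inside the base/end range the log reports for its driver, and list hidden modules other than the dump_* crash-dump drivers. The embedded log is a constructed, shortened excerpt with one made-up driver name so the checks have something to report.

```python
import re
from collections import defaultdict

# Constructed, shortened excerpt in the SysProt log format; "example_unverified.sys"
# is a made-up driver so that the allow-list and address-range checks have a hit.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0

******************************************
******************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: A89AE000
Module End: A89C6000
Hidden: Yes

******************************************
******************************************
SSDT:
Function Name: ZwCreateFile
Address: A8C45316
Driver Base: A8C3C000
Driver End: A8C6D000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenProcess
Address: A8165F3C
Driver Base: A8165000
Driver End: A8168000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

Function Name: ZwSetValueKey
Address: B0020000
Driver Base: B0000000
Driver End: B0010000
Driver Name: \??\C:\WINDOWS\system32\drivers\example_unverified.sys

******************************************
******************************************
No Kernel Hooks found
"""

# Assumption: the security products known to hook the SSDT on this particular machine
# (Online Armor, AVG Identity Protection, SUPERAntiSpyware). Anything else gets flagged.
KNOWN_SECURITY_DRIVERS = {"oadriver.sys", "avgidsshim.sys", "saskutil.sys"}

BANNER = re.compile(r"^\*{10,}[ \t]*$", re.MULTILINE)


def split_sections(log_text):
    """Map each banner-delimited section header ('SSDT', 'Kernel Modules', ...) to its body."""
    sections = {}
    for chunk in BANNER.split(log_text):
        lines = chunk.strip().splitlines()
        if not lines:
            continue
        header = lines[0].strip()
        sections[header.rstrip(":")] = "\n".join(lines[1:]) if header.endswith(":") else ""
    return sections


def parse_records(body):
    """Parse blank-line-separated blocks of 'Key: Value' lines into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", body.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hooks_by_driver(log_text):
    """{driver path: sorted hooked Zw* functions} for the SSDT section."""
    grouped = defaultdict(list)
    for rec in parse_records(split_sections(log_text).get("SSDT", "")):
        grouped[rec["Driver Name"]].append(rec["Function Name"])
    return {drv: sorted(funcs) for drv, funcs in grouped.items()}


def ssdt_findings(log_text):
    """(kind, function, driver) tuples: hooks owned by a driver outside the allow-list,
    and hook addresses lying outside the base/end range the log gives for that driver."""
    findings = []
    for rec in parse_records(split_sections(log_text).get("SSDT", "")):
        drv, func = rec["Driver Name"], rec["Function Name"]
        addr, base, end = (int(rec[k], 16) for k in ("Address", "Driver Base", "Driver End"))
        if basename(drv) not in KNOWN_SECURITY_DRIVERS:
            findings.append(("unlisted-driver", func, drv))
        if not base <= addr < end:
            findings.append(("address-outside-driver", func, drv))
    return findings


def suspicious_hidden_modules(log_text):
    """Hidden kernel modules other than the dump_* crash-dump stack drivers, which
    anti-rootkit tools routinely report as hidden on clean XP (treated as benign here)."""
    return [rec["Module Name"]
            for rec in parse_records(split_sections(log_text).get("Kernel Modules", ""))
            if rec.get("Hidden") == "Yes" and not basename(rec["Module Name"]).startswith("dump_")]
```

Run against the full log above, every hook resolves to one of the three listed security drivers and only the two dump_* modules are hidden, which is why the helper moved on rather than treating this log as evidence of a rootkit.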

SuperDave
Re: Malware
« Reply #15 on: January 26, 2012, 12:30:12 PM »
                    How's your computer working now?

                    I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
• Click on to download the ESET Smart Installer. Save it to your desktop.
• Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
                    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
earmic
Re: Malware
« Reply #16 on: January 26, 2012, 03:43:45 PM »
At this point, I'm not seeing much of any change. My Google homepage is still going to UK, Latvia, or maybe some other 10-letter name, despite the Google homepage on my Internet Options page. When entering site addresses from my regular homepage, which does come up if I select it on the favorites list, I'm redirected to an 'Ask the crew' site and not where I want to go. I'm downloading the ESET online scanner and will post the log when I'm done. I don't see the 'Ask' toolbar on my screen and can't find any mention of it in the Add/Remove Programs page.

earmic
Re: Malware
« Reply #17 on: January 26, 2012, 06:19:59 PM »
I ran the ESET scan and it found two threats, both trojans, and cleaned them. I couldn't find the first log (sorry), so I ran it again; this time it didn't find anything. In the meantime I found the first log and post it here. After disinfection, I'm still being redirected and hijacked when I enter an address on my homepage.
                        ESETSmartInstaller@High as CAB hook log:
                        OnlineScanner.ocx - registred OK
                        # version=7
                        # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
                        # OnlineScanner.ocx=1.0.0.6583
                        # api_version=3.0.2
                        # EOSSerial=3fb132dba621784f9af12f29bfd21ebe
                        # end=finished
                        # remove_checked=true
                        # archives_checked=true
                        # unwanted_checked=true
                        # unsafe_checked=false
                        # antistealth_checked=true
                        # utc_time=2012-01-26 11:50:58
                        # local_time=2012-01-26 06:50:58 (-0500, Eastern Standard Time)
                        # country="United States"
                        # lang=1033
                        # osver=5.1.2600 NT Service Pack 3
                        # compatibility_mode=512 16777215 100 0 18744783 18744783 0 0
                        # compatibility_mode=1024 16777175 100 0 10194265 10194265 0 0
                        # compatibility_mode=6401 16777213 66 100 0 6531006 0 0
                        # compatibility_mode=8192 67108863 100 0 0 0 0 0
                        # scanned=97723
                        # found=2
                        # cleaned=2
                        # scan_time=4022
                        C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\29c85f\71.mof.vir   Win32/RogueAV.A trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
                        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177\A0052181.mof   Win32/RogueAV.A trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
                        esets_scanner_update returned -1 esets_gle=53251
                        esets_scanner_update returned -1 esets_gle=53251
                        esets_scanner_update returned -1 esets_gle=53251

SuperDave
Re: Malware
« Reply #18 on: January 27, 2012, 12:08:47 PM »
* Go to Start > Run and type mrt.exe then press Enter on the keyboard.
* (Vista and Windows 7 users go to Start and type mrt.exe in the search box then press Enter on the keyboard.)
                        * Click Next.
                        * Choose Full Scan and click Next.
                        * Once the scan is finished click View detailed results of the scan.

                        Look through the list and let me know if anything was found infected.
                        *********************************************************
                        Save these instructions so you can have access to them while in Safe Mode.

                        Please click here to download AVP Tool by Kaspersky.
                        • Save it to your desktop.
                        • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
                        • Double click the setup file to run it.
                        • Click Next to continue.
                        • Accept the License agreement and click on next.
                        • It will, by default, install it to your desktop folder. Click Next.
                        • It will then open a box There will be a tab that says Automatic scan.
                        • Under Automatic scan make sure these are checked.
                        • Hidden Startup Objects
                        • System Memory
                        • Disk Boot Sectors.
                        • My Computer.
                        • Also any other drives (Removable that you may have)
                        Leave the rest of the settings as they appear as default.
• Then click on Scan at the top right-hand corner.
• It will automatically Neutralize any objects found.
• If some objects are left un-neutralized then click the button that says Neutralize all.
• If it says it cannot be neutralized then choose the delete option when prompted.
• After that is done click on the reports button at the bottom and save it to file; name it Kas.
• Save it somewhere convenient like your desktop and post only the detected virus/malware in the report; it will be at the very top under Detected. Post those results in your next reply.

                        Note: This tool will self uninstall when you close it so please save the log before closing it.
earmic
Re: Malware
« Reply #19 on: January 27, 2012, 08:49:20 PM »
The mrt.exe scan found no infections. Did the AVP from Kaspersky; it also found no threats. Posted the log, only the top part as you asked; the whole thing says OK down through it. Things seem to be okay now, for the moment; I'm not being redirected anywhere and all seems okay. Wait and see seems to be the path to follow, so unless you have anything else and nothing happens over the weekend, I'll update Monday and hope for the best. I'll continue to run scans with AVG, SAS, MBAM etc. and check HijackThis.
                          Automatic Scan: completed 4 minutes ago   (events: 326806, objects: 327327, time: 02:31:06)   
                          1/27/2012 10:00:59 PM   Task completed         
                          1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.Wrapper.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_x-ww_c7dad023\GdiPlus.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:58 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:57 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:56 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\GdiPlus.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:56 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:56 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:56 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:56 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcirt.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:55 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:55 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:55 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:55 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcirt.dll   Object was not changed (iChecker)   
                          1/27/2012 10:00:55 PM   OK   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll   Object was not changed (iChecker)

SuperDave
Re: Malware
« Reply #20 on: January 28, 2012, 11:50:51 AM »
                          Quote
                          I'll update Monday and hope for the best.  I'll continue to run scans AVG, SAS, MBAM
                          That sounds like a good idea. I'll watch for your post.
earmic
Re: Malware
« Reply #21 on: January 29, 2012, 02:28:28 PM »
Alas, the problem persists. Internet searches reveal that this seems to be a rogue trojan that is hard for antivirus and malware scanners to pick up. I'm still being redirected a lot of the time. I'll scan everything again with updated everything I've got and see what happens. This process takes 5-6 hours.

SuperDave
Re: Malware
« Reply #22 on: January 29, 2012, 07:23:39 PM »
                            Please update and run another scan with SAS and post the log.

                            Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

On completion of the scan click save log, save it to your desktop and post in your next reply
earmic
Re: Malware
« Reply #23 on: January 30, 2012, 06:05:50 PM »
Thank you for your patience. Here are the two logs: SAS was updated and immediately scanned, then I did the aswMBR scan. I haven't touched anything yet. Two things on the aswMBR scan: 19:34:59.421 is yellow and 19:35:05.375 ntkrnlpa... is red.
                              SUPERAntiSpyware Scan Log
                              http://www.superantispyware.com

                              Generated 01/30/2012 at 06:51 PM

                              Application Version : 5.0.1142

                              Core Rules Database Version : 8182
                              Trace Rules Database Version: 5994

                              Scan type       : Complete Scan
                              Total Scan Time : 00:44:33

                              Operating System Information
                              Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
                              Administrator

                              Memory items scanned      : 406
                              Memory threats detected   : 0
                              Registry items scanned    : 24127
                              Registry threats detected : 0
                              File items scanned        : 94825
                              File threats detected     : 0

                              MBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
                              Run date: 2012-01-30 19:24:08
                              -----------------------------
                              19:24:08.234    OS Version: Windows 5.1.2600 Service Pack 3
                              19:24:08.234    Number of processors: 2 586 0x403
                              19:24:08.234    ComputerName: D7SXQY91  UserName: Earl
                              19:24:17.750    Initialize success
                              19:34:40.781    AVAST engine defs: 12013000
                              19:34:44.656    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
                              19:34:44.656    Disk 0 Vendor: ST3808110AS 3.ADH Size: 76293MB BusType: 3
                              19:34:44.671    Disk 0 MBR read successfully
                              19:34:44.671    Disk 0 MBR scan
                              19:34:44.703    Disk 0 unknown MBR code
                              19:34:44.703    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       39 MB offset 63
                              19:34:44.718    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        72990 MB offset 80325
                              19:34:44.750    Disk 0 Partition 3 00     DB  CP/M / CTOS Dell 8.0     3255 MB offset 149565150
                              19:34:44.781    Disk 0 scanning sectors +156232125
                              19:34:44.890    Disk 0 scanning C:\WINDOWS\system32\drivers
                              19:34:59.093    Service scanning
                              19:34:59.421    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
                              19:35:00.296    Modules scanning
                              19:35:05.343    Disk 0 trace - called modules:
                              19:35:05.375    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8af9dfa9]<<
                              19:35:05.375    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b079ab8]
                              19:35:05.375    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8b0afd98]
                              19:35:05.781    AVAST engine scan C:\WINDOWS
                              19:35:10.718    AVAST engine scan C:\WINDOWS\system32
                              19:37:41.890    AVAST engine scan C:\WINDOWS\system32\drivers
                              19:37:57.562    AVAST engine scan C:\Documents and Settings\Earl
                              19:40:00.296    AVAST engine scan C:\Documents and Settings\All Users
                              19:41:12.703    Scan finished successfully
                              19:53:51.750    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Earl\Desktop\MBR.dat"
                              19:53:51.812    The log file has been saved successfully to "C:\Documents and Settings\Earl\

SuperDave
Re: Malware
« Reply #24 on: January 30, 2012, 07:29:44 PM »
                              Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

                              Link 1
                              Link 2
                              Link 3

• Double-click on MBRCheck.exe to run it.
• It will open a black window... please do not fix anything (if it gives you an option).
• When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
• A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
• Please copy and paste the contents of that log in your next reply.
earmic
Re: Malware
« Reply #25 on: January 31, 2012, 02:13:59 AM »
                                MBR log:
                                MBRCheck, version 1.2.3
                                (c) 2010, AD

                                Command-line:         
                                Windows Version:      Windows XP Home Edition
                                Windows Information:      Service Pack 3 (build 2600)
                                Logical Drives Mask:      0x0000000d

                                Kernel Drivers (total 140):

                                Processes (total 33):
                                       0 System Idle Process
                                       4 System
                                     496 C:\WINDOWS\system32\smss.exe
                                     528 C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
                                     560 C:\Program Files\AVG\AVG2012\avgcsrvx.exe
                                     752 csrss.exe
                                     776 C:\WINDOWS\system32\winlogon.exe
                                     836 C:\WINDOWS\system32\services.exe
                                     848 C:\WINDOWS\system32\lsass.exe
                                    1020 C:\WINDOWS\system32\svchost.exe
                                    1068 svchost.exe
                                    1148 C:\WINDOWS\system32\svchost.exe
                                    1272 svchost.exe
                                    1308 svchost.exe
                                    1400 C:\Program Files\Online Armor\oacat.exe
                                    1516 C:\Program Files\Online Armor\oasrv.exe
                                    1668 C:\WINDOWS\explorer.exe
                                    1912 C:\WINDOWS\system32\spoolsv.exe
                                    1796 svchost.exe
                                     144 C:\Program Files\AVG\AVG2012\avgwdsvc.exe
                                    1508 C:\WINDOWS\system32\svchost.exe
                                    2176 wdfmgr.exe
                                    2472 C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
                                    2756 C:\Program Files\AVG\AVG2012\avgnsx.exe
                                    2836 C:\Program Files\AVG\AVG2012\avgemcx.exe
                                    3460 alg.exe
                                    3852 C:\Program Files\AVG\AVG2012\avgtray.exe
                                    4000 C:\Program Files\Online Armor\oaui.exe
                                    2884 C:\Program Files\Online Armor\oahlp.exe
                                    2648 C:\WINDOWS\system32\wuauclt.exe
                                    2448 C:\Program Files\Internet Explorer\iexplore.exe
                                    3308 C:\Program Files\Internet Explorer\iexplore.exe
                                    5384 C:\Documents and Settings\Earl\Desktop\MBRCheck.exe

                                \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00  (NTFS)

                                PhysicalDrive0 Model Number: ST3808110AS, Rev: 3.ADH   

                                      Size  Device Name          MBR Status
                                  --------------------------------------------
                                     74 GB  \\.\PhysicalDrive0   Unknown MBR code
            SHA1: BF118E4CFC2D7C7489A85AC7AD11D2A979F74824


                                Found non-standard or infected MBR.
                                Enter 'Y' and hit ENTER for more options, or 'N' to exit:
                                Options:
                                  [1] Dump the MBR of a physical disk to file.
                                  [2] Restore the MBR of a physical disk with a standard boot code.
                                  [3] Exit.

                                Enter your choice:

                                Done!

SuperDave
• Malware Removal Specialist
• Moderator
• Genius
• Thanked: 1020
• Experience: Expert
• OS: Windows 10
Re: Malware
« Reply #26 on: January 31, 2012, 11:31:11 AM »

Earlier on ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the Windows XP bootup)

When you get to the above screen, take note of the number that references your operating system.

If it's '1' like the picture above, type 1 and press Enter

Next type FIXMBR

If it asks if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.

With that done, please post back and let me know how things are now.

earmic
• Topic Starter
• Beginner
Re: Malware
« Reply #27 on: January 31, 2012, 02:59:01 PM »
                                  It's absolutely amazing... no redirections at all! I'm going to try a few of the sites this evening, thank you thank you, I'll let you know.

earmic
• Topic Starter
• Beginner
Re: Malware
« Reply #28 on: January 31, 2012, 06:26:26 PM »
Well that lasted about 20 minutes.  Back where we started.  UK, Latvia, Spain...

SuperDave
• Malware Removal Specialist
• Moderator
• Genius
• Thanked: 1020
• Experience: Expert
• OS: Windows 10
Re: Malware
« Reply #29 on: February 01, 2012, 12:15:16 PM »
                                    Please run MBRCheck.exe again and post the log.

earmic
• Topic Starter
• Beginner
Re: Malware
« Reply #30 on: February 01, 2012, 03:38:59 PM »
                                      Here is the aswMBR log:
                                      17:26:26.656 is yellow and 17:26:32.015 is red.
                                      aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
                                      Run date: 2012-02-01 16:51:05
                                      -----------------------------
                                      16:51:05.312    OS Version: Windows 5.1.2600 Service Pack 3
                                      16:51:05.312    Number of processors: 2 586 0x403
                                      16:51:05.312    ComputerName: D7SXQY91  UserName: Earl
                                      16:51:05.625    Initialize success
                                      17:00:43.890    AVAST engine defs: 12020100
                                      17:26:14.093    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
                                      17:26:14.093    Disk 0 Vendor: ST3808110AS 3.ADH Size: 76293MB BusType: 3
                                      17:26:14.109    Disk 0 MBR read successfully
                                      17:26:14.109    Disk 0 MBR scan
                                      17:26:14.171    Disk 0 Windows XP default MBR code
                                      17:26:14.171    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       39 MB offset 63
                                      17:26:14.203    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        72990 MB offset 80325
                                      17:26:14.218    Disk 0 Partition 3 00     DB  CP/M / CTOS Dell 8.0     3255 MB offset 149565150
                                      17:26:14.234    Disk 0 scanning sectors +156232125
                                      17:26:14.296    Disk 0 scanning C:\WINDOWS\system32\drivers
                                      17:26:26.390    Service scanning
                                      17:26:26.656    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
                                      17:26:27.453    Modules scanning
                                      17:26:31.968    Disk 0 trace - called modules:
                                      17:26:32.015    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8ad9a6d9]<<
                                      17:26:32.015    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b09eab8]
                                      17:26:32.015    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8b085d98]
                                      17:26:32.250    AVAST engine scan C:\WINDOWS
                                      17:26:39.515    AVAST engine scan C:\WINDOWS\system32
                                      17:29:14.718    AVAST engine scan C:\WINDOWS\system32\drivers
                                      17:29:30.359    AVAST engine scan C:\Documents and Settings\Earl
                                      17:33:18.328    AVAST engine scan C:\Documents and Settings\All Users
                                      17:35:10.703    Scan finished successfully
                                      17:35:42.359    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Earl\Desktop\MBR.dat"
                                      17:35:42.359    The log file has been saved successfully to "C:\Documents and Settings\Earl\Desktop\aswMBR1.txt"
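A small triage script for the two log formats posted in this thread (the MBRCheck log in Reply #25 and the aswMBR log above), added here as an example and not a tool from the thread or from either vendor. It flags the lines aswMBR colours yellow and red and the MBR-status lines MBRCheck prints, and cross-checks that the byte offset MBRCheck reports for C: matches the sector offset of the active partition in aswMBR's partition table; the sample log excerpts are constructed from the lines above, with the SHA1 line left out.

```python
"""Triage for MBRCheck and aswMBR logs like the ones in this thread: flags the
lines a helper reads first and cross-checks the boot-volume offset reported by
both tools. Added example, not a tool from the thread."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

SECTOR_BYTES = 512
LEVEL_ORDER = {"info": 0, "warning": 1, "alert": 2}

class Partition(NamedTuple):
    disk: int
    active: bool         # "(A)" in the log: boot indicator byte 0x80
    type_id: str         # partition type byte, "07" = NTFS
    offset_sectors: int  # LBA of the partition's first sector

# (tool, pattern, level): the literal strings the tools print. **LOCKED** and
# >>UNKNOWN<< are the lines aswMBR colours yellow and red.
RULES = [
    ("MBRCheck", re.compile(r"Unknown MBR code"), "alert"),
    ("MBRCheck", re.compile(r"Found non-standard or infected MBR"), "alert"),
    ("aswMBR", re.compile(r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<"), "alert"),
    ("aswMBR", re.compile(r"\*\*LOCKED\*\*"), "warning"),
    ("aswMBR", re.compile(r"Disk \d+ Windows .* default MBR code"), "info"),
]
# MBRCheck: \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00  (NTFS)
VOLUME_RE = re.compile(r"\\\\\.\\(\w): --> \\\\\.\\PhysicalDrive(\d+) at offset "
                       r"0x([0-9A-Fa-f]{8})`([0-9A-Fa-f]{8})")
# aswMBR: Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        72990 MB offset 80325
PARTITION_RE = re.compile(r"Disk (\d+) Partition \d+ [0-9A-F]{2}\s+(\(A\)\s+)?"
                          r"([0-9A-F]{2})\s+.*?\s+\d+ MB offset (\d+)$")

def detect_tool(text: str) -> Optional[str]:
    head = text.lstrip()
    if head.startswith("MBRCheck, version"):
        return "MBRCheck"
    if head.startswith("aswMBR version"):
        return "aswMBR"
    return None

def triage(text: str) -> List[Tuple[str, str]]:
    """Return (level, line) for every line worth a second look, in log order."""
    tool = detect_tool(text)
    if tool is None:
        raise ValueError("not an MBRCheck or aswMBR log")
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for rule_tool, pattern, level in RULES:
            if rule_tool == tool and pattern.search(line):
                findings.append((level, line))
                break
    return findings

def worst_level(findings: List[Tuple[str, str]]) -> str:
    return max((level for level, _ in findings), key=LEVEL_ORDER.get, default="clean")

def mbrcheck_volume_offsets(text: str) -> Dict[str, Tuple[int, int]]:
    """Drive letter -> (disk number, byte offset of that volume on the disk)."""
    return {m.group(1): (int(m.group(2)), int(m.group(3) + m.group(4), 16))
            for m in VOLUME_RE.finditer(text)}

def aswmbr_partitions(text: str) -> List[Partition]:
    parts = []
    for raw in text.splitlines():
        m = PARTITION_RE.search(raw.strip())
        if m:
            parts.append(Partition(int(m.group(1)), m.group(2) is not None,
                                   m.group(3), int(m.group(4))))
    return parts

def boot_volume_consistent(mbrcheck_text: str, aswmbr_text: str) -> bool:
    """True when each volume MBRCheck maps to a disk starts exactly where aswMBR
    says that disk's single active partition starts; anything else deserves a
    closer look before the MBR is rewritten."""
    parts = aswmbr_partitions(aswmbr_text)
    for disk, offset_bytes in mbrcheck_volume_offsets(mbrcheck_text).values():
        active = [p for p in parts if p.disk == disk and p.active]
        if len(active) != 1 or active[0].offset_sectors * SECTOR_BYTES != offset_bytes:
            return False
    return True

# Constructed excerpts in the shape of the logs above (replies #25 and #30);
# the SHA1 line is left out rather than copied.
MBRCHECK_SAMPLE = r"""MBRCheck, version 1.2.3
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00  (NTFS)
     74 GB  \\.\PhysicalDrive0   Unknown MBR code
Found non-standard or infected MBR.
"""
ASWMBR_SAMPLE = r"""aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
17:26:14.171    Disk 0 Windows XP default MBR code
17:26:14.171    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       39 MB offset 63
17:26:14.203    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        72990 MB offset 80325
17:26:14.218    Disk 0 Partition 3 00     DB  CP/M / CTOS Dell 8.0     3255 MB offset 149565150
17:26:26.656    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
17:26:32.015    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8ad9a6d9]<<
17:35:10.703    Scan finished successfully
"""
```

On the excerpts above the MBRCheck volume offset (0x02738a00 bytes) equals the active partition's offset of 80325 sectors times 512, so the two tools agree on where the Windows volume starts even though MBRCheck does not recognise the boot code.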

SuperDave
• Malware Removal Specialist
• Moderator
• Genius
• Thanked: 1020
• Experience: Expert
• OS: Windows 10
Re: Malware
« Reply #31 on: February 01, 2012, 04:54:52 PM »
                                      Please run the MBR check in Reply # 24

earmic
• Topic Starter
• Beginner
Re: Malware
« Reply #32 on: February 02, 2012, 03:16:50 PM »
Okay, how's this...
                                        MBRCheck, version 1.2.3
                                        (c) 2010, AD

                                        Command-line:         
                                        Windows Version:      Windows XP Home Edition
                                        Windows Information:      Service Pack 3 (build 2600)
                                        Logical Drives Mask:      0x0000000d

                                        Kernel Drivers (total 140):
                                          0xA81A4000 \SystemRoot\system32\DRIVERS\srv.sys
                                          0xBA390000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
                                          0xA8044000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
                                          0xA7C6B000 \SystemRoot\System32\Drivers\HTTP.sys
                                          0xA7379000 \SystemRoot\system32\drivers\kmixer.sys
                                          0x7C900000 \WINDOWS\system32\ntdll.dll

                                        Processes (total 38):
                                               0 System Idle Process
                                               4 System
                                             512 C:\WINDOWS\system32\smss.exe
                                             544 C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
                                             576 C:\Program Files\AVG\AVG2012\avgcsrvx.exe
                                             780 csrss.exe
                                             812 C:\WINDOWS\system32\winlogon.exe
                                             856 C:\WINDOWS\system32\services.exe
                                             868 C:\WINDOWS\system32\lsass.exe
                                            1044 C:\WINDOWS\system32\svchost.exe
                                            1092 svchost.exe
                                            1172 C:\WINDOWS\system32\svchost.exe
                                            1300 svchost.exe
                                            1348 svchost.exe
                                            1672 C:\WINDOWS\explorer.exe
                                            1748 C:\Program Files\Online Armor\oacat.exe
                                            1780 C:\Program Files\Online Armor\oasrv.exe
                                             748 C:\WINDOWS\system32\spoolsv.exe
                                            2112 svchost.exe
                                            2344 C:\Program Files\AVG\AVG2012\avgwdsvc.exe
                                            2852 C:\WINDOWS\system32\svchost.exe
                                            3164 wdfmgr.exe
                                            3376 C:\WINDOWS\system32\wuauclt.exe
                                            3512 C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
                                            3788 C:\Program Files\AVG\AVG2012\avgnsx.exe
                                            3880 C:\Program Files\AVG\AVG2012\avgemcx.exe
                                            2588 alg.exe
                                            3276 C:\Program Files\AVG\AVG2012\avgtray.exe
                                            3340 C:\Program Files\Online Armor\oaui.exe
                                            4076 C:\Program Files\Online Armor\oahlp.exe
                                            2176 C:\WINDOWS\system32\svchost.exe
                                            1744 wmiprvse.exe
                                            4200 C:\Program Files\Internet Explorer\iexplore.exe
                                            4296 C:\Program Files\Internet Explorer\iexplore.exe
                                            5256 C:\Program Files\Internet Explorer\iexplore.exe
                                            5532 C:\Program Files\Internet Explorer\iexplore.exe
                                            2572 C:\Program Files\AVG\AVG2012\avgmfapx.exe
                                            2388 C:\Documents and Settings\Earl\Desktop\MBRCheck.exe

                                        \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00  (NTFS)

                                        PhysicalDrive0 Model Number: ST3808110AS, Rev: 3.ADH   

                                              Size  Device Name          MBR Status
                                          --------------------------------------------
                                             74 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
                                                    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


                                        Done!

                                        SuperDave

                                        Re: Malware
                                        « Reply #33 on: February 03, 2012, 12:09:03 PM »
                                        Now that the MBR code is repaired please update and run scans with SAS and MBAM and post the logs.
                                        Windows 8 and Windows 10 dual boot with two SSD's

                                        earmic

                                          Re: Malware
                                          « Reply #34 on: February 03, 2012, 05:23:54 PM »
                                          Updated and ran SAS, then MBAM
                                          Administrator

                                          Memory items scanned      : 403
                                          Memory threats detected   : 0
                                          Registry items scanned    : 35444
                                          Registry threats detected : 1
                                          File items scanned        : 96553
                                          File threats detected     : 51

                                          Adware.SelectRebates
                                             C:\Program Files\SELECTREBATES\FFToolbar\chrome\sahtoolbar.jar
                                             C:\Program Files\SELECTREBATES\FFToolbar\chrome
                                             C:\Program Files\SELECTREBATES\FFToolbar\chrome.manifest
                                             C:\Program Files\SELECTREBATES\FFToolbar\defaults\preferences\sahtoolbar.js
                                             C:\Program Files\SELECTREBATES\FFToolbar\defaults\preferences
                                             C:\Program Files\SELECTREBATES\FFToolbar\defaults
                                             C:\Program Files\SELECTREBATES\FFToolbar\install.rdf
                                             C:\Program Files\SELECTREBATES\FFToolbar
                                             C:\Program Files\SELECTREBATES\SahImages\alert.png
                                             C:\Program Files\SELECTREBATES\SahImages\check.png
                                             C:\Program Files\SELECTREBATES\SahImages\close.png
                                             C:\Program Files\SELECTREBATES\SahImages
                                             C:\Program Files\SELECTREBATES\SelectAlerts.dat
                                             C:\Program Files\SELECTREBATES\SelectRebates.exe
                                             C:\Program Files\SELECTREBATES\SelectRebates.ini
                                             C:\Program Files\SELECTREBATES\SelectRebatesA.dat
                                             C:\Program Files\SELECTREBATES\SelectRebatesApi.exe
                                             C:\Program Files\SELECTREBATES\SelectRebatesB.dat
                                             C:\Program Files\SELECTREBATES\SelectRebatesBT.dat
                                             C:\Program Files\SELECTREBATES\SelectRebatesDownload.exe
                                             C:\Program Files\SELECTREBATES\SelectRebatesUninstall.exe
                                             C:\Program Files\SELECTREBATES\SRebates.dll
                                             C:\Program Files\SELECTREBATES\SRFF3.dll
                                             C:\Program Files\SELECTREBATES\Toolbar\AddtoList.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\basis.xml
                                             C:\Program Files\SELECTREBATES\Toolbar\Basis.xml.dym
                                             C:\Program Files\SELECTREBATES\Toolbar\Blank.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\Cache
                                             C:\Program Files\SELECTREBATES\Toolbar\CashBack.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\Coupons.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\GroceryCoupon.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\icons.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\ImageCache
                                             C:\Program Files\SELECTREBATES\Toolbar\i_magnifying.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\logo.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\logo_24.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\logo_HotSpots.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\ReviewSite.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\RightControls.dym
                                             C:\Program Files\SELECTREBATES\Toolbar\sahtb-alert.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\sahtb-go.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\sahtb-grocerycoupons.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\sahtb-icons.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\sahtb-restaurant.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\sahtb-wishlist.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar\Scissors.bmp
                                             C:\Program Files\SELECTREBATES\Toolbar
                                             C:\Program Files\SELECTREBATES
                                             C:\WINDOWS\Prefetch\SELECTREBATES.EXE-072AFA89.pf
                                             C:\WINDOWS\Prefetch\SELECTREBATESDOWNLOAD.EXE-053B5128.pf

                                          Adware.ShopAtHomeSelect
                                             HKU\S-1-5-21-2856773612-2364928292-2262524725-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}

                                          Adware.CouponBar
                                             C:\WINDOWS\SYSTEM32\CPNPRT2.CID

                                          Malwarebytes Anti-Malware 1.60.1.1000
                                          www.malwarebytes.org

                                          Database version: v2012.02.03.10

                                          Windows XP Service Pack 3 x86 NTFS
                                          Internet Explorer 8.0.6001.18702
                                          Earl :: D7SXQY91 [administrator]

                                          2/3/2012 6:11:17 PM
                                          mbam-log-2012-02-03 (18-11-17).txt

                                          Scan type: Full scan
                                          Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
                                          Scan options disabled: P2P
                                          Objects scanned: 270947
                                          Time elapsed: 37 minute(s), 22 second(s)

                                          Memory Processes Detected: 0
                                          (No malicious items detected)

                                          Memory Modules Detected: 0
                                          (No malicious items detected)

                                          Registry Keys Detected: 0
                                          (No malicious items detected)

                                          Registry Values Detected: 0
                                          (No malicious items detected)

                                          Registry Data Items Detected: 0
                                          (No malicious items detected)

                                          Folders Detected: 0

                                          SuperDave

                                          Re: Malware
                                          « Reply #35 on: February 03, 2012, 07:27:41 PM »
                                          Thanks. How's your computer working now?

                                          earmic

                                            Re: Malware
                                            « Reply #36 on: February 04, 2012, 07:54:09 AM »
                                            No real change.  This thing continues to make an appearance at random times.  You know, this computer isn't that far out of the box, it doesn't have any photos, files of any major concern, or anything that I can't afford to lose.  I have a WD backup that's been off now for 2 months so I know it's clean and it has got anything I might need on it.  This Dell has the "out of the box" option which will wipe the HD clean except the Windows XP I think. I've got to go back in and read about it again.  I used it when I inherited it to begin with.  I'm now beginning to think this might be the final solution.  If I wipe this clean and start it "right out of the box", except for the OS, will the malware/virus survive?  Does it hide there, among other places?  You are welcome to try a few other things, and I have plenty of time to do them.  But like I said, I don't depend on this machine every day for anything.

                                            SuperDave

                                            Re: Malware
                                            « Reply #37 on: February 04, 2012, 11:50:08 AM »
                                            If you have nothing to lose, doing a Recovery would be the best option.

                                            earmic

                                              Re: Malware
                                              « Reply #38 on: February 04, 2012, 08:04:07 PM »
                                              Okay, I'll give it a try... thanks

                                              SuperDave

                                              Re: Malware
                                              « Reply #39 on: February 05, 2012, 11:51:03 AM »
                                              Okay, I'll give it a try... thanks
                                              Please let me know the results.

                                              earmic

                                                Re: Malware
                                                « Reply #40 on: February 10, 2012, 01:05:23 PM »
                                                Dave,
                                                  I wiped the drive and upgraded to Windows 7.  Reinstalled AVG, MBAM, SAS, Online Armor.  Everything normal, "been a week now, ain't been sick once."  Thanks, now that I have a disk, it'll be easier next time.

                                                SuperDave

                                                Re: Malware
                                                « Reply #41 on: February 10, 2012, 07:43:55 PM »
                                                Dave,
                                                  I wiped the drive and upgraded to Windows 7.  Reinstalled AVG, MBAM, SAS, Online Armor.  Everything normal, "been a week now, ain't been sick once."  Thanks, now that I have a disk, it'll be easier next time.
                                                You're welcome. You'll be happy with Windows 7. I will lock this thread. If you need it re-opened, please send me a pm.