WiredWX Christian Hobby Weather Tools

ebay paypal redirect/hijack

3 posters

Re: ebay paypal redirect/hijack

Let's try and slaughter it.

Please open Notepad and enter in the following:
@echo off
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
net stop RDSessMgr
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d ^%systemroot^%\System32\termsrv.dll /f
pause
del c:\windows\system32\termsrv32.dll
mbr -t > log.txt
start log.txt
exit

Then, click File > Save as...
Save as file.bat to your Desktop.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on file.bat, and it will finish quickly and launch a log (log.txt).

Please post that in your next reply.

===================================

Then run the HelpAsst_mebroot_fix again, three times. At the end of the third run, please post the log from it along with the log from above.

Re: ebay paypal redirect/hijack

The first time I ran the HelpAsst_mebroot_fix it said "Please wait" and sat for about 10 minutes, then blue screen of death.

I rebooted & ran it again 3 times and below is the log.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8880BF28]<<
kernel: MBR read successfully
user & kernel MBR OK


C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Sat 05/01/2010 at 23:32:50.67

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1844237615-1409082233-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.LINDAS.000 ~ attempting to remove

~ Not all HelpAssistant files sucessfully removed ~
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWSPLI~2.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWSTYL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTABL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTEXT~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTIME~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\FILEPA~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\SITEPA~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus\DWANCH~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus\DWAPPL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1
Remove on reboot: C:\Documents and Settings\HelpAssistant.LINDAS.000


~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:37:55.29

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:38:48.73

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:39:13.32

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Re: ebay paypal redirect/hijack

Good progress.

Please open Notepad and enter in the following:
@echo off
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
net stop RDSessMgr
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
mbr -f
pause
net user HelpAssistant > log.txt
mbr -t >> log.txt
pause
start log.txt
exit

Then, click File > Save as...
Save as check.bat to your Desktop.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on check.bat, and it will finish quickly and launch a log (log.txt).

Please post that in your next reply.

Re: ebay paypal redirect/hijack

Ok... here you go...

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 5/1/2010 11:32 PM
Password expires Never
Password changeable 5/1/2010 11:32 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/1/2010 11:32 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK
Right On!

Re: ebay paypal redirect/hijack

Now, let's see if it is gone, before we try to delete the HelpAssistant account.

Please download HAMeb_check.exe and save it to your desktop.

  • Double-click on HAMeb_check.exe to run the utility and it will create a log.
  • Copy and paste the contents of that log in your next reply.

Re: ebay paypal redirect/hijack

ok... here is the log...

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Sun 05/02/2010 at 18:31:57.81

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~
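The log above is the point where the clean-up visibly failed to hold: termsrv32.dll and the 3389 firewall openings are back even though the account stayed inactive. As an added example (not part of the thread, and not the HAMeb_check tool's own code), here is a small Python triage helper that parses the sections HAMeb_check prints into indicators and diffs a clean run against a later run, so whatever came back after remediation stands out. The field names and the two embedded sample logs are constructed from the log format shown in this thread.

```python
# Triage helper for HAMeb_check-style logs (added example, not the thread's or
# the tool's own code). Field names below are my own choice.
import re

# Constructed sample in the format of the HAMeb_check log quoted above (blank
# lines omitted; the parser skips them anyway).
SAMPLE_DIRTY = """\
Account active No
Local Group Memberships
~~ Checking mbr ~~
user & kernel MBR OK
~~ Checking for termsrv32.dll ~~
termsrv32.dll present!
HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\termservice\\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\\System32\\termsrv32.dll
~~ Checking firewall ports ~~
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\DomainProfile\\GloballyOpenPorts\\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
~~ EOF ~~
"""

# Constructed sample modelled on the clean status checks earlier in the thread.
SAMPLE_CLEAN = """\
Account active No
Local Group Memberships
~~ Checking mbr ~~
user & kernel MBR OK
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\termservice\\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\\System32\\termsrv.dll
~~ Checking firewall ports ~~
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\domainprofile\\GloballyOpenPorts\\List]
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
~~ EOF ~~
"""

# The legitimate TermService ServiceDll on XP; compared case-insensitively as a suffix.
EXPECTED_SERVICEDLL = r"\system32\termsrv.dll"
SECTION_RE = re.compile(r"~~ (.+?) ~~$")


def parse_log(text):
    """Extract the indicators HAMeb_check reports into a flat dict."""
    f = {"account_active": False, "helpassistant_admin": False,
         "termsrv32_present": False, "servicedll": None,
         "open_ports": [], "mbr_ok": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                  # e.g. "~~ Checking mbr ~~"
            section = m.group(1).lower()
            continue
        if line.startswith("Account active"):
            f["account_active"] = line.split()[-1].lower() == "yes"
        elif line.startswith("Local Group Memberships"):
            f["helpassistant_admin"] = "administrators" in line.lower()
        elif line.lower() == "termsrv32.dll present!":
            f["termsrv32_present"] = True
        elif line.startswith("ServiceDll"):
            f["servicedll"] = line.split()[-1]
        elif "MBR OK" in line:
            f["mbr_ok"] = True
        elif section == "checking firewall ports" and line.startswith('"'):
            f["open_ports"].append(line.split("=", 1)[0].strip('"'))
    return f


def findings(f):
    """Map parsed fields to the indicators the helpers in this thread act on."""
    out = []
    if f["account_active"]:
        out.append("HelpAssistant account is active")
    if f["helpassistant_admin"]:
        out.append("HelpAssistant is in the Administrators group")
    if f["termsrv32_present"]:
        out.append("termsrv32.dll present in System32")
    sd = f["servicedll"]
    if sd and not sd.lower().endswith(EXPECTED_SERVICEDLL):
        out.append("TermService ServiceDll redirected to " + sd)
    for port in sorted(set(f["open_ports"])):
        if port.upper().startswith("3389:"):
            out.append("RDP " + port + " globally opened in firewall policy")
    if not f["mbr_ok"]:
        out.append("no 'user & kernel MBR OK' line in log")
    return out


def regressions(before, after):
    """Indicators in `after` that `before` lacked: what came back after clean-up."""
    seen = set(findings(before))
    return [x for x in findings(after) if x not in seen]


if __name__ == "__main__":
    for item in regressions(parse_log(SAMPLE_CLEAN), parse_log(SAMPLE_DIRTY)):
        print("REGRESSION:", item)
```

Run against a real pair of logs, a non-empty regression list is the signal that a persistence mechanism the visible clean-up did not reach (here, the MBR infection) is re-dropping the Remote Desktop backdoor components.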

Re: ebay paypal redirect/hijack

Need more info to execute a total disinfection.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :filefind
    *helpassistant*
    disk.sys
    atapi.sys
    mbr.sys
    ntoskrnl.exe
    mat*.dll
    termsrv*

    :folderfind
    *helpassistant*

    :regfind
    PhysicalDrive
    helpassistant
    termservice

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

Re: ebay paypal redirect/hijack

ok... here is the log...

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 01:59 on 03/05/2010 by yo (Administrator - Elevation successful)

========== filefind ==========

Searching for "*helpassistant*"
C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAssistant.lnk --a--- 517 bytes [04:01 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F

Searching for "disk.sys"
C:\WINDOWS\$NtServicePackUninstall$\disk.sys -----c 36352 bytes [02:10 25/09/2008] [05:59 04/08/2004] 00CA44E4534865F8A3B64F7C0984BFF0
C:\WINDOWS\ServicePackFiles\i386\disk.sys ------ 36352 bytes [05:59 04/08/2004] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
C:\WINDOWS\system32\drivers\disk.sys --a--- 36352 bytes [12:00 29/08/2002] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [02:10 25/09/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [13:16 19/04/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [19:59 12/01/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "mbr.sys"
No files found.

Searching for "ntoskrnl.exe"
C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe --a--- 2179328 bytes [00:59 02/03/2005] [00:59 02/03/2005] 4D4CF2C14550A4B7718E94A6E581856E
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe --a--- 2179456 bytes [01:04 02/03/2005] [01:04 02/03/2005] 28187802B7C368C0D3AEF7D4C382AABB
C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe --a--- 2182144 bytes [09:55 28/02/2007] [09:55 28/02/2007] 5A5C8DB4AA962C714C8371FBDF189FC9
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe --a--- 2189184 bytes [23:35 07/02/2009] [23:35 07/02/2009] EFE8EACE83EAAD5849A7A548FB75B584
C:\WINDOWS\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe --a--- 2189184 bytes [20:11 14/08/2008] [20:11 14/08/2008] 31914172342BFF330063F343AC6958FE
C:\WINDOWS\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe --a--- 2189312 bytes [18:18 15/10/2009] [13:56 04/08/2009] FDE779EA1A564EBFE16F4E0F82B61BAD
C:\WINDOWS\$hf_mig$\KB977165\SP3QFE\ntoskrnl.exe --a--- 2189312 bytes [04:52 09/12/2009] [04:52 09/12/2009] 05BE3D9A71972223AFF6A3C823BA51B1
C:\WINDOWS\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe --a--- 2190080 bytes [13:48 14/04/2010] [12:52 16/02/2010] E1F653A542449D54FA2D27463D99B6B6
C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe -----c 2180352 bytes [02:10 25/09/2008] [09:10 28/02/2007] 582A8DBAA58C3B1F176EB2817DAEE77C
C:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe -----c 2042240 bytes [02:01 13/01/2008] [12:00 29/08/2002] B9080D97DBD631AADF9128F7316958D2
C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe -----c 2180992 bytes [02:43 13/01/2008] [06:19 04/08/2004] CE218BC7088681FAA06633E218596CA7
C:\WINDOWS\$NtUninstallKB890859_0$\ntoskrnl.exe -----c 2088448 bytes [02:01 13/01/2008] [08:33 22/10/2004] 5A7EB0C9F96917B7ECF5ADF70C4B1BAE
C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe -----c 2179328 bytes [03:17 13/01/2008] [00:59 02/03/2005] 4D4CF2C14550A4B7718E94A6E581856E
C:\WINDOWS\$NtUninstallKB956572$\ntoskrnl.exe -----c 2189184 bytes [07:06 17/04/2009] [10:11 14/08/2008] EEAF32F8E15A24F62BECB1BD403BB5C5
C:\WINDOWS\$NtUninstallKB956841$\ntoskrnl.exe -----c 2188928 bytes [07:01 15/10/2008] [19:27 13/04/2008] 0C89243C7C3EE199B96FCC16990E0679
C:\WINDOWS\$NtUninstallKB971486$\ntoskrnl.exe -----c 2189056 bytes [07:08 16/10/2009] [11:08 06/02/2009] 7A95B10A73737EBF24139AAA63F5212B
C:\WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe -----c 2189184 bytes [08:01 11/02/2010] [00:44 05/08/2009] 8415D9C7C050E7022AED8ABF281BE4A6
C:\WINDOWS\$NtUninstallKB979683$\ntoskrnl.exe -----c 2189184 bytes [07:07 16/04/2010] [19:27 08/12/2009] 78EC47F9B9A3A1D539262D8834C896CE
C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe ------ 2189952 bytes [22:23 14/10/2008] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\ERDNT\cache\ntoskrnl.exe --a--- 2189952 bytes [13:16 19/04/2010] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe ------ 2188928 bytes [06:19 04/08/2004] [19:27 13/04/2008] 0C89243C7C3EE199B96FCC16990E0679
C:\WINDOWS\system32\dllcache\ntoskrnl.exe -----c 2189952 bytes [22:23 14/10/2008] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\system32\ntoskrnl.exe --a--- 2189952 bytes [12:00 29/08/2002] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA

Searching for "mat*.dll"
No files found.

Searching for "termsrv*"
C:\Documents and Settings\HelpAssistant.LINDAS.000\Local Settings\temp\RarSFX5\termsrv.dat --a--- 15 bytes [03:43 02/05/2010] [03:18 02/05/2010] BBFCC0810FB0FD869118C1053DDF0EAC
C:\Documents and Settings\yo\Local Settings\temp\RarSFX5\termsrv.dat --a--- 15 bytes [03:18 02/05/2010] [03:18 02/05/2010] BBFCC0810FB0FD869118C1053DDF0EAC
C:\HelpAsst_backup\termsrv32.dll --a--- 295424 bytes [03:18 02/05/2010] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82
C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll -----c 295424 bytes [02:10 25/09/2008] [07:56 04/08/2004] B60C877D16D9C880B952FDA04ADF16E6
C:\WINDOWS\ERDNT\cache\termsrv.dll --a--- 295424 bytes [13:16 19/04/2010] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll ------ 295424 bytes [07:56 04/08/2004] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [19:11 12/01/2008] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv32.dll --a--- 295424 bytes [19:11 12/01/2008] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82

========== folderfind ==========

Searching for "*helpassistant*"
C:\Documents and Settings\HelpAssistant d----- [21:43 28/12/2009]
C:\Documents and Settings\HelpAssistant.LINDAS d----- [03:31 23/04/2010]
C:\Documents and Settings\HelpAssistant.LINDAS.000 d----- [03:32 02/05/2010]

========== regfind ==========

Searching for "PhysicalDrive"
No data found.

Searching for "helpassistant"
[HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
@="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
@="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"

Searching for "termservice"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000\Control]
"ActiveService"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TermService\Enum]
"0"="Root\LEGACY_TERMSERVICE\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000\Control]
"ActiveService"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Enum]
"0"="Root\LEGACY_TERMSERVICE\0000"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"

-=End Of File=-

Re: ebay paypal redirect/hijack
Ok.

Please download and run this: http://www.eset.eu/download/emebremover

Let me know if it launches or saves a log.

===========

Once done, please re-run HaMeb_Check.exe and post a log.

Re: ebay paypal redirect/hijack
Emebremover did not produce a log... but it did display 2 messages as it ran. First was that MBR rootkit (Win32/Mebroot) was found on my system and asked if I wanted it to clean/remove it. I clicked yes. Then it said it was cleaned successfully.

And here is the log for HaMeb_Check.exe


C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Tue 05/04/2010 at 1:07:05.06

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~
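The HaMeb_Check log above carries every indicator this thread keeps re-checking in one place: the HelpAssistant account state, leftover HelpAssistant profile directories, the Gmer MBR detector's verdict, the TermService ServiceDll value, and TCP 3389 in the firewall policy. As an added example (not a tool from this thread, and not code from the HaMeb_Check author), the Python script below parses a log in that layout and lists which indicators fired, so repeated runs can be compared mechanically. The two embedded logs are constructed samples modelled on the one posted, with blank lines trimmed; they are not real captures.

```python
"""Triage of a HaMeb_Check-style log (added example, not a thread tool)."""
import re

# What the TermService ServiceDll value points at on a clean XP box.
EXPECTED_SERVICEDLL = r"%systemroot%\system32\termsrv.dll"

# Constructed sample in the layout of the log posted above (not a real capture).
INFECTED_LOG = r"""
Tue 05/04/2010 at 1:07:05.06
Account active No
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking for HelpAssistant directories ~~
HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000
~~ Checking mbr ~~
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !
~~ Checking for termsrv32.dll ~~
termsrv32.dll present!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
~~ EOF ~~
"""

# Constructed sample of what the same tool reports once every indicator is gone.
CLEAN_LOG = r"""
Account active No
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking for HelpAssistant directories ~~
~~ Checking mbr ~~
user & kernel MBR OK
~~ Checking for termsrv32.dll ~~
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll
~~ Checking firewall ports ~~
~~ EOF ~~
"""


def split_sections(text):
    """Group lines under their '~~ title ~~' header; the preamble goes under ''."""
    sections, current = {"": []}, ""
    for line in text.splitlines():
        m = re.match(r"^~~\s*(.*?)\s*~~$", line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections


def analyze(text):
    """Extract the indicators the thread tracks into a dict of findings."""
    s = split_sections(text)
    f = {}
    # 'Account active Yes/No' in the preamble is the HelpAssistant account state.
    state = [re.match(r"Account active\s+(\w+)", line) for line in s[""]]
    f["helpassistant_enabled"] = any(m and m.group(1).lower() == "yes" for m in state)
    f["helpassistant_dirs"] = [d for d in s.get("Checking for HelpAssistant directories", []) if d.strip()]
    mbr = s.get("Checking mbr", [])
    f["mbr_malicious"] = any("malicious code" in m or "PE file found" in m for m in mbr)
    ts = s.get("Checking for termsrv32.dll", [])
    f["termsrv32_present"] = any("termsrv32.dll present" in t for t in ts)
    dll = [m.group(1).strip() for m in (re.match(r"ServiceDll\s+REG_EXPAND_SZ\s+(.+)$", t) for t in ts) if m]
    f["servicedll"] = dll[-1] if dll else None
    # Anything other than termsrv.dll here means the service binary was swapped.
    f["servicedll_hijacked"] = bool(f["servicedll"]) and f["servicedll"].lower() != EXPECTED_SERVICEDLL
    fw = s.get("Checking firewall ports", [])
    f["rdp_port_open"] = any(p.strip().startswith('"3389:TCP"') for p in fw)
    return f


def verdict(findings):
    """List the indicators that fired; an empty list means the log is clean."""
    hits = []
    if findings["helpassistant_enabled"]:
        hits.append("HelpAssistant account is enabled")
    if findings["helpassistant_dirs"]:
        hits.append("HelpAssistant profile directories: " + ", ".join(findings["helpassistant_dirs"]))
    if findings["mbr_malicious"]:
        hits.append("MBR detector reported malicious code")
    if findings["termsrv32_present"]:
        hits.append("termsrv32.dll present")
    if findings["servicedll_hijacked"]:
        hits.append("TermService ServiceDll redirected to " + findings["servicedll"])
    if findings["rdp_port_open"]:
        hits.append("TCP 3389 (Remote Desktop) globally open in firewall policy")
    return hits


if __name__ == "__main__":
    for name, log in (("infected", INFECTED_LOG), ("clean", CLEAN_LOG)):
        print(name + ":", verdict(analyze(log)) or "no indicators")
```

Run against a saved log with `analyze(open(path).read())`; the useful signal is the verdict shrinking to an empty list after the final reboot, and in particular `servicedll_hijacked` staying false, since that value flipping back to termsrv32.dll is what the thread means by the infection "reinstalling itself".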

Re: ebay paypal redirect/hijack
Whew. This is going to be a little complicated. It is obviously reinstalling itself after every removal.

============================

In order to do this, every step should be taken correctly.

1. Download all that is needed in the below instructions, and then save all of these instructions to Notepad or print them for easy access.

2. Disconnect from the Internet. Very important to do, until after the last reboot.

3. Open Notepad and copy/paste the code box below into a new text file.

Code:

@echo off
rem Disable the HelpAssistant account and drop it from the Administrators group
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
rem Clear system/hidden/read-only attributes, then delete each profile directory
rem (paths containing spaces must be quoted; docume~1 is the 8.3 name of "Documents and Settings")
attrib -s -h -r "C:\docume~1\HelpAssistant\*" /s /d
del /s/q "C:\docume~1\HelpAssistant\*.*"
rmdir /s/q "C:\docume~1\HelpAssistant"
attrib -s -h -r "C:\Documents and Settings\HelpAssistant.LINDAS\*" /s /d
del /s/q "C:\Documents and Settings\HelpAssistant.LINDAS\*.*"
rmdir /s/q "C:\Documents and Settings\HelpAssistant.LINDAS"
attrib -s -h -r "C:\Documents and Settings\HelpAssistant.LINDAS.000\*" /s /d
del /s/q "C:\Documents and Settings\HelpAssistant.LINDAS.000\*.*"
rmdir /s/q "C:\Documents and Settings\HelpAssistant.LINDAS.000"

  • Save the file as regquery.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "regquery.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).


4. Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    registry::


    file::
    c:\windows\system32\termsrv32.dll

    snapshot::
    mbr::
    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    (picture: dragging CFScript.txt onto ComboFix.exe)

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


5. Run HelpAsst_mebroot_fix and make sure that log gets posted in your next reply.

6. Reboot your computer three times!

7. Run HaMeb_Check once more and post a log.

Make sure to post the ComboFix log, HelpAsst_mebroot_fix log, and HaMeb_Check log in your next reply.

Re: ebay paypal redirect/hijack
Ok... all instructions followed precisely.... here are the logs:

ComboFix 10-05-03.06 - yo 05/04/2010 10:05:19.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.969 [GMT -4:00]
Running from: c:\documents and settings\yo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\yo\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\termsrv32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\yo\Recent\Thumbs.db
c:\program files\WindowsUpdate
c:\windows\system32\termsrv32.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-02 04:07 . 2010-05-02 04:07 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\UserData
2010-05-02 04:06 . 2010-05-02 04:06 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\PrivacIE
2010-05-02 04:06 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS.000\PNPrint3.exe
2010-05-02 03:52 . 2010-05-02 03:52 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\log
2010-05-02 03:39 . 2010-05-02 03:39 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\IETldCache
2010-05-02 03:39 . 2010-05-02 03:39 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\IECompatCache
2010-05-02 03:32 . 2010-05-02 04:07 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000
2010-05-02 03:18 . 2010-05-02 03:18 -------- d-----w- C:\HelpAsst_backup
2010-04-28 23:47 . 2010-04-28 23:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\UserData
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\Saved Games
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\PrivacIE
2010-04-23 04:01 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\PNPrint3.exe
2010-04-23 03:49 . 2010-04-23 03:49 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\log
2010-04-23 03:31 . 2010-03-10 08:05 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\IETldCache
2010-04-17 15:26 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-15 12:56 . 2010-04-15 12:56 -------- d-----w- c:\program files\Sophos
2010-04-14 21:59 . 2010-04-14 21:59 384872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-13 21:37 . 2010-04-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com
2010-04-12 20:03 . 2010-04-12 20:07 -------- d-----w- c:\documents and settings\yo\.SunDownloadManager
2010-04-07 16:25 . 2010-04-11 21:37 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
2010-04-06 04:35 . 2010-04-06 04:35 -------- d-----w- c:\program files\ESET
2010-04-05 21:46 . 2010-05-04 09:44 -------- d-----w- c:\windows\system32\NtmsData
2010-04-05 21:29 . 2010-04-05 21:29 -------- d-----w- c:\documents and settings\yo\Application Data\Avira
2010-04-05 21:18 . 2010-04-14 13:39 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-05 21:08 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-05 21:08 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-05 21:08 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\program files\Avira
2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-05 20:42 . 2010-04-05 20:42 -------- d-----w- c:\program files\Kaspersky Lab
2010-04-05 20:37 . 2010-04-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-05 19:59 . 2010-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-04-05 19:58 . 2010-04-05 20:00 -------- d-----w- c:\documents and settings\yo\Application Data\HP
2010-04-05 01:52 . 2008-10-28 16:49 321536 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp696.dll
2010-04-05 01:52 . 2008-10-28 16:49 118272 ----a-w- c:\windows\system32\hpz3l696.dll
2010-04-05 01:04 . 2010-05-04 13:59 -------- d-----w- c:\documents and settings\yo\Application Data\HPAppData
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Local Settings\Application Data\ArcSoft
2010-04-05 00:35 . 2010-04-06 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-04-04 23:52 . 2010-04-05 20:00 152184 ----a-w- c:\windows\hphins29.dat
2010-04-04 23:52 . 2008-12-15 12:44 1060 ------w- c:\windows\hphmdl29.dat
2010-04-04 19:57 . 2010-04-29 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 04:00 . 2008-08-07 18:14 -------- d-----w- c:\program files\PokerStars
2010-05-01 19:24 . 2008-01-13 03:02 207024 ----a-w- c:\documents and settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-17 15:26 . 2008-01-14 00:52 -------- d-----w- c:\program files\Java
2010-04-16 07:08 . 2008-11-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 01:49 . 2008-05-24 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-13 21:35 . 2008-08-22 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-12 22:31 . 2008-12-23 21:32 -------- d-----w- c:\program files\LimeWire
2010-04-12 20:14 . 2008-01-14 00:51 -------- d-----w- c:\program files\Common Files\Java
2010-04-07 01:50 . 2008-01-13 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-06 02:36 . 2008-12-12 17:59 -------- d-----w- c:\documents and settings\yo\Application Data\mjusbsp
2010-04-06 02:36 . 2010-02-24 15:38 -------- d-----w- c:\documents and settings\yo\Application Data\Facebook
2010-04-05 20:55 . 2010-01-10 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-05 14:56 . 2010-01-23 21:00 -------- d-----w- c:\program files\Panda Security
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Application Data\ArcSoft
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\ArcSoft
2010-04-05 00:35 . 2010-04-04 23:54 -------- d-----w- c:\program files\HP
2010-04-05 00:34 . 2010-04-05 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-04-05 00:33 . 2010-04-05 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-04-05 00:32 . 2010-04-05 00:32 -------- d-----w- c:\program files\Common Files\HP
2010-04-04 20:06 . 2008-03-26 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-04 20:02 . 2008-01-13 17:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-04 17:17 . 2008-01-14 00:54 -------- d-----w- c:\documents and settings\yo\Application Data\LimeWire
2010-04-04 16:00 . 2010-01-13 00:18 -------- d-----w- c:\program files\Lavasoft
2010-04-04 07:36 . 2010-04-04 07:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 04:46 . 2010-04-04 07:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-04-04 07:36 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-20 23:24 . 2010-03-20 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
2010-03-20 15:29 . 2010-01-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-15 23:21 . 2008-01-14 17:46 36 ---ha-w- c:\windows\system32\f9t.dat
2010-03-10 15:40 . 2010-03-10 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\yo\Application Data\Malwarebytes
2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-10 03:13 . 2010-03-20 02:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
2010-03-09 22:58 . 2010-03-09 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-03-09 22:54 . 2010-03-09 22:54 -------- d-----w- c:\program files\Sunbelt Software
2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 17:24 . 2010-01-24 19:52 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-08-16 12:14 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-10-27 19:58 . 2010-02-05 00:23 54093 ----a-w- c:\program files\EULA.eng
2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^yo^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\yo\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
2009-08-18 10:30 2200576 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 23:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 ----a-w- c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
2007-07-26 20:05 20480 ----a-w- c:\program files\GIGABYTE\ET5Pro\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 14:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-12-07 20:44 1884160 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-04 23:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-14 15:29 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-29 01:42 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"MagicTuneEngine"=2 (0x2)
"CVPND"=2 (0x2)
"cisvc"=3 (0x3)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe Version Cue CS2"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\yo\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:Remote Desktop

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1/1/2008 3:51 PM 19240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [3/19/2010 10:14 PM 95024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 5:08 PM 135336]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:22 PM 135664]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys [?]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [1/12/2008 10:24 PM 24944]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\63.tmp --> c:\windows\system32\63.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\documents and settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 11:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\63.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{1753-23772}]
"D-Code"="9943096400"
"U-Code"="Demo"
"S-Code"="4973197477"
"C-Code"="2108728324272124"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1152)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2184)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\snmp.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2010-05-04 11:38:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-04 15:38

Pre-Run: 57,514,393,600 bytes free
Post-Run: 58,265,882,624 bytes free

- - End Of File - - C772DC53CDE8935104EAF894955A4315

Re: ebay paypal redirect/hijack
C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 11:40:51.81

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

------------------------------------------------------------------------------------------------


C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Tue 05/04/2010 at 11:50:32.84

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Re: ebay paypal redirect/hijack
I think we might have killed most of the infection. Run Help_Asst_Mebroot_Fix once more and post a log, please.

Re: ebay paypal redirect/hijack
C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 15:07:36.48

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

Re: ebay paypal redirect/hijack
Go to Start > Run

type in CMD and hit OK.

In command prompt, type this in exactly:

net localgroup Administrators HelpAssistant /delete

Let me know if a message pops up.

===============

Reboot your computer, then run HaMeb_Check once more and post a log, please.

I think it is almost gone.

Re: ebay paypal redirect/hijack
Ok... No message popped up, but in the command window it said

System error 1377 has occurred.
The specified account name is not a member of the local group.

And here is the log for HaMeb_Check... Thank you

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Tue 05/04/2010 at 15:28:44.34

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Re: ebay paypal redirect/hijack
Enter the Recovery Console again,

place in fixmbr

then reboot, and run HelpAsst_Mebroot_Fix and post a log, please.

Re: ebay paypal redirect/hijack
Hi there...

I loaded Recovery Console from my computer (from ComboFix install). As it was loaded... blue screen of death.

I then loaded it from the XP disk. When I selected R for repair, a black screen came up that said Recovery Console with a C prompt. I typed fixmbr, and immediately got another C prompt. No messages saying does not compute, or okay, etc. I typed exit & it rebooted.

Windows started up, but once loaded I could not click on anything. I could move the mouse, but nothing would happen if I clicked anything. I tried ctrl-alt-del and that did not respond either, so I hit the button & rebooted. I tried this 3-4 times, then rebooted into safe mode. Everything worked ok in safe mode, so I tried rebooting in regular mode again and again could not click on anything... windows key on keyboard & ctl-alt-del did nothing. I rebooted into safe mode with networking. Everything seems to be working ok again in safe mode, so I logged on to here and am now typing this message to you...

This bug is evil and must be eradicated from the planet.

Re: ebay paypal redirect/hijack
Reboot, and at the options menu for Safe Mode and the rest of the options, choose "Last known good configuration."

Let me know if that helps you boot the Normal Mode again.

Re: ebay paypal redirect/hijack
Unfortunately, that didn't fix it. Let me think

Re: ebay paypal redirect/hijack
Ok... hopefully I didn't mess anything up with this, but I had to get my computer working again (I use it for work and had work I had to do on it)....

Since Last Known Good didn't work, I went to Safe Mode and to system restore & restored it to the setting point it made at 9am yesterday. That helped, I was able to click on stuff, but they were taking forever to respond.... like 4 minutes for my documents to open, over 5 minutes when I tried IE, and then it came up and said it could not connect. I rebooted to safe mode with networking & again, everything was fine, so I knew the problem was something loading in regular windows mode. I have very little that loads on start up, mainly just Avira, so I rebooted into regular mode again and tried to open Avira. It just sat & sat, so I thought something must be hosed with that. I rebooted to safe mode, and uninstalled Avira. Rebooted again and now everything, including IE is opening correctly.

So now, should I reinstall Avira, or do you have a suggestion for a different anti-virus program? I've tried a bunch of them, & was running Kaspersky when I got this bug & before coming on this board had tried most of the Anti-virus products to try to get rid of this thing. (Download free trial, try to kill the bug, didn't work (or worked but it came back), uninstalled and tried the next one...) It doesn't necessarily have to be a free one, I was just using Avira because it was the last one I had tried.

Don't worry, I won't be surfing looking for a new bug with no anti-virus on my computer... just working until I get my next move from you.

Thank you.

Re: ebay paypal redirect/hijack
Go ahead and leave the antivirus uninstalled.

I do recommend Kaspersky products. What version was it?

Please go to Start > Run

type in mbr.exe -t and press OK.

It will run. Post the log when it finishes.

Re: ebay paypal redirect/hijack
ok, here you go sir...

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

Re: ebay paypal redirect/hijack
Now, let me see a HaMeb_Check log, please.

Re: ebay paypal redirect/hijack
ok...here you go...

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Thu 05/06/2010 at 0:28:11.25

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
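The HelpAsst_mebroot_fix and HAMeb_check logs in this thread are being read by eye, post after post. As an added example that is not part of the thread and not code from either tool, the following Python reduces such a log to a list of indicators: the HelpAssistant account state and its group memberships, any leftover profile directories, the sector-level lines from the embedded mbr.exe check ("copy of MBR", "malicious code", "PE file found"), a termsrv32.dll hit or a TermService ServiceDll that does not end in termsrv.dll, and any GloballyOpenPorts exception still listed. The clean sample is abridged from the HAMeb_check output posted above; the infected sample is constructed, and the wording of its "found" lines is an assumption about what the tool would print.

```python
import re
from dataclasses import dataclass, field
SECTION_RE = re.compile(r"^~~ (.+?) ~~$")
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=(.*)$', re.I)
SERVICEDLL_RE = re.compile(r"^ServiceDll\s+REG_EXPAND_SZ\s+(.+)$", re.I)
MBR_ALERT_RE = re.compile(r"copy of MBR|malicious code|PE file found", re.I)
# Abridged from the HAMeb_check output posted in this thread (banner and blank lines dropped).
SAMPLE_CLEAN_LOG = r"""Account active No
Local Group Memberships
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking for HelpAssistant directories ~~
HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000
~~ Checking mbr ~~
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !
~~ Checking for termsrv32.dll ~~
termsrv32.dll was not found
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"""

# Constructed, not from the thread: the "found" wording is an assumption; the firewall line is XP's real format.
SAMPLE_INFECTED_LOG = r"""Account active Yes
Local Group Memberships *Administrators
~~ Checking profile list ~~
HelpAssistant profile found in registry
~~ Checking for HelpAssistant directories ~~
HelpAssistant
~~ Checking for termsrv32.dll ~~
termsrv32.dll found
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll
~~ Checking firewall ports ~~
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"""

@dataclass
class Findings:
    account_active: bool = False
    groups: list = field(default_factory=list)
    profile_in_registry: bool = False
    leftover_dirs: list = field(default_factory=list)
    mbr_alerts: list = field(default_factory=list)
    termsrv32_present: bool = False
    service_dll: str = ""
    open_ports: list = field(default_factory=list)

    def indicators(self) -> list:
        """Everything in the log that still points at the HelpAssistant/mebroot infection."""
        checks = [
            (self.account_active, "HelpAssistant account enabled"),
            ("administrators" in [g.lower() for g in self.groups], "HelpAssistant in Administrators"),
            (self.profile_in_registry, "HelpAssistant profile still in ProfileList"),
            (bool(self.leftover_dirs), "leftover profile dirs: " + ", ".join(self.leftover_dirs)),
            (self.termsrv32_present, "termsrv32.dll present in System32"),
            (bool(self.service_dll) and not self.service_dll.lower().endswith(r"\termsrv.dll"),
             "TermService ServiceDll hijacked: " + self.service_dll),
        ]
        out = [msg for hit, msg in checks if hit]
        out += ["mbr: " + a for a in self.mbr_alerts]  # sector-level hits reported by mbr.exe
        out += ["firewall exception open: " + p for p in self.open_ports]
        return out

def parse_log(text: str) -> Findings:
    """Walk the '~~ section ~~' blocks both tools print and collect findings per section."""
    f, section = Findings(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif not line:
            continue
        elif section == "":  # header block: account state and net-user style group list
            if line.startswith("Account active"):
                f.account_active = line.split()[-1].lower() == "yes"
            elif line.startswith("HelpAssistant account"):  # wording used by the fix tool
                f.account_active = line.split()[-1].lower() == "active"
            elif line.startswith(("Local Group Memberships", "*")):
                f.groups += [g.lstrip("*") for g in line.split() if g.startswith("*")]
        elif section == "checking profile list":
            f.profile_in_registry |= "helpassistant" in line.lower() and not line.startswith("No ")
        elif section == "checking for helpassistant directories":
            f.leftover_dirs += [] if line.startswith("No ") else [line]
        elif section == "checking mbr" and MBR_ALERT_RE.search(line):
            f.mbr_alerts.append(line)
        elif section == "checking for termsrv32.dll":
            if m := SERVICEDLL_RE.match(line):
                f.service_dll = m.group(1).strip()
            elif "termsrv32.dll" in line.lower() and "not found" not in line.lower():
                f.termsrv32_present = True
        elif section == "checking firewall ports":
            if (m := PORT_RE.match(line)) and m.group(2) != "-":  # "=-" is the fix tool deleting it
                f.open_ports.append(m.group(1))
    return f
```

`parse_log(SAMPLE_CLEAN_LOG).indicators()` returns four lines for the log above: the three leftover profile directories and the three mbr.exe sector hits, which is exactly what the later posts keep coming back to, while the account, ServiceDll and firewall checks are clean. The fix tool's `"3389:TCP"=-` lines are deliberately not counted as open exceptions, since that is the tool removing the entry, not the firewall still listing it.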

Re: ebay paypal redirect/hijack
Let's try a different method here.

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Re: ebay paypal redirect/hijack
Hi Dragonmaster Jay,

I downloaded DrWeb-CureIt as instructed... the express scan ran for about 12 hours, then I finally stopped it. I think it kept getting hung up or timed out on something & would restart because when I would come check on it, I would recognize the files as ones it already scanned, and then it would get to itype.exe and just sit. Then I'd walk away for a while & when I'd come back it would still be scanning and then sit again on that same file.

When I stopped it, it did show a warning and said it detected viruses, but it did not give me the option to quarantine. It said I should run the full (or maybe the word it used was premium) version of DrWeb-CureIt to detect and remove the viruses.

I will try running DrWeb-CureIt again shortly, but wanted to update you on the situation & ask you if I should run it in safe mode so the minimum is loaded in memory for the express scan?

The log it created is pretty huge (2 MB), so rather than upload it to 10 posts, I'm uploading it to one of my websites.... here is the link:
LogFile

Thank you

Re: ebay paypal redirect/hijack
Try this new version of CureIt:

Please download this file:

Code:

http://beta.drweb.com/files/?p=cureit%2FCureIt!.exe&lng=en&t=f

and run a scan with it. Post the log it generates.

It will be a *.csv file, so double-click on it, and open it in Notepad.

Re: ebay paypal redirect/hijack
Did it work? What happened?

Re: ebay paypal redirect/hijack
New version of CureIt did not work. I tried it a couple of times and as it loaded, blue screen flashed up and computer rebooted.

I did try the first version again and it was scanning for about 20 hours, when someone was reaching under my desk for something that fell and accidentally hit the reboot button on my computer. So I'm running the scan again, and will post the log... it will probably be sometime Monday since this scan seems to take so long. I'm having it just do the C drive first though, not the D drive (the second hard drive).... so hopefully it won't take quite so long.

Re: ebay paypal redirect/hijack
ok... DrWeb CureIt ran without complications... it rebooted the machine when it was done. The log file is enormous, so I uploaded it to the web. Here is the link CureIt Log

Thank you

Re: ebay paypal redirect/hijack
It did not detect anything.

Even the Master Boot Record showed up fine.

Now the key is to get rid of that HelpAssistant account.


Please open OTL, click Run Scan, and post a log when it is finished.

Re: ebay paypal redirect/hijack
Sounds good to me!

Here is the log:

OTL logfile created on: 5/10/2010 11:47:18 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\yo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 62.00% Paging File free
Paging file location(s): D:\pagefile.sys 2956 2956 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.49 Gb Total Space | 52.41 Gb Free Space | 45.78% Space Free | Partition Type: NTFS
Drive D: | 114.49 Gb Total Space | 31.72 Gb Free Space | 27.71% Space Free | Partition Type: NTFS
Drive E: | 539.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LINDAS
Current User Name: yo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/10 11:44:50 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/11/11 19:04:14 | 001,505,144 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2009/06/01 14:51:52 | 000,448,392 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
PRC - [2009/05/26 21:06:32 | 004,351,216 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/07/21 17:15:14 | 000,193,888 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2008/04/13 20:12:36 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/04 19:25:44 | 000,131,072 | ---- | M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
PRC - [2007/05/21 10:48:36 | 000,932,944 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2006/08/11 15:56:02 | 000,017,920 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\CTHELPER.EXE
PRC - [2004/11/26 13:42:10 | 000,812,032 | ---- | M] (Ahead Software AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe


========== Modules (SafeList) ==========

MOD - [2010/05/10 11:44:50 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2006/08/11 15:56:02 | 000,007,168 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTAGENT.DLL


========== Win32 Services (SafeList) ==========

SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/07/21 17:15:14 | 000,193,888 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2008/04/13 20:12:36 | 000,033,280 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2008/01/13 16:35:23 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) [Disabled | Stopped] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/09/04 19:25:44 | 000,131,072 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)
SRV - [2007/08/23 16:05:00 | 000,045,056 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\MagicTune Premium\MagicTuneEngine.exe -- (MagicTuneEngine)
SRV - [2007/05/21 10:48:36 | 000,932,944 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2007/03/20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2007/01/25 13:31:34 | 000,093,048 | ---- | M] (CACE Technologies) [Disabled | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2005/04/04 19:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2)
SRV - [2004/11/26 13:42:10 | 000,812,032 | ---- | M] (Ahead Software AG) [Auto | Stopped] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrvR) InCD Helper (read only)
SRV - [2004/11/26 13:42:10 | 000,812,032 | ---- | M] (Ahead Software AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2002/08/29 08:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)


========== Driver Services (SafeList) ==========

DRV - [2010/03/09 23:13:40 | 000,095,024 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 11:15:58 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/01/23 02:41:20 | 000,024,944 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GVTDrv.sys -- (GVTDrv)
DRV - [2008/07/09 09:05:22 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2008/04/13 15:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 14:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 14:46:20 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2008/04/13 14:46:20 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2008/04/13 14:46:10 | 000,051,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/12/05 02:41:00 | 007,435,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/11/20 12:09:22 | 000,104,320 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2007/10/26 14:27:00 | 000,306,300 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/10/11 12:10:52 | 000,030,008 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ET5Drv.sys -- (ET5Drv)
DRV - [2007/09/04 19:26:32 | 000,029,696 | ---- | M] (NVidia Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\nvoclock.sys -- (NVR0Dev)
DRV - [2007/08/29 04:04:04 | 000,116,264 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SI3112r.sys -- (SI3112r)
DRV - [2007/08/29 04:04:04 | 000,019,240 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SiWinAcc.sys -- (SiWinAcc)
DRV - [2007/08/29 04:04:04 | 000,019,240 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys -- (SiFilter)
DRV - [2007/05/03 13:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2007/01/31 13:45:06 | 000,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/25 13:31:34 | 000,042,000 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2007/01/18 16:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/11/22 11:01:48 | 000,693,760 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2006/08/28 18:12:04 | 000,013,312 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\MTictwl.sys -- (NCPro)
DRV - [2006/08/28 18:12:04 | 000,013,312 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MTictwl.sys -- (MagicTune)
DRV - [2006/08/11 15:48:52 | 000,061,952 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2006/08/11 15:48:50 | 000,158,720 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2006/08/11 15:48:42 | 001,170,432 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEXFIFX.dll -- (CTEXFIFX.DLL)
DRV - [2006/08/11 15:48:32 | 000,548,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\ctsblfx.dll -- (CTSBLFX.DLL)
DRV - [2006/08/11 15:48:28 | 000,160,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\cteapsfx.dll -- (CTEAPSFX.DLL)
DRV - [2006/08/11 15:48:12 | 000,536,576 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\ctaudfx.dll -- (CTAUDFX.DLL)
DRV - [2006/08/11 15:48:08 | 000,087,552 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\commonfx.dll -- (COMMONFX.DLL)
DRV - [2006/08/11 15:48:06 | 000,317,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2006/08/11 15:45:50 | 000,115,200 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2006/08/11 15:45:40 | 000,269,824 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2006/08/11 15:45:40 | 000,007,168 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2006/08/11 15:45:38 | 000,499,584 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2006/08/11 15:45:28 | 000,180,224 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2006/08/11 15:45:26 | 000,766,976 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2006/08/11 15:45:26 | 000,154,112 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2006/08/11 15:45:24 | 000,116,224 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2006/08/11 15:45:18 | 000,143,872 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2006/08/11 15:45:18 | 000,078,336 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2006/08/11 15:45:14 | 000,502,272 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2005/11/10 18:06:04 | 000,340,704 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2005/10/28 17:11:00 | 000,027,648 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iteatapi.sys -- (iteatapi)
DRV - [2004/11/26 13:36:24 | 000,098,176 | ---- | M] (Ahead Software AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2004/11/26 13:36:06 | 000,028,928 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2004/11/26 08:36:02 | 000,027,648 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDrm.sys -- (incdrm)
DRV - [2004/05/25 16:58:04 | 000,396,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA(R) nForce(TM)
DRV - [2004/05/25 16:58:02 | 000,048,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA(R) nForce(TM)
DRV - [2004/01/12 10:20:00 | 000,009,600 | ---- | M] (Cygnal Integrated Products) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CygF32x.sys -- (CYGF32X)
DRV - [2003/09/04 08:45:44 | 000,055,144 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\si3112.sys -- (si3112)
DRV - [2003/04/21 15:18:00 | 000,052,608 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2003/03/19 16:51:00 | 000,018,688 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2001/08/17 15:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/04/04 20:34:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/28 15:49:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/29 12:10:31 | 000,000,000 | ---D | M]

[2009/10/15 11:28:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Extensions
[2009/08/12 21:10:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/05/07 20:20:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\extensions
[2009/10/15 11:31:42 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/07 20:20:12 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/17 11:26:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/05/04 11:25:44 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\real\realplayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\yo\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB (PogoWebLauncher Control)
O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} http://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab (SentinelProxy Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200188651437 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} https://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/08/29 08:00:00 | 000,000,110 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{2bfa3ffa-c16e-11dc-9085-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{2bfa3ffa-c16e-11dc-9085-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2bfa3ffa-c16e-11dc-9085-806d6172696f}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2002/08/29 08:00:00 | 001,310,720 | R--- | M] (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/10 11:44:49 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
[2010/05/10 11:35:11 | 000,201,728 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTC.exe
[2010/05/07 04:06:34 | 000,110,456 | ---- | C] (Doctor Web, Ltd.) -- C:\WINDOWS\System32\drivers\dwprot.sys
[2010/05/06 01:30:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\DoctorWeb
[2010/05/05 01:30:06 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/04 15:06:19 | 000,000,000 | ---D | C] -- C:\RECYCLER(2)
[2010/05/04 10:04:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/04 00:59:03 | 000,117,912 | ---- | C] (ESET spol. s r.o.) -- C:\Documents and Settings\yo\Desktop\EMebRemover.exe
[2010/05/01 23:18:22 | 000,278,016 | ---- | C] (SteelWerX) -- C:\WINDOWS\swreg.exe
[2010/05/01 23:18:22 | 000,000,000 | ---D | C] -- C:\HelpAsst_backup
[2010/05/01 21:09:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Desktop\SpiderKill
[2010/05/01 13:20:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Desktop\gmer
[2010/04/28 19:47:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/04/17 11:26:31 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/17 11:26:30 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/17 11:26:30 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/17 11:26:30 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/15 08:56:12 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/04/13 17:37:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/13 17:35:41 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/13 17:35:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\SUPERAntiSpyware.com
[2010/04/12 16:14:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/12 16:13:17 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/12 16:03:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\.SunDownloadManager
[2007/04/09 13:32:58 | 000,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2 C:\Documents and Settings\yo\My Documents\*.tmp files -> C:\Documents and Settings\yo\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\yo\*.tmp files -> C:\Documents and Settings\yo\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/10 11:44:50 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
[2010/05/10 11:37:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/10 11:35:18 | 000,201,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTC.exe
[2010/05/10 10:58:39 | 013,893,632 | ---- | M] () -- C:\Documents and Settings\yo\ntuser.dat
[2010/05/10 04:37:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/10 01:07:05 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/10 01:02:04 | 001,851,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/10 01:01:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/10 01:01:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/09 02:24:39 | 000,208,216 | ---- | M] () -- C:\Documents and Settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/07 10:20:23 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/05/07 10:20:23 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/05/07 10:20:23 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/05/07 10:20:23 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/05/07 10:20:23 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/05/07 10:20:23 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/05/07 10:20:23 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/05/07 10:19:55 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\yo\ntuser.ini
[2010/05/07 10:18:04 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000004-20021102}.CDF
[2010/05/07 10:18:04 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000004-20021102}.BAK
[2010/05/07 04:16:21 | 000,110,456 | ---- | M] (Doctor Web, Ltd.) -- C:\WINDOWS\System32\drivers\dwprot.sys
[2010/05/07 00:30:59 | 039,112,800 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\CureIt!.exe
[2010/05/06 01:23:38 | 039,267,408 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\drweb-cureit.exe
[2010/05/04 11:26:18 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/04 11:25:44 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/04 00:59:07 | 000,117,912 | ---- | M] (ESET spol. s r.o.) -- C:\Documents and Settings\yo\Desktop\EMebRemover.exe
[2010/05/03 00:19:35 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\SystemLook.exe
[2010/05/02 18:31:55 | 000,485,896 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
[2010/05/02 12:03:17 | 000,000,457 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\check.bat
[2010/05/01 23:17:12 | 000,489,984 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
[2010/05/01 23:12:31 | 000,000,598 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\file.bat
[2010/05/01 21:09:34 | 000,113,664 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\SpiderKill.zip
[2010/05/01 13:19:55 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\gmer.zip
[2010/04/30 11:33:28 | 002,145,538 | -H-- | M] () -- C:\Documents and Settings\yo\Local Settings\Application Data\IconCache.db
[2010/04/30 04:20:37 | 000,000,691 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/30 04:20:37 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/16 03:06:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/12 17:29:27 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/12 17:29:26 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/12 17:29:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/12 15:19:02 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2 C:\Documents and Settings\yo\My Documents\*.tmp files -> C:\Documents and Settings\yo\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\yo\*.tmp files -> C:\Documents and Settings\yo\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/10 01:07:41 | 004,958,588 | ---- | C] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000004-20021102}.CDF
[2010/05/07 00:30:55 | 039,112,800 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\CureIt!.exe
[2010/05/06 01:23:37 | 039,267,408 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\drweb-cureit.exe
[2010/05/05 12:56:08 | 000,000,409 | ---- | C] () -- C:\Documents and Settings\yo\mbr.log
[2010/05/04 09:08:05 | 013,893,632 | ---- | C] () -- C:\Documents and Settings\yo\ntuser.dat
[2010/05/03 00:19:29 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\SystemLook.exe
[2010/05/02 18:31:35 | 000,485,896 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
[2010/05/02 12:03:17 | 000,000,457 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\check.bat
[2010/05/01 23:18:22 | 000,082,944 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/01 23:17:10 | 000,489,984 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
[2010/05/01 23:12:31 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\file.bat
[2010/05/01 21:09:32 | 000,113,664 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\SpiderKill.zip
[2010/05/01 13:19:53 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\gmer.zip
[2010/04/14 17:59:44 | 000,384,872 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/09/28 21:44:10 | 000,000,038 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/02/13 23:28:05 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\drivers\MTictwl.sys
[2009/01/05 16:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/07/01 14:46:07 | 000,000,899 | ---- | C] () -- C:\WINDOWS\CadraViewExp.ini
[2008/06/29 09:39:31 | 001,936,528 | ---- | C] () -- C:\WINDOWS\System32\ltmm15.dll
[2008/05/09 16:42:24 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/04/24 00:20:00 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/02/04 18:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2008/02/01 21:03:21 | 000,025,339 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/01/14 13:56:19 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS61.DLL
[2008/01/14 12:32:14 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/01/13 19:29:15 | 000,086,446 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/01/13 19:29:15 | 000,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2008/01/13 19:29:15 | 000,000,191 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/01/13 13:33:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/12 22:24:48 | 000,024,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\GVTDrv.sys
[2008/01/12 20:24:20 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\idecoi.dll
[2008/01/12 15:58:54 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/12/05 02:41:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 02:41:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/05 02:41:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 02:41:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/05 02:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/10/26 14:28:18 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/10/26 14:28:04 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/03/12 12:01:30 | 000,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2007/03/09 03:12:32 | 000,027,648 | -HS- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2007/03/06 05:14:48 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/03/06 05:14:48 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/01/25 13:31:36 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2006/08/11 15:57:18 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2006/07/25 14:57:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[2006/05/23 13:40:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2005/06/16 19:17:16 | 000,071,680 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
< End of report >

Re: ebay paypal redirect/hijack
Good. Almost done.

Run HAMeb_check so I can see our progress. Smile...

Re: ebay paypal redirect/hijack
Great! Big Grin Here it is...

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Mon 05/10/2010 at 16:17:43.18

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Re: ebay paypal redirect/hijack
What has happened here is that the infection has been removed. However, the account wants to stay continually active.

The account HelpAssistant has attached itself to your account, so at system log-on that account runs at the same time you do. So, when you try to delete it, it will just re-appear, because it cannot be deleted while it is still active.

So, the idea is going to be to delete it while it is inactive.


Need some more info.

Go to Start > Run
type in cmd and hit OK.

Type this in exactly:

net user helpassistant > log.txt && log.txt


It will launch a log. Please post it, if there is text in the log.
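
As an added example that is not part of this thread and not HAMeb_check.exe or any of the helper's tools: a PowerShell script that repeats the checks the HAMeb_check log above reports (account state, Administrators membership, ProfileList entries, leftover profile folders, TermService ServiceDll, termsrv32.dll, globally open firewall ports), so the clean-up can be verified once the account has been deleted while inactive. It assumes PowerShell 2.0 on XP SP3 and the default profile root C:\Documents and Settings; the MBR sector check is not reproduced and still needs Gmer's mbr.exe.

```powershell
# Added example, not HAMeb_check.exe or any tool from this thread.
# Re-runs the checks seen in the HAMeb_check log so the clean-up can be
# verified after the Safe Mode script. Assumptions: PowerShell 2.0 on
# XP SP3, profile root C:\Documents and Settings. The MBR sector check is
# not reproduced here; that still needs Gmer's mbr.exe (mbr -t).

$profileRoot = 'C:\Documents and Settings'   # assumption: XP default profile root
$findings    = @()

# 1. Account state, from the same "Account active" line the posted logs show.
$netUser = net user HelpAssistant 2>&1
if ($netUser -match 'could not be found') {
    $accountState = 'HelpAssistant account does not exist'
} else {
    $activeLine = $netUser | Where-Object { $_ -match '^Account active' }
    if ($activeLine -match 'Yes') { $findings += 'HelpAssistant account is ACTIVE' }
    $accountState = "net user: $activeLine"
}

# 2. It must not be a member of the local Administrators group.
$admins = net localgroup Administrators 2>&1
if ($admins -match '^HelpAssistant\s*$') {
    $findings += 'HelpAssistant is still in the Administrators group'
}

# 3. ProfileList: any SID whose ProfileImagePath points at a HelpAssistant folder.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $imagePath = (Get-ItemProperty $_.PSPath).ProfileImagePath
    if ($imagePath -like '*HelpAssistant*') {
        $findings += "ProfileList entry $($_.PSChildName) -> $imagePath"
    }
}

# 4. Leftover profile folders (HelpAssistant, HelpAssistant.LINDAS, HelpAssistant.LINDAS.000 ...).
#    -Force is needed because the folders may carry hidden/system attributes.
Get-ChildItem $profileRoot -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'HelpAssistant*' } |
    ForEach-Object { $findings += "Leftover profile folder: $($_.FullName)" }

# 5. TermService must load the genuine termsrv.dll, and the rogue termsrv32.dll must be gone.
$termParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
if ($termParams.ServiceDll -notmatch '\\termsrv\.dll$') {
    $findings += "TermService ServiceDll is '$($termParams.ServiceDll)', expected %SystemRoot%\System32\termsrv.dll"
}
if (Test-Path (Join-Path $env:SystemRoot 'System32\termsrv32.dll')) {
    $findings += 'termsrv32.dll is still present in System32'
}

# 6. Globally open firewall ports; the clean log shows both lists empty.
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\GloballyOpenPorts\List"
    if (Test-Path $key) {
        $regKey = Get-Item $key
        foreach ($name in $regKey.GetValueNames()) {
            $findings += "Globally open port ($profile): $name = $($regKey.GetValue($name))"
        }
    }
}

# Report: an empty findings list means every check in the HAMeb_check log reads clean.
$accountState
if ($findings.Count -eq 0) {
    'All HelpAssistant checks clean'
} else {
    'Remaining findings:'
    $findings | ForEach-Object { "  $_" }
}
```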

Re: ebay paypal redirect/hijack
Sounds great....

Ok... here is the log:

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 5/5/2010 1:32 AM
Password expires Never
Password changeable 5/5/2010 1:32 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/1/2010 11:32 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

Re: ebay paypal redirect/hijack
Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Open Notepad and copy/paste the code box below into a new text file.

Code:

@echo off
rem Deactivate the HelpAssistant account and drop it from the Administrators group
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
rem Strip system/hidden/read-only attributes, then delete each leftover profile folder.
rem The paths contain spaces, so they must be quoted or cmd splits them into separate arguments.
attrib -s -h -r "C:\Documents and Settings\HelpAssistant\*" /s /d
del /s /q "C:\Documents and Settings\HelpAssistant\*.*"
rmdir /s /q "C:\Documents and Settings\HelpAssistant"
attrib -s -h -r "C:\Documents and Settings\HelpAssistant.LINDAS\*" /s /d
del /s /q "C:\Documents and Settings\HelpAssistant.LINDAS\*.*"
rmdir /s /q "C:\Documents and Settings\HelpAssistant.LINDAS"
attrib -s -h -r "C:\Documents and Settings\HelpAssistant.LINDAS.000\*" /s /d
del /s /q "C:\Documents and Settings\HelpAssistant.LINDAS.000\*.*"
rmdir /s /q "C:\Documents and Settings\HelpAssistant.LINDAS.000"
rem Record which HelpAssistant folders (if any) remain and open the log for posting
dir /a /b "C:\Documents and Settings\HelpAssistant*" > log.txt 2>&1
start log.txt

  • Save the file as regquery.bat by choosing Save as type: All Files, and save it to your Desktop.
  • Locate "regquery.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
  • It will open a text file, please copy the content in your next reply.

Re: ebay paypal redirect/hijack
I ran it, but no text file opened...

Re: ebay paypal redirect/hijack
Ok.

Do this once more and post a log, please:

net user helpassistant > log.txt && log.txt

Re: ebay paypal redirect/hijack
Alrighty... here it is...


User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 5/5/2010 1:32 AM
Password expires Never
Password changeable 5/5/2010 1:32 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/1/2010 11:32 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

Re: ebay paypal redirect/hijack
Good. Now, please reboot your computer twice, and run the Profiles program once more.

I think it is gone now.

Re: ebay paypal redirect/hijack
Sorry... we've run so much stuff... which one is the Profiles program?

Re: ebay paypal redirect/hijack
Here. You can probably re-download it.

Download Profiles
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply

Re: ebay paypal redirect/hijack
Great, thank you .... here it is


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\yo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS
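The two logs exchanged above carry the whole decision: the `net user helpassistant` output shows whether the account is still enabled or still in Administrators (the helper's point that the profile cannot be removed while the account is active), and the ProfileList dump shows whether a HelpAssistant profile is still registered. The script below, an added example rather than code from this thread or from either poster, parses both formats and reports those conditions. The sample logs embedded in it are constructed after the ones posted here, with placeholder SIDs, and the "infected" samples are invented to show what a positive result looks like.

```python
"""Parse `net user <account>` output and a ProfileList registry dump, and
flag what the helper in this thread checked for. Added example; the
sample logs are constructed (placeholder SIDs, not from any real machine)."""
import re

NET_USER_FIELDS = ("User name", "Full Name", "Comment", "Account active",
                   "Account expires", "Password last set", "Last logon",
                   "Local Group Memberships", "Global Group memberships")
_FIELD_RE = re.compile(
    r"^(" + "|".join(re.escape(f) for f in NET_USER_FIELDS) + r")\s*(.*)$")
_PROFILE_KEY_RE = re.compile(r"\\ProfileList\\(S-1-5-[\d-]+)\s*$")
_IMAGE_PATH_RE = re.compile(r"^ProfileImagePath\s+REG_EXPAND_SZ\s+(.+?)\s*$")


def parse_net_user(text):
    """Map `net user <account>` output to a dict; local groups become a list."""
    info, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = _FIELD_RE.match(line)
        if m:
            current = m.group(1)
            info[current] = m.group(2).strip()
        elif current and line[0].isspace() and line.strip().startswith("*"):
            info[current] += " " + line.strip()  # net.exe wraps long group lists
    names = [n.strip() for n in info.get("Local Group Memberships", "").split("*")]
    info["local_groups"] = [n for n in names if n and n.lower() != "none"]
    return info


def assess_account(info):
    """Conditions that must be clear before the profile folders can be removed."""
    findings = []
    if info.get("Account active", "").lower() == "yes":
        findings.append("account is active")
    if any(g.lower() == "administrators" for g in info.get("local_groups", [])):
        findings.append("member of local Administrators")
    return findings


def parse_profile_list(text):
    """Return [(sid, ProfileImagePath)] pairs from a ProfileList dump."""
    profiles, sid = [], None
    for line in text.splitlines():
        k = _PROFILE_KEY_RE.search(line)
        if k:
            sid = k.group(1)
            continue
        p = _IMAGE_PATH_RE.match(line.strip())
        if p and sid:
            profiles.append((sid, p.group(1)))
            sid = None
    return profiles


def helpassistant_profiles(profiles):
    """Profiles whose folder is HelpAssistant or a HelpAssistant.<HOST>[.000]
    variant, i.e. the folders the batch file earlier in the thread removes."""
    hits = []
    for sid, path in profiles:
        folder = path.rstrip("\\").split("\\")[-1]
        if folder.lower().split(".")[0] == "helpassistant":
            hits.append((sid, path))
    return hits


# Constructed samples, laid out as net.exe and reg.exe print them.
NET_USER_CLEAN = """\
User name                    HelpAssistant
Full Name                    Remote Desktop Help Assistant Account
User's comment
Account active               No
Last logon                   5/1/2010 11:32 PM
Local Group Memberships
Global Group memberships     *None
The command completed successfully.
"""
NET_USER_INFECTED = """\
User name                    HelpAssistant
Account active               Yes
Local Group Memberships      *Administrators
                             *Users
Global Group memberships     *None
The command completed successfully.
"""
PROFILELIST_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-111-222-333-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\yo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-111-222-333-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator
"""
PROFILELIST_INFECTED = PROFILELIST_CLEAN + r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-111-222-333-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS
"""

if __name__ == "__main__":
    print(assess_account(parse_net_user(NET_USER_INFECTED)),
          helpassistant_profiles(parse_profile_list(PROFILELIST_INFECTED)))
```

Run against the clean samples both checks come back empty, which is the state the helper accepted before calling it done; against the infected samples the account is reported active and in Administrators, and the HelpAssistant.LINDAS profile is listed with its SID.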

Re: ebay paypal redirect/hijack
Guess what?

It is gone. Hooray!

Ready to clean up your computer now of all those tools?

Re: ebay paypal redirect/hijack
Hmmmm.... let's see.... First post was Sun April 4.... so we've been at this for over 5 weeks now... with 128 posts... I think I shall pour a glass of wine and toast you for all the help, patience and diligence in getting rid of this thing.

You may not be able to tell, but I am normally the person others come to for tech support.... From hardware to software I've done all kinds of tech support, but this thing had kicked my butt. I had exhausted my resources, and then found this site.

So yes, I'm ready to clean off all the tools, but I just wanted to take a moment to thank you. I truly appreciate you working with me to fix this, and not giving up. Yes, my hat is off to you. Thank You!

Re: ebay paypal redirect/hijack
I was able to tell that you were very experienced.

Now, to get you off to a good start, we will clean your restore points so that all the bad stuff is gone for good. Then, if you need to restore at some stage, you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System Tools > System Restore.
  • On the dialogue box that appears, select Create a Restore Point.
  • Click NEXT.
  • Enter a name, e.g. Clean.
  • Click CREATE.

You now have a clean restore point. To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System Tools > Disk Cleanup.
  • In the drop-down box that appears, select your main drive, e.g. C.
  • Click OK.
  • The system will do some calculation and then display a dialogue box with tabs.
  • Select the More Options tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this.
  • Accept the warning and select OK again; the program will close and you are done.


To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: ebay paypal redirect/hijack
Hi DragonMaster Jay,

I apologize for the delay in posting, I was out of town for a few days...

All final scans have been done. Here is the log from checkup.

Thanks again!

Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
Adobe After Effects CS3 Presets
Kaspersky Internet Security 2010
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 20
Adobe Flash Player 10.0.12.36
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 9.3.2
Mozilla Firefox (3.6.3)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Kaspersky Lab Kaspersky Internet Security 2010 avp.exe
Kaspersky Lab Kaspersky Internet Security 2010 klwtblfs.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
