
Thread: problems getting rid of malicious cookies

  #1 - Junior Member (Join Date: Mar 2013, Posts: 5)

    problems getting rid of malicious cookies

    I foolishly installed Privitize VPN and now have a mess. Actually, I don't even know if that was the source of my problem, but it may have been. I completed a removal using SB S&D 2 but I am left with cookies from every tracking site and porn site on the internet that repopulate every time I delete them. (S&D wasn't effective.) What can I do to get rid of the source so that it doesn't keep coming back?

    DDS Log
    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 8.0.7600.16800
    Run by me at 21:52:35 on 2013-03-29
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2814.1702 [GMT -4:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\lxducoms.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    C:\Windows\System32\alg.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\Lexmark 5600-6600 Series\lxdumon.exe
    C:\Windows\WindowsMobile\wmdc.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.bing.com/
    uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1331&r=173611095203p0324v115r4841s22o
    mStart Page = hxxp://searchou.com/?affil=7&uid=db7d2b60-8c3c-11e2-8bcd-001f16fd7d03
    mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1331&r=173611095203p0324v115r4841s22o
    uURLSearchHooks: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - <orphaned>
    mWinlogon: Userinit = userinit.exe
    BHO: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
    BHO: Lexmark Printable Web: {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    TB: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    uRun: [Global Registration] "C:\Program Files (x86)\eMachines\Registration\GREG.exe" BOOT
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [Organizer Pro] C:\Program Files (x86)\Organizer Pro\AtDem.exe
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    mRun: [Lexmark 5600-6600 Series] "C:\Program Files (x86)\Lexmark 5600-6600 Series\fm3032.exe" /s
    mRun: [atr.exe] <no file>
    StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
    StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{7534CCD2-2C51-4A20-9540-82EDBC5C9D8A} : DHCPNameServer = 192.168.0.1
    TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632}\035324430333837353735343 : DHCPNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632}\140707C65602E4564777F627B602336303366333 : DHCPNameServer = 10.0.1.1
    TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632}\16733616 : DHCPNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632}\854414D275966696D23586162796E676 : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{81C171C3-4CE2-42E6-AA66-D6B1A6F3A632}\C696E6B6379737 : DHCPNameServer = 209.18.47.61 209.18.47.62
    Notify: SDWinLogon - SDWinLogon.dll
    AppInit_DLLs=
    SSODL: WebCheck - <orphaned>
    x64-mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1331&r=173611095203p0324v115r4841s22o
    x64-mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1331&r=173611095203p0324v115r4841s22o
    x64-BHO: Expat Shield Class: {3706EE7C-3CAD-445D-8A43-03EBC3B75908} -
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    x64-Run: [lxdumon.exe] "C:\Program Files (x86)\Lexmark 5600-6600 Series\lxdumon.exe"
    x64-Run: [lxduamon] "C:\Program Files (x86)\Lexmark 5600-6600 Series\lxduamon.exe"
    x64-Run: [Windows Mobile Device Center] C:\Windows\WindowsMobile\wmdc.exe
    x64-SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 lxdu_device;lxdu_device;C:\Windows\System32\lxducoms.exe -service --> C:\Windows\System32\lxducoms.exe -service [?]
    R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-3-28 1103392]
    R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-3-28 1369624]
    R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-3-28 168384]
    R2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-8-14 240160]
    R3 athrusb;Netgear WG111T modded device driver;C:\Windows\System32\drivers\athrxusb.sys [2009-11-29 1037312]
    S2 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe --> C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [?]
    S2 lxduCATSCustConnectService;lxduCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\lxduserv.exe [2010-1-14 29184]
    S3 TFsExDisk;TFsExDisk;C:\Windows\System32\drivers\TFsExDisk.sys [2010-3-6 16392]
    .
    =============== Created Last 30 ================
    .
    2013-03-30 01:07:50 -------- d-----w- C:\Users\me\AppData\Local\Macromedia
    2013-03-28 22:05:41 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2013-03-28 22:05:25 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
    2013-03-28 22:05:16 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
    2013-03-26 09:32:21 9311288 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D04DAA15-4027-41A0-96E8-3FF986C9CD7A}\mpengine.dll
    2013-03-14 01:03:52 -------- d-----w- C:\Users\me\AppData\Roaming\BitTorrent
    2013-03-14 00:58:22 -------- d-----w- C:\Users\me\AppData\Local\Torch
    2013-03-14 00:22:03 -------- d-----w- C:\ProgramData\CLSoft LTD
    2013-03-14 00:21:47 -------- d-----w- C:\ProgramData\MAgoniPicc
    2013-03-14 00:21:44 -------- d-----w- C:\ProgramData\InstallMate
    .
    ==================== Find3M ====================
    .
    2013-01-31 13:15:21 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-01-31 13:15:21 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-01-17 05:28:58 273840 ------w- C:\Windows\System32\MpSigStub.exe
    .
    ============= FINISH: 21:53:00.89 ===============

    aswMBR Log
    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2013-03-29 21:56:57
    -----------------------------
    21:56:57.192 OS Version: Windows x64 6.1.7600
    21:56:57.193 Number of processors: 1 586 0x7F02
    21:56:57.194 ComputerName: ME-PC UserName: me
    21:56:58.779 Initialize success
    21:59:51.383 AVAST engine defs: 13032901
    22:00:00.365 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000057
    22:00:00.369 Disk 0 Vendor: ST332041 CC44 Size: 305245MB BusType: 3
    22:00:00.462 Disk 0 MBR read successfully
    22:00:00.466 Disk 0 MBR scan
    22:00:00.475 Disk 0 unknown MBR code
    22:00:00.496 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14336 MB offset 2048
    22:00:00.514 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 29362176
    22:00:00.524 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 290807 MB offset 29566976
    22:00:00.552 Disk 0 scanning C:\Windows\system32\drivers
    22:00:11.254 Service scanning
    22:00:34.720 Modules scanning
    22:00:34.769 Disk 0 trace - called modules:
    22:00:34.800 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
    22:00:35.184 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8002fa5680]
    22:00:35.195 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa8002b907b0]
    22:00:35.205 5 ACPI.sys[fffff88000e1a781] -> nt!IofCallDriver -> \Device\00000057[0xfffffa8002b909d0]
    22:00:36.235 AVAST engine scan C:\Windows
    22:00:38.529 AVAST engine scan C:\Windows\system32
    22:05:03.820 AVAST engine scan C:\Windows\system32\drivers
    22:05:17.472 AVAST engine scan C:\Users\me
    22:05:59.301 Disk 0 MBR has been saved successfully to "C:\Users\me\Desktop\MBR.dat"
    22:05:59.318 The log file has been saved successfully to "C:\Users\me\Desktop\aswMBR.txt"

    I hope you can help. Thanks in advance.

  #2 - Visiting Fellow (Join Date: Mar 2011, Location: Canada, Posts: 142)

    Problems getting rid of malicious cookies

    Hello, eve.online.

    My name is fbfbfb. I will gladly assist you with your concerns.

    Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice. This may cause a delay, but I will do my best to keep it as short as possible.

    I am checking over your DDS and aswMBR logs now, and I will post back shortly with instructions.

    While working to resolve the issues with your machine, please follow these guidelines:
    • Please be patient. Logs are lengthy and can take time to analyze.
    • Read and follow my directions carefully, in the sequence they are posted.
    • If you are unsure about anything, please ask for clarification before continuing.
    • Use only those tools that you have been directed to use.
    • Do not install or uninstall any applications or run any other scans without being directed to do so.
    • Copy and Paste the log files inside your post. Do not send them as attachments unless otherwise instructed.
    • Stay with me until your machine has been deemed all clear.
    • Please reply within 3 days to avoid closing this topic.

  #3 - Visiting Fellow (Join Date: Mar 2011, Location: Canada, Posts: 142)

    problems getting rid of malicious cookies

    Hello, eve.online.

    Thank you for submitting your DDS log. DDS should have produced a second log named attach.txt and saved it to your desktop. If it is there, please submit this log to me. If you are unable to locate this report, please rerun DDS and submit both reports.

    Please run the following scans:

    1. Rogue Killer

    Please download Rogue Killer from HERE.
    • Quit all running programs before continuing.
    • Double-click roguekiller.exe to run it.
    • Wait for the Prescan to finish.
    • Click Scan and wait for the scan to complete.
    • A report will be created and saved on your desktop.
    • Exit the program.
    Copy and paste the RKreport.txt report into your next reply.

    2. Security Check

    Please download Security Check by screen317 from HERE or HERE.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt. This may take a few minutes.
    Please copy and paste the contents of that document into your next reply.

  #4 - Junior Member (Join Date: Mar 2013, Posts: 5)


    First, thanks for your help!!

    The Security Check report is here:
    Results of screen317's Security Check version 0.99.61
    Windows 7 x64 (UAC is disabled!)
    Out of date service pack!!
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    MVPS Hosts File
    Spybot - Search & Destroy
    Java(TM) 6 Update 17
    Java 7 Update 17
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player 11.5.502.146 Flash Player out of Date!
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox (19.0.2)
    ````````Process Check: objlist.exe by Laurent````````
    Spybot Teatimer.exe is disabled!
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````

    and the RogueKiller report is here:
    RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files...3-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7600 ) 64 bits version
    Started in : Normal mode
    User : me [Admin rights]
    Mode : Scan -- Date : 04/05/2013 13:00:37
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 6 ¤¤¤
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    [...]

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST332041 8AS SCSI Disk Device +++++
    --- User ---
    [MBR] b435e5ae8313687691ff18e4df5b708f
    [BSP] 4bd9425129f5f628c8bdf1d528185e52 : Acer MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 14336 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 29362176 | Size: 100 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 29566976 | Size: 290807 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[2]_S_04052013_02d1300.txt >>
    RKreport[1]_S_04052013_02d1253.txt ; RKreport[2]_S_04052013_02d1300.txt

    When I ran Rogue Killer it prompted to delete the items it found but I did not do that yet. Please let me know if I should go ahead and delete them.

    I have attached the attach zip.

    Thanks Again
    E.O

  #5 - Visiting Fellow (Join Date: Mar 2011, Location: Canada, Posts: 142)

    problems getting rid of malicious cookies

    Hello, eve.online.

    You're welcome, and thank you for your logs.

    Please run the following scans:

    1. Rogue Killer

    Please run Rogue Killer again (double click on roguekiller.exe to start).
    Note: Please remove any usb or external drives from the computer and quit any running programs before you run this scan.
    • When the scan has completed, click Delete.
    • Please copy and paste the RKreport.txt located on your desktop into your next reply.

    2. ComboFix

    Note: Before you begin, please read through these instructions completely, noting all important messages and warnings.
    • Please download ComboFix from HERE or HERE.
    Very Important! Save ComboFix.exe to your Desktop.
    • Close all browsers.
    • Disable your AntiVirus and AntiSpyware applications as they can interfere with running ComboFix. To disable any security programs:
    • Right click on the System Tray icon, or
    • Refer to this link HERE for further assistance.
    • Double click on ComboFix.exe and follow the prompts.
    • When finished, ComboFix will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    Warnings:
    • Do not mouse-click on ComboFix's window while it is running. This may cause it to stall.
    • Do not re-run ComboFix. If problems occur with the installation or running of ComboFix, please reply back for further instructions.
    • Do not attempt to surf the internet while ComboFix is scanning.
    Note: If there is no internet connection after running ComboFix, reboot your computer to restore the connection.
    Very Important! Make sure you re-enable your security programs when ComboFix is finished.

  #6 - Junior Member (Join Date: Mar 2013, Posts: 5)

    ComboFix and RK

    OK, here is the ComboFix report:

    ComboFix 13-04-06.01 - me 04/06/2013 12:07:14.1.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2814.1862 [GMT -4:00]
    Running from: c:\users\me\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\prefs.js
    c:\programdata\SPL7CFA.tmp
    c:\programdata\SPLA88.tmp
    c:\users\me\Logo.png
    c:\users\me\videos\ExpatShield-cnet-DM-232.exe
    c:\users\me\videos\mobcoach2.exe
    c:\windows\wininit.ini
    .
    Infected copy of c:\windows\SysWow64\userinit.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-03-06 to 2013-04-06 )))))))))))))))))))))))))))))))
    .
    .
    2013-04-06 16:16 . 2013-04-06 16:16 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-04-05 07:16 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EB4B2C6F-BBFA-4BBE-997E-7449DC699B2D}\mpengine.dll
    2013-04-01 21:23 . 2013-04-04 16:38 -------- d-----w- c:\users\me\AppData\Roaming\dvdcss
    2013-04-01 21:22 . 2013-04-04 16:39 -------- d-----w- c:\users\me\AppData\Roaming\vlc
    2013-04-01 21:17 . 2013-04-01 21:17 -------- d-----w- c:\program files (x86)\VideoLAN
    2013-03-31 22:56 . 2013-03-31 22:56 -------- d-----w- c:\program files (x86)\Common Files\Java
    2013-03-31 22:56 . 2013-03-31 22:54 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2013-03-31 22:56 . 2013-03-31 22:54 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2013-03-31 22:55 . 2013-03-31 22:54 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2013-03-31 22:45 . 2013-03-31 22:45 -------- d-----w- c:\programdata\McAfee
    2013-03-30 01:42 . 2013-03-30 01:42 -------- d-----w- c:\program files (x86)\ERUNT
    2013-03-30 01:07 . 2013-03-30 01:07 -------- d-----w- c:\users\me\AppData\Local\Macromedia
    2013-03-30 00:48 . 2013-03-30 00:48 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2013-03-28 22:05 . 2013-03-30 02:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2013-03-28 22:05 . 2009-01-25 16:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
    2013-03-28 22:05 . 2013-03-28 22:05 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
    2013-03-14 01:03 . 2013-04-05 08:55 -------- d-----w- c:\users\me\AppData\Roaming\BitTorrent
    2013-03-14 00:58 . 2013-03-14 00:58 -------- d-----w- c:\users\me\AppData\Local\Torch
    2013-03-14 00:22 . 2013-03-14 00:22 -------- d-----w- c:\programdata\CLSoft LTD
    2013-03-14 00:21 . 2013-03-14 00:33 -------- d-----w- c:\programdata\MAgoniPicc
    2013-03-14 00:21 . 2013-03-14 00:33 -------- d-----w- c:\programdata\InstallMate
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-12 05:10 . 2009-11-30 15:39 282744 ------w- c:\windows\system32\MpSigStub.exe
    2013-01-31 13:15 . 2012-04-28 14:02 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-01-31 13:15 . 2012-04-28 14:02 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Global Registration"="c:\program files (x86)\eMachines\Registration\GREG.exe" [2009-07-31 2844704]
    "Organizer Pro"="c:\program files (x86)\Organizer Pro\AtDem.exe" [2005-12-19 32768]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
    "Spybot-S&D Cleaning"="c:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2012-11-13 3713032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    "Lexmark 5600-6600 Series"="c:\program files (x86)\Lexmark 5600-6600 Series\fm3032.exe" [2009-05-11 311976]
    "SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
    .
    c:\users\me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-3-29 1014112]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
    .
    R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
    R2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [x]
    R2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxduserv.exe [2009-10-16 29184]
    R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
    S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [2009-10-16 1039360]
    S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-11-13 1103392]
    S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-11-13 1369624]
    S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-11-13 168384]
    S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2009-07-04 240160]
    S3 athrusb;Netgear WG111T modded device driver;c:\windows\system32\DRIVERS\athrxusb.sys [2009-11-29 1037312]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2009-12-10 c:\windows\Tasks\eMachines Registration Reminder.job
    - c:\program files (x86)\eMachines\Registration\GREG.exe [2009-07-31 06:55]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]
    "lxdumon.exe"="c:\program files (x86)\Lexmark 5600-6600 Series\lxdumon.exe" [2009-05-11 684712]
    "lxduamon"="c:\program files (x86)\Lexmark 5600-6600 Series\lxduamon.exe" [2009-05-11 16040]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/
    uLocal Page = c:\windows\system32\blank.htm
    mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1331&r=173611095203p0324v115r4841s22o
    mStart Page = hxxp://searchou.com/?affil=7&uid=db7d2b60-8c3c-11e2-8bcd-001f16fd7d03
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - ExtSQL: 2013-03-31 17:52; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
    FF - ExtSQL: 2013-03-31 17:57; jid1-F9UJ2thwoAm5gQ@jetpack; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi
    FF - ExtSQL: 2013-03-31 21:24; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
    FF - ExtSQL: 2013-03-31 21:24; {bed1bcec-57d3-47e1-a32b-b4e5f3003019}; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\extensions\{bed1bcec-57d3-47e1-a32b-b4e5f3003019}.xpi
    FF - ExtSQL: 2013-03-31 21:24; extension@stitcher.com; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\extensions\extension@stitcher.com.xpi
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
    Toolbar-Locked - (no file)
    Wow6432Node-HKLM-Run-atr.exe - (no file)
    Notify-SDWinLogon - SDWinLogon.dll
    BHO-{3706EE7C-3CAD-445D-8A43-03EBC3B75908} - c:\program files (x86)\Expat Shield\HssIE\ExpatIE_64.dll
    Toolbar-Locked - (no file)
    AddRemove-InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD} - c:\program files (x86)\InstallShield Installation Information\{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}\setup.exe
    AddRemove-{7F811A54-5A09-4579-90E1-C93498E230D9} - c:\program files (x86)\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
    AddRemove-{EE171732-BEB4-4576-887D-CB62727F01CA} - c:\program files (x86)\InstallShield Installation Information\{EE171732-BEB4-4576-887D-CB62727F01CA}\setup.exe
    AddRemove-{1E8EB086-AE5F-45F6-887C-E5178868290F} - c:\users\me\AppData\Local\{45E721C2-9A3D-4E9E-9572-644CE1F67A8B}\LCSETUP30.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-04-06 12:22:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-04-06 16:22
    .
    Pre-Run: 204,478,431,232 bytes free
    Post-Run: 204,486,074,368 bytes free
    .
    - - End Of File - - 3E5289B2D63DF9B790D39EA455998786


And here is the RogueKiller report again:
    RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files...3-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7600 ) 64 bits version
    Started in : Normal mode
    User : me [Admin rights]
    Mode : Remove -- Date : 04/06/2013 11:51:22
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 4 ¤¤¤
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.0scan.com
    127.0.0.1 0scan.com
    127.0.0.1 www.1000gratisproben.com
    127.0.0.1 1000gratisproben.com
    127.0.0.1 1001namen.com
    127.0.0.1 www.1001namen.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 www.100sexlinks.com
    127.0.0.1 100sexlinks.com
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST332041 8AS SCSI Disk Device +++++
    --- User ---
    [MBR] b435e5ae8313687691ff18e4df5b708f
    [BSP] 4bd9425129f5f628c8bdf1d528185e52 : Acer MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 14336 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 29362176 | Size: 100 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 29566976 | Size: 290807 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[4]_D_04062013_02d1151.txt >>
    RKreport[1]_S_04052013_02d1253.txt ; RKreport[2]_S_04052013_02d1300.txt ; RKreport[3]_S_04062013_02d1150.txt ; RKreport[4]_D_04062013_02d1151.txt


I did get an error message during bootup, but I didn't recognize what it was referring to and I can't remember what it said. It was something about moving on to the next file. I clicked "no" and the error went away.

    Let me know what's next. I really appreciate the help!

  7. #7
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

problems getting rid of malicious cookies

    Hello, eve.online.

    Thank you for the logs.

    Please run the following scans

    1. Junkware Removal Tool

    Please download Junkware Removal Tool from HERE and save it to your desktop.
    • Shutdown your antivirus to avoid any potential conflicts.
    • Right-mouse click JRT.exe and select Run as Administrator.
• JRT will begin to back up your registry and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, the log JRT.txt is saved on your desktop and will automatically open.
    Post the contents of JRT.txt into your next reply.

    2. AdwCleaner

    Please download AdwCleaner from HERE.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on the Delete button.
    • A logfile will automatically open after the scan has finished.
    • You can also find the logfile at C:\AdwCleaner[S1].txt.
    Copy and paste the adwcleaner.txt report into your next reply.

    3. Malwarebytes Anti-Malware

    Please download Malwarebytes from Here or Here.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please.

    4. ESET Online Scanner
    Note:
    • Disable any antivirus program and antispyware programs to avoid conflicts.
    • If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    • Please do not surf the internet while your security programs are disabled.
    • Let the scan run uninterrupted to avoid a stall.
    • Remember to enable your security programs when the scan has finished.
    Run ESET Online Scanner from HERE.
    • Click the green ESET Online Scanner button.
    • Read the End User License Agreement and check the box YES, I accept the Terms of Use.
    • Click on the Start button next to it.
    • If prompted, allow the Add-On/Active X to install.
    Under Computer scan settings:
    • Do not check Remove found threats
    • Check Scan Archives.
    • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
    • Click Start. ESET will download updates, install itself, and begin scanning your computer. Please be patient as this scan could take up to a few hours to complete.
    • Wait for the scan to finish. When the scan completes, click List of found threats.
    • Click Export and save the file to your desktop using a unique name, such as ESETScan.
    • Copy and paste the contents of this report in your next reply.
    • Click the Back button.
    • Click the Finish button.
    5. Clean Up Temp Files

    Please download TFC by OldTimer to your desktop.
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish.
    • Once complete, it should automatically reboot your machine.
    • If your computer does not automatically reboot, manually reboot to ensure a complete clean.

    SUMMARY: In your next reply, please post the following:
    • JRT.txt
    • adwcleaner.txt
    • MBAM log
    • ESET log
    • Let me know how your computer is running at this stage.

  8. #8
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

problems getting rid of malicious cookies

    Hello, eve.online.

    Do you still need help?

  9. #9
    Junior Member
    Join Date
    Mar 2013
    Posts
    5

problems getting rid of malicious cookies

Sorry it took so long to run the last batch of scans. I had a deadline and couldn't risk a problem. Thanks for your patience.

Here is the latest batch of scans. The only problem I ran into was the last scan, TFC, which stalled both times I tried to run it: the first time I forgot to run it as administrator, so when it stalled I aborted and ran it as admin, and it stalled again.

    Thanks
    E


ESET scan
    C:\$RECYCLE.BIN\S-1-5-21-1342298365-2549134341-3604237475-1000\$RNN9NU2.exe Win32/InstalleRex.I.Gen application
    C:\Users\me\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljidpgmdpigjjgieiifpdpkhcbabgabb\1\51411f9b31a0d4.61490956.js Win32/Adware.MultiPlug.H application
    C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-2600181b a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-31f26178 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-3f8f007b a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-49778fb3 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-534bcfd7 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\74558a21-59ae07b3 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\fc6cc7a-6e9f197b Java/TrojanDownloader.OpenStream.NCM trojan
    C:\Users\me\Downloads\cnet2_DoubleCAD-XT-3-1_exe.exe a variant of Win32/InstallCore.D application


    Junkware
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.8.3 (04.05.2013:1)
    OS: Windows 7 Home Premium x64
    Ran by me on Sat 04/13/2013 at 13:43:37.10
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values

    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\main\\Start Page



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] hkey_current_user\software\startsearch
    Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\sprotector
    Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\sp global
    Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\sprotector
    Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{3bd44f0e-0596-4008-aee0-45d47e3a8f0e}



    ~~~ Files



    ~~~ Folders

    Successfully deleted: [Folder] "C:\ProgramData\clsoft ltd"
    Successfully deleted: [Folder] "C:\ProgramData\installmate"
    Successfully deleted: [Folder] "C:\Users\me\appdata\local\torch"
    Successfully deleted: [Folder] "C:\Users\me\appdata\locallow\adawaretb"



    ~~~ FireFox

    Successfully deleted: [File] "C:\Users\me\AppData\Roaming\mozilla\firefox\profiles\bvhir24s.default\extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi"
    Successfully deleted: [Folder] C:\Users\me\AppData\Roaming\mozilla\firefox\profiles\bvhir24s.default\jetpack
    Emptied folder: C:\Users\me\AppData\Roaming\mozilla\firefox\profiles\bvhir24s.default\minidumps [9 files]



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Sat 04/13/2013 at 13:58:18.42
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AdwCleaner

    # AdwCleaner v2.200 - Logfile created 04/13/2013 at 14:02:16
    # Updated 02/04/2013 by Xplode
    # Operating system : Windows 7 Home Premium (64 bits)
    # User : me - ME-PC
    # Boot Mode : Normal
    # Running from : C:\Users\me\Downloads\AdwCleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****


    ***** [Registry] *****

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.7600.16800

    [OK] Registry is clean.

    -\\ Mozilla Firefox v20.0.1 (en-US)

    File : C:\Users\me\AppData\Roaming\Mozilla\Firefox\Profiles\bvhir24s.default\prefs.js

    [OK] File is clean.

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\me\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    -\\ Opera v12.14.1738.0

    File : C:\Users\me\AppData\Roaming\Opera\Opera\operaprefs.ini

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [1342 octets] - [13/04/2013 14:00:25]
    AdwCleaner[S1].txt - [1279 octets] - [13/04/2013 14:02:16]

    ########## EOF - C:\AdwCleaner[S1].txt - [1339 octets] ##########

    and finally MalwareBytes

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.04.13.04

    Windows 7 x64 NTFS
    Internet Explorer 8.0.7600.16385
    me :: ME-PC [administrator]

    4/13/2013 2:08:02 PM
    mbam-log-2013-04-13 (14-08-02).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 215610
    Time elapsed: 4 minute(s), 10 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\ProgramData\MAgoniPicc\51411f9b31c4a.dll (Adware.MultiPlug) -> Quarantined and deleted successfully.

    (end)

  10. #10
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

problems getting rid of malicious cookies

    Hello, eve.online.

    Thank you for your logs. If you require more response time while we work to clean your system, please drop me a quick note so that we do not close this thread.

    Please continue with the following tasks

    1. Show Hidden System Files and Folders

    Some of the files and folders we need to delete are hidden and need to be shown before they can be removed. Do the following:
    • Click Start, then click Control Panel.
    • Locate and double-click Folder Options.
    • Click on the View tab.
    • Under the Advanced Settings section, please do the following:
    • Under Hidden files and folders, check Show hidden files, folders, or drives.
    • Uncheck Hide file extensions for known file types.
• Uncheck Hide protected operating system files (Recommended). When the warning message appears, click YES.
    • Click Apply > OK.
    2. Empty Recycler Folder
    • Empty the Recycle Bin on your desktop.
    • Close all running programs.
• Click Start > Computer.
    • Double click Local Disk (C) > Scroll down to and double click the Recycler folder.
    • Double click the following Recycle bin to show the contents:
    S-1-5-21-1342298365-2549134341-3604237475-1000
    • Click Edit > Select All.
    • Click File > Delete.
    • Exit all windows.
    3. Hide System Files and Folders

    We need to rehide the system files and folders to keep them from being accidentally changed or deleted. Do the following:
    • Click Start, then click Control Panel.
    • Locate and double-click Folder Options.
    • Click on the View tab.
    • Under the Advanced Settings section, please do the following:
    • Under Hidden files and folders, uncheck Show hidden files, folders, or drives.
    • Check Hide file extensions for known file types.
• Check Hide protected operating system files (Recommended). When the warning message appears, click YES.
    • Click Apply > OK.
    4. Clear Java Cache
    • Click Start and select Control Panel.
    • In Classic View, double-click the Java Icon (coffee cup symbol)
    • Under Temporary Internet Files, click Settings.
    • Click the Delete Files button.
    • There are two options in the window to clear the cache. Leave both of these unchecked:
    • Applications and Applets
    • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click OK to exit the Temporary Files Settings.
    • Click OK to exit the Java Control Panel.
    5. Delete Extension(s) in Google Chrome

    To completely remove the following extension from your browser, do this:
    • Open Google Chrome.
    • Click the Chrome menu on the browser toolbar (symbol of 3 horizontal lines).
    • Go to Settings.
    • Click Extensions in the pop-up menu.
    • From the list of installed Extensions, find the following extension:
    ljidpgmdpigjjgieiifpdpkhcbabgabb\1\51411f9b31a0d4.61490956.js
    • Click on the trash can icon to the right of Enable.
    • Close your browser completely and reopen it. The toolbar extension should no longer appear in your Chrome browser.
    6. Reset Your Home Page and Default Search Engine

    Removing the toolbars may have changed your browser settings (homepage, default search engines). If so, please follow the instructions found HERE.

    7. Clean Temp Files with CCleaner

    Since you were unable to run TFC, try this cleaner instead.
    • Download CCleaner from HERE.
    • Double click on the file to begin the installation.
    • Select your language > Click OK > Click Next.
    • Read the license agreement > click I Agree.
    • Click Next to use the default install location > Click Install > Finish.
• Double click the CCleaner shortcut on the desktop to start the program (only if you do not want them deleted).
    Note: If you use Firefox, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.
    • Click on the Options icon (left side) > Click Advanced.
    • Deselect Only delete files in Windows Temp folders older than 48 hours.
    • Click on the Cleaner icon (left side) > Click Run Cleaner.
    • Click Exit when finished.


    Please run DDS again and send me a fresh log. Are there any other issues we need to address?
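As an added example (not part of the thread, and not a script from any of the tools named in it), the following read-only PowerShell audit covers the items the reply above asks the user to handle by hand in steps 1 through 5: the Explorer hidden-file settings, the per-SID recycle bin folder, the Java deployment cache, and the installed Chrome extensions. It also re-checks the two UAC registry values that the RogueKiller report earlier in the thread showed had been set to 0 and repaired. The SID and Chrome extension ID are taken from the thread's own logs and are passed as parameters so they can be changed; the registry key and folder paths are the standard Windows locations, which is an assumption about the machine being audited. The script deletes nothing; the manual steps in the reply remain the removal procedure.

```powershell
# Added example, not from the thread. Read-only audit of the items post #10
# asks the user to clean by hand, plus a re-check of the UAC values RogueKiller
# repaired. Run from an elevated PowerShell prompt on the affected machine.
# Defaults below come from the thread's logs; override them for another machine.
param(
    [string]$RecycleBinSid     = 'S-1-5-21-1342298365-2549134341-3604237475-1000',
    [string]$ChromeExtensionId = 'ljidpgmdpigjjgieiifpdpkhcbabgabb'
)

# 0. UAC values. RogueKiller found EnableLUA=0 and ConsentPromptBehaviorAdmin=0
#    (UAC off, no elevation prompt) and restored 1 and 2. Confirm they stayed fixed.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
[pscustomobject]@{
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    UacLooksHealthy            = ($uac.EnableLUA -eq 1 -and $uac.ConsentPromptBehaviorAdmin -ne 0)
} | Format-List

# 1. Explorer's "show hidden / protected files" toggles (steps 1 and 3).
#    Hidden: 1 = show, 2 = hide. HideFileExt: 0 = show extensions.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey
[pscustomobject]@{
    ShowHiddenFiles      = ($adv.Hidden -eq 1)
    ShowFileExtensions   = ($adv.HideFileExt -eq 0)
    ShowProtectedOSFiles = ($adv.ShowSuperHidden -eq 1)
} | Format-List

# 2. Per-user recycle bin folder (what step 2 empties). -Force lists it
#    regardless of the Explorer settings above; the backtick keeps "$RECYCLE"
#    from being expanded as a variable.
$binPath = Join-Path $env:SystemDrive "`$RECYCLE.BIN\$RecycleBinSid"
if (Test-Path -LiteralPath $binPath) {
    $items = Get-ChildItem -LiteralPath $binPath -Force -Recurse -File -ErrorAction SilentlyContinue
    $sizeMb = [math]::Round((($items | Measure-Object Length -Sum).Sum) / 1MB, 2)
    "Recycle bin for $RecycleBinSid : $($items.Count) file(s), $sizeMb MB"
    $items | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    "No recycle bin folder found at $binPath"
}

# 3. Java deployment cache (step 4). ESET flagged several entries under cache\6.0.
$javaCache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
if (Test-Path -LiteralPath $javaCache) {
    $jc = Get-ChildItem -LiteralPath $javaCache -Recurse -File -Force -ErrorAction SilentlyContinue
    "Java cache: $($jc.Count) file(s) under $javaCache"
} else {
    "Java cache folder not present"
}

# 4. Chrome extensions (step 5): list every installed extension ID with the name
#    from its manifest, and flag the one named in the thread.
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path -LiteralPath $extRoot) {
    Get-ChildItem -LiteralPath $extRoot -Directory | ForEach-Object {
        $manifest = Get-ChildItem -LiteralPath $_.FullName -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
                    Select-Object -First 1
        $name = if ($manifest) {
            (Get-Content -LiteralPath $manifest.FullName -Raw | ConvertFrom-Json).name
        } else { '(no manifest)' }
        [pscustomobject]@{
            Id      = $_.Name
            Name    = $name
            Flagged = ($_.Name -eq $ChromeExtensionId)
        }
    } | Format-Table -AutoSize
} else {
    "Chrome extensions folder not present"
}
```

Extension names that appear as `__MSG_...__` are localized placeholders from the manifest, so match on the ID, not the name. Save the script as a `.ps1` file and run it once before and once after the manual steps; the second run should show an empty recycle bin folder, no Java cache files, and no row with `Flagged` set to True.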
