http://forums.spybot.info/showthread...mputer-not-own, thanks a bunch for getting back. I apologize for the late reply. I have not reinstalled the router; hopefully I will have time this weekend. Would you recommend doing it before or after all this? It's a rootkit, no?
DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 9.0.8112.16526
Run by Lynn at 5:17:09 on 2014-01-24
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Lynn\Downloads\aswMBR.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {6C8DB2EC-499B-4897-A784-0E3186C97E9D} - <orphaned>
uRun: [DW7] "c:\program files\the weather channel\the weather channel app\TWCApp.exe"
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect"
StartupFolder: c:\users\lynn\appdata\roaming\micros~1\windows\startm~1\programs\startup\monito~1.lnk - c:\windows\system32\RunDll32.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{547EBCD8-F443-46FF-ACC6-753E28572E1F} : DHCPNameServer = 192.168.1.1
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\32.0.1700.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lynn\appdata\roaming\mozilla\firefox\profiles\tlx9jl26.default\
FF - prefs.js: browser.startup.homepage - Google.com
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_43.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2014-01-24 08:49:32 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b5ecd11e-9713-43a2-8707-17d7647c9b32}\MpKslb67f0fc5.sys
2014-01-24 02:54:24 719224 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b12d2d74-ec4a-4d63-9537-3825f4fd42a7}\gapaengine.dll
2014-01-24 02:48:57 7760024 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b5ecd11e-9713-43a2-8707-17d7647c9b32}\mpengine.dll
2014-01-23 02:46:28 719224 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2014-01-23 02:43:04 7760024 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-01-23 00:03:00 -------- d-----w- c:\program files\HP
2014-01-23 00:02:46 -------- d-----w- c:\users\lynn\appdata\local\HP
2014-01-17 09:15:36 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-01-17 09:15:35 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-14 04:34:52 -------- d-----w- c:\program files\Microsoft Security Client
2014-01-14 04:34:10 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2014-01-04 03:45:11 -------- d--h--w- c:\windows\msdownld.tmp
2014-01-04 03:44:58 -------- d-----w- c:\program files\Microsoft
2014-01-04 03:44:19 -------- d--h--w- c:\programdata\Common Files
2014-01-04 03:44:18 -------- d-----w- c:\users\lynn\appdata\local\MFAData
2014-01-04 03:44:18 -------- d-----w- c:\users\lynn\appdata\local\Avg2014
2014-01-04 03:44:18 -------- d-----w- c:\programdata\MFAData
2014-01-04 02:59:06 7760024 ------w- c:\programdata\microsoft\windows defender\definition updates\{f2046fb7-8e4d-4cd5-a893-f7376af4360f}\mpengine.dll
2014-01-04 02:29:36 -------- d-----w- c:\windows\system32\appmgmt
2013-12-31 07:15:54 -------- d-----w- c:\users\lynn\appdata\local\Macromedia
2013-12-30 18:15:54 -------- d-----w- c:\users\lynn\appdata\local\Mozilla
2013-12-30 18:15:12 -------- d-----w- c:\program files\Mozilla Maintenance Service
2013-12-28 03:58:12 -------- d-----w- c:\windows\Migration
.
==================== Find3M ====================
.
2014-01-19 07:32:23 231584 ------w- c:\windows\system32\MpSigStub.exe
2013-11-14 22:50:50 1806848 ----a-w- c:\windows\system32\jscript9.dll
2013-11-14 22:42:41 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-11-14 22:42:32 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-11-14 22:38:54 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-11-14 22:38:16 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-11-14 22:35:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-10-30 02:13:01 1304064 ----a-w- c:\windows\system32\WMALFXGFXDSP.dll
2013-10-30 02:12:54 335360 ----a-w- c:\windows\system32\SysFxUI.dll
2013-10-30 01:43:04 130048 ----a-w- c:\windows\system32\drivers\drmk.sys
2013-10-30 00:43:06 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2013-10-30 00:35:24 2050560 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 5:17:49.05 ===============
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-01-24 03:49:02
-----------------------------
03:49:02.752 OS Version: Windows 6.0.6002 Service Pack 2
03:49:02.752 Number of processors: 1 586 0x5F02
03:49:02.753 ComputerName: COLLECTIVE UserName: Lynn
03:49:06.048 Initialize success
04:12:13.051 AVAST engine defs: 14012301
04:12:31.886 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000050
04:12:31.910 Disk 0 Vendor: WDC_WD16 05.0 Size: 152627MB BusType: 6
04:12:32.182 Disk 0 MBR read successfully
04:12:32.186 Disk 0 MBR scan
04:12:32.761 Disk 0 Windows VISTA default MBR code
04:12:32.778 Disk 0 Partition 1 00 06 FAT16 9800 MB offset 2048
04:12:32.962 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 142825 MB offset 20072448
04:12:33.199 Disk 0 scanning sectors +312578048
04:12:33.465 Disk 0 scanning C:\Windows\system32\drivers
04:13:10.241 Service scanning
04:13:42.161 Service MpKslb67f0fc5 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B5ECD11E-9713-43A2-8707-17D7647C9B32}\MpKslb67f0fc5.sys **LOCKED** 32
04:14:15.469 Modules scanning
04:14:23.761 Disk 0 trace - called modules:
04:14:23.800 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
04:14:24.185 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84c6d528]
04:14:24.206 3 CLASSPNP.SYS[8619d8b3] -> nt!IofCallDriver -> [0x8396de00]
04:14:24.223 5 acpi.sys[8060a6bc] -> nt!IofCallDriver -> \Device\00000050[0x8396e7f0]
04:14:25.924 AVAST engine scan C:\Windows
04:14:28.770 AVAST engine scan C:\Windows\system32
04:20:38.181 AVAST engine scan C:\Windows\system32\drivers
04:21:06.365 AVAST engine scan C:\Users\Lynn
04:35:26.687 AVAST engine scan C:\ProgramData
04:36:01.106 Scan finished successfully
04:36:24.771 Disk 0 MBR has been saved successfully to "C:\Users\Lynn\Desktop\MBR.dat"
04:36:24.825 The log file has been saved successfully to "C:\Users\Lynn\Desktop\aswMBR.txt"
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-01-24 04:55:00
-----------------------------
04:55:00.186 OS Version: Windows 6.0.6002 Service Pack 2
04:55:00.186 Number of processors: 1 586 0x5F02
04:55:00.186 ComputerName: COLLECTIVE UserName: Lynn
04:55:01.247 Initialize success
04:55:46.440 AVAST engine defs: 14012301
04:55:48.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000051
04:55:48.141 Disk 0 Vendor: WDC_WD16 05.0 Size: 152627MB BusType: 6
04:55:48.234 Disk 0 MBR read successfully
04:55:48.234 Disk 0 MBR scan
04:55:48.250 Disk 0 Windows VISTA default MBR code
04:55:48.266 Disk 0 Partition 1 00 06 FAT16 9800 MB offset 2048
04:55:48.281 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 142825 MB offset 20072448
04:55:48.297 Disk 0 scanning sectors +312578048
04:55:48.344 Disk 0 scanning C:\Windows\system32\drivers
04:55:55.457 Service scanning
04:56:13.896 Modules scanning
04:56:15.831 Disk 0 trace - called modules:
04:56:15.862 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
04:56:16.377 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84c17030]
04:56:16.377 3 CLASSPNP.SYS[861aa8b3] -> nt!IofCallDriver -> [0x84307b78]
04:56:16.377 5 acpi.sys[806176bc] -> nt!IofCallDriver -> \Device\00000051[0x842d0c90]
04:56:17.001 AVAST engine scan C:\Windows
04:56:18.233 AVAST engine scan C:\Windows\system32
04:58:39.647 AVAST engine scan C:\Windows\system32\drivers
04:58:49.569 AVAST engine scan C:\Users\Lynn
05:10:42.737 AVAST engine scan C:\ProgramData
05:11:10.130 Scan finished successfully
05:15:52.807 Disk 0 MBR has been saved successfully to "C:\Users\Lynn\Desktop\MBR.dat"
05:15:52.838 The log file has been saved successfully to "C:\Users\Lynn\Desktop\aswMBR.txt"