Thread: Ruthless Cyber-Thugs - Help needed.

  1. #1
    Junior Member
    Join Date
    Sep 2011
    Posts
    20

    Ruthless Cyber-Thugs - Help needed.

    I was hacked by a ruthless pack of cyber-thugs - social networking gamers on Facebook. They even 'autographed' NTUSER.DAT files that I found hidden in temp directories. Since then, I've rolled my system back to the factory state 3 times. But whatever they've done has changed the way my operating system installs. There are remote connections I can't get rid of, I'm locked out of system files, mysterious programs are loading quietly in the background, and I can't seem to stop it. After this last factory reset, which included a complete format of all but the recovery partition, while physically disconnected from the internet... these programs are still installing themselves before the setup process is even complete, and I don't have 'permission' to get rid of them.

    This is just one personal computer in my home - it should not be connected to any networks, homegroups or workgroups. There should be no shared files. Before the last installation, my desktop was shared, my docs and settings were shared... and I couldn't unshare any of it. Not sure how to fix this. Any help would be greatly appreciated. ERUNT will only run once, but if I try to run it again... it produces errors, saying I'm not authorized. Here's my latest DDS log:

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385
    Run by Leslie at 3:01:04 on 2011-09-05
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2734 [GMT -6:00]
    .
    AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
    C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe
    C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\16.7.0.30\InstStub.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
    uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
    mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
    mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
    mWinlogon: Userinit=userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\IPSBHO.DLL
    BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - C:\ProgramData\Partner\Partner.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\coIEPlg.dll
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    TCP: DhcpNameServer = 66.129.55.2 72.19.160.2 72.19.128.53
    TCP: Interfaces\{189A7EA4-E3E5-4BEB-805A-E0A751964664} : DhcpNameServer = 66.129.55.2 72.19.160.2 72.19.128.53
    Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\CoIEPlg.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\coIEPlg.dll
    BHO-X64: Symantec NCO BHO - No File
    BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\IPSBHO.DLL
    BHO-X64: Symantec Intrusion Prevention - No File
    BHO-X64: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
    BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    BHO-X64: Google Dictionary Compression sdch: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    BHO-X64: Google Dictionary Compression sdch - No File
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\coIEPlg.dll
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [2009-8-28 1150496]
    R2 Norton Internet Security;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe [2009-11-24 117640]
    R2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-11-24 240160]
    S3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2009-11-24 332272]
    .
    =============== Created Last 30 ================
    .
    2011-09-05 09:59:51 -------- d-----w- C:\Windows\NAPP_Dism_Log
    2011-09-05 08:48:18 -------- d-----w- C:\ERUNT
    2011-09-05 08:42:44 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{77A5DAAC-8DC6-49F9-B9B8-C4A270EF2173}\mpengine.dll
    2011-09-05 08:42:43 270720 ------w- C:\Windows\System32\MpSigStub.exe
    2011-09-05 08:29:31 -------- d-----w- C:\Users\Leslie\AppData\Local\Google
    2011-09-05 08:28:52 -------- d-----w- C:\Users\Leslie\Tracing
    2011-09-05 08:28:24 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
    2011-09-05 08:28:24 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
    2011-09-05 08:28:02 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
    2011-09-05 08:27:16 -------- d-----w- C:\Program Files (x86)\Microsoft
    2011-09-05 08:26:58 -------- d-----w- C:\Program Files (x86)\Windows Live SkyDrive
    2011-09-05 08:26:02 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\DSETUP.dll
    2011-09-05 08:26:02 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\DXSETUP.exe
    2011-09-05 08:26:02 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\dsetup32.dll
    2011-09-05 08:25:30 141402440 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\wlcCE65.tmp
    2011-09-05 08:25:20 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
    2011-09-05 08:22:05 2868736 ----a-w- C:\Windows\explorer.exe
    2011-09-05 08:22:05 2613248 ----a-w- C:\Windows\SysWow64\explorer.exe
    2011-09-05 08:20:31 92160 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
    2011-09-05 08:20:31 92160 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
    2011-09-05 08:19:41 311808 ----a-w- C:\Windows\System32\msv1_0.dll
    2011-09-05 08:19:41 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
    2011-09-05 08:19:05 46592 ----a-w- C:\Windows\System32\msasn1.dll
    2011-09-05 08:19:05 34816 ----a-w- C:\Windows\SysWow64\msasn1.dll
    2011-09-05 08:16:11 1320960 ----a-w- C:\Windows\SysWow64\CertEnroll.dll
    2011-09-05 08:16:10 71168 ----a-w- C:\Windows\SysWow64\fontsub.dll
    2011-09-05 08:16:10 366080 ----a-w- C:\Windows\System32\atmfd.dll
    2011-09-05 08:16:10 293888 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2011-09-05 08:16:10 1975296 ----a-w- C:\Windows\System32\CertEnroll.dll
    2011-09-05 08:16:10 108544 ----a-w- C:\Windows\SysWow64\t2embed.dll
    2011-09-05 08:16:09 982600 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
    2011-09-05 08:16:09 148480 ----a-w- C:\Windows\System32\t2embed.dll
    2011-09-05 08:16:09 100864 ----a-w- C:\Windows\System32\fontsub.dll
    2011-09-05 08:16:08 164864 ----a-w- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    2011-09-05 08:16:07 167424 ----a-w- C:\Program Files\Windows Media Player\wmplayer.exe
    2011-09-05 08:15:53 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
    2011-09-05 08:15:53 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
    2011-09-05 08:15:19 -------- d---a-w- C:\book
    2011-09-05 08:14:51 -------- d-----w- C:\Users\Leslie\AppData\Local\VirtualStore
    2011-09-05 08:13:04 -------- d-----w- C:\ProgramData\OEM_E471269A730D
    2011-09-05 08:13:01 -------- d-----w- C:\Program Files (x86)\OEM
    .
    ==================== Find3M ====================
    .
    2011-09-05 09:08:49 6 ----a-w- C:\Windows\System32\PLD_Framework.cmd
    .
    ============= FINISH: 3:01:25.84 ===============

  2. #2
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Hi Lame Gamer,

    Firstly, welcome to Safer Networking.
    My name is Scolabar, and I'll be helping you with your malware problems.
    Logs can take a while to research, so please be patient.

    I am currently working under the guidance of teachers, so everything I post to you will need to be reviewed by them.
    This additional review process can add some extra time to my responses, but hopefully not too much.


    Please note the following important guidelines before proceeding:
    1. The instructions that will be provided are for YOUR computer and system only!
      Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
    2. If you have any questions or do not understand something, please do not hesitate to ask, don't guess or assume.
    3. Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
    4. Only reply to this thread, do not start another. Please, continue responding, until I give you the All Clean.
      Absence of symptoms does not necessarily mean that everything is clear.
    5. DO NOT run any other fix or removal tools unless instructed to do so!
    6. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
    7. Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
    8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    9. Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

    Please Note: If you haven't done so already, please read this topic "BEFORE You POST" (Please read this Procedure Before Requesting Assistance), where the conditions for receiving help here are explained.

    Vista - W7 Advice:
    Please Note: The programs I ask you to use will need to be run in Administrator Mode.
    In order to do this, right-click on the program file and select the Run as Administrator option.
    Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
    If prompted, please click on the Allow button.
    Reference: User Account Control (UAC) and Running as Administrator

    Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or that necessitate your taking your computer to a repair shop.
    In light of this, it would be advisable for you to back up any important files and folders that you don't want to lose before we start.


    If you follow these guidelines, things should proceed smoothly.
    I am currently reviewing your log and will return, as soon as possible, with additional instructions.

    Thank you for your patience.

    Scolabar
    Malware Removal University - You too could train to help others

  3. #3
    Junior Member
    Join Date
    Sep 2011
    Posts
    20

    Thank you. Just letting you know I'm still here.

    I should probably mention a couple of things... I found a bunch of strange computers connected to my system again, which seem to belong to this gaming group on Facebook. In the process of trying to get rid of them, my internet access was disabled for a while. I haven't run any fixes, but I've downloaded/run some of the diagnostic tools and added Spybot S&D and Avast's free antivirus since then... I'm wondering if you need me to post fresh DDS logs?

    Also, I don't own a printer... but can access any instructions online via my G4 phone. I'll wait to hear back from you, and appreciate the help.

    Leslie

  4. #4
    Junior Member
    Join Date
    Sep 2011
    Posts
    20

    P.S. I backed up all my personal files to DVD prior to wiping out my hard drive. The USER files on this computer that Windows 7 would be backing up are corrupted; er, ah... 'autographed' by the people who hacked into my computer, so I'm not sure I want to back those up. I did take screenshots of some of those altered system files, in cases where I could identify the author. (Yes, I know this probably seems weird. Not sure if I'm dealing with amateur hackers or professionals. Either way, this has not been fun.)

  5. #5
    Junior Member
    Join Date
    Sep 2011
    Posts
    20

    Sorry. Just noticed that my 'recovery partition' is listed in the Storage snap-in as 100% free space. Not sure why. I did make a system recovery disk; not sure if that will be corrupted or not, but I made one anyway. Going to bed for now, but will check back here when I wake up.

  6. #6
    Junior Member
    Join Date
    Sep 2011
    Posts
    20

    Every time I turn my computer on now, I find things are getting worse. It's now telling me... not to power off, installing update 80 of 113. The only thing I've done since waking up today was try to view some of the pictures I had saved to DVD... which just caused the system to hang. It acted like it was trying to reformat, so I ejected it... went to restart. Now it's installing a million updates. :(

  7. #7
    Junior Member
    Join Date
    Sep 2011
    Posts
    20

    Sorry, not sure what to do since I haven't heard back from you since your first reply. But, since my computer keeps modifying itself spontaneously... I'm just going ahead with posting a fresh DDS log now. Just to remind you - the only two programs I've personally installed since the first logs are the Avast antivirus and Spybot S&D. The really strange stuff appears on the other 'attach' log... which I'm not sure how to attach here (i.e. the C++, Google Toolbar Notifier, XML editors, script helpers, and other bizarre programs that have 'installed themselves' since the last 'factory' install - I have no clue what they are, and no idea where they came from).

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421
    Run by Leslie at 16:28:39 on 2011-09-07
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2332 [GMT -6:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
    C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\system32\LogonUI.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\SysWOW64\ctfmon.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://google.com/
    uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
    mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
    mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    TCP: DhcpNameServer = 66.129.55.2 72.19.160.2 72.19.128.53
    TCP: Interfaces\{189A7EA4-E3E5-4BEB-805A-E0A751964664} : DhcpNameServer = 66.129.55.2 72.19.160.2 72.19.128.53
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
    BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
    R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-9-6 44768]
    R2 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [2009-8-28 1150496]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-9-5 1153368]
    R2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-11-24 240160]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-5 136176]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-5 136176]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-09-07 22:22:31 607260 ------r- C:\dds.com
    2011-09-07 18:57:35 -------- d-----w- C:\Windows\SysWow64\Wat
    2011-09-07 18:57:35 -------- d-----w- C:\Windows\System32\Wat
    2011-09-07 18:25:14 367104 ----a-w- C:\Windows\System32\wcncsvc.dll
    2011-09-07 18:25:14 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll
    2011-09-07 18:06:30 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
    2011-09-07 18:06:30 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
    2011-09-07 18:06:30 48960 ----a-w- C:\Windows\System32\netfxperf.dll
    2011-09-07 18:06:30 444752 ----a-w- C:\Windows\System32\mscoree.dll
    2011-09-07 18:06:30 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
    2011-09-07 18:06:30 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
    2011-09-07 18:06:30 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
    2011-09-07 18:06:30 1942856 ----a-w- C:\Windows\System32\dfshim.dll
    2011-09-07 18:06:30 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
    2011-09-07 18:06:30 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
    2011-09-07 18:01:33 -------- d-----w- C:\Windows\PCHEALTH
    2011-09-07 17:54:34 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
    2011-09-07 17:54:01 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
    2011-09-07 17:19:56 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
    2011-09-07 17:18:56 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
    2011-09-07 17:17:59 976896 ----a-w- C:\Windows\System32\inetcomm.dll
    2011-09-07 17:13:37 236032 ----a-w- C:\Windows\System32\srvsvc.dll
    2011-09-07 17:13:36 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
    2011-09-07 17:12:35 5507968 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2011-09-07 17:12:33 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2011-09-07 17:12:33 3902336 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2011-09-07 02:39:26 220672 ----a-w- C:\Windows\System32\wintrust.dll
    2011-09-07 02:39:25 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
    2011-09-07 02:39:25 139264 ----a-w- C:\Windows\System32\cabview.dll
    2011-09-07 02:39:25 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
    2011-09-07 02:22:00 -------- d-----w- C:\Users\Leslie\LocaleMetaData
    2011-09-06 02:20:22 601944 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2011-09-06 02:20:20 65368 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2011-09-06 02:19:54 41184 ----a-w- C:\Windows\avastSS.scr
    2011-09-06 02:19:42 -------- d-----w- C:\ProgramData\AVAST Software
    2011-09-06 02:19:42 -------- d-----w- C:\Program Files\AVAST Software
    2011-09-06 00:13:39 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
    2011-09-05 22:34:23 -------- d-----w- C:\Users\Leslie\AppData\Roaming\Safer Networking
    2011-09-05 22:34:06 -------- d-----w- C:\Program Files (x86)\Safer Networking
    2011-09-05 22:28:52 -------- d-----w- C:\Users\Leslie\AppData\Local\ElevatedDiagnostics
    2011-09-05 22:20:10 -------- d-----w- C:\Users\Leslie\AppData\Local\Diagnostics
    2011-09-05 11:12:12 -------- d-----w- C:\Program Files (x86)\ESET
    2011-09-05 10:52:05 294400 ----a-w- C:\exeHelper.com
    2011-09-05 10:37:43 -------- d-----w- C:\unhide
    2011-09-05 10:13:09 -------- d-----w- C:\rk5
    2011-09-05 10:12:31 -------- d-----w- C:\rk4
    2011-09-05 10:11:45 -------- d-----w- C:\rk3
    2011-09-05 10:11:09 -------- d-----w- C:\rk2
    2011-09-05 10:06:14 -------- d-----w- C:\rk1
    2011-09-05 09:59:51 -------- d-----w- C:\Windows\NAPP_Dism_Log
    2011-09-05 09:10:44 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2011-09-05 09:10:44 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
    2011-09-05 08:48:18 -------- d-----w- C:\ERUNT
    2011-09-05 08:42:44 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{77A5DAAC-8DC6-49F9-B9B8-C4A270EF2173}\mpengine.dll
    2011-09-05 08:42:43 270720 ------w- C:\Windows\System32\MpSigStub.exe
    2011-09-05 08:29:31 -------- d-----w- C:\Users\Leslie\AppData\Local\Google
    2011-09-05 08:28:52 -------- d-----w- C:\Users\Leslie\Tracing
    2011-09-05 08:28:24 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
    2011-09-05 08:28:24 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
    2011-09-05 08:27:16 -------- d-----w- C:\Program Files (x86)\Microsoft
    2011-09-05 08:26:02 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\DSETUP.dll
    2011-09-05 08:26:02 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\DXSETUP.exe
    2011-09-05 08:26:02 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\dsetup32.dll
    2011-09-05 08:25:20 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
    2011-09-05 08:19:41 311808 ----a-w- C:\Windows\System32\msv1_0.dll
    2011-09-05 08:19:41 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
    2011-09-05 08:19:05 46592 ----a-w- C:\Windows\System32\msasn1.dll
    2011-09-05 08:19:05 34816 ----a-w- C:\Windows\SysWow64\msasn1.dll
    2011-09-05 08:16:11 1320960 ----a-w- C:\Windows\SysWow64\CertEnroll.dll
    2011-09-05 08:16:10 1975296 ----a-w- C:\Windows\System32\CertEnroll.dll
    2011-09-05 08:15:19 -------- d---a-w- C:\book
    2011-09-05 08:14:51 -------- d-----w- C:\Users\Leslie\AppData\Local\VirtualStore
    2011-09-05 08:13:04 -------- d-----w- C:\ProgramData\OEM_E471269A730D
    .
    ==================== Find3M ====================
    .
    2011-09-06 00:13:39 902656 ----a-w- C:\Windows\System32\d2d1.dll
    2011-09-05 09:08:49 6 ----a-w- C:\Windows\System32\PLD_Framework.cmd
    2011-07-16 05:26:54 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2011-07-16 05:26:53 243200 ----a-w- C:\Windows\System32\wow64.dll
    2011-07-16 05:26:53 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2011-07-16 05:26:18 214528 ----a-w- C:\Windows\System32\winsrv.dll
    2011-07-16 05:24:09 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2011-07-16 05:21:32 422400 ----a-w- C:\Windows\System32\KernelBase.dll
    2011-07-16 05:17:46 338432 ----a-w- C:\Windows\System32\conhost.exe
    2011-07-16 04:36:09 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2011-07-16 04:32:14 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2011-07-16 04:31:50 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2011-07-16 04:30:29 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2011-07-16 04:30:27 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2011-07-16 02:26:12 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2011-07-16 02:26:11 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2011-07-16 02:21:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2011-07-16 02:21:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2011-07-16 02:21:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2011-07-16 02:21:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2011-07-09 05:14:10 2048 ----a-w- C:\Windows\System32\tzres.dll
    2011-07-09 04:30:52 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-07-09 02:44:55 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
    2011-06-21 06:27:14 1896832 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2011-06-15 09:58:31 212992 ----a-w- C:\Windows\System32\odbctrac.dll
    2011-06-15 09:58:31 163840 ----a-w- C:\Windows\System32\odbccp32.dll
    2011-06-15 09:58:31 106496 ----a-w- C:\Windows\System32\odbccu32.dll
    2011-06-15 09:58:31 106496 ----a-w- C:\Windows\System32\odbccr32.dll
    2011-06-15 09:04:46 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
    2011-06-15 09:04:46 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
    2011-06-15 09:04:46 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
    2011-06-15 09:04:46 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
    2011-06-15 09:04:46 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
    2011-06-11 02:56:44 3134464 ----a-w- C:\Windows\System32\win32k.sys
    .
    ============= FINISH: 16:29:39.52 ===============

  8. #8
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Default

    Hi Lame Gamer,

    Thank you again for your patience.

    Please read these instructions carefully before executing and perform the steps, in the order given.
    If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed; post back with the question or problem before going any further.

    Before we proceed please make sure any open programs are closed.

    Step 1:
    Sensitive Data Query

    I understand from what you have said that this computer has been seriously compromised, as a result of which you have attempted to remedy the situation by restoring the computer to the factory default state.
    Please confirm whether or not this computer has been used to hold any sensitive, personal data. If so:

    You are strongly advised to do the following:
    • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
    • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft
      and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
    • From a clean computer, change all your passwords
      (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, any online activity you perform, requiring a username and password).
      Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.
    • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.


    Step 2:
    Computer Access Query

    Please confirm whether or not you have access to another computer (- a friend's or neighbour's computer) that you can use to download the tools I will be asking you to use.

    Step 3:
    Rkill

    Firstly we will try to stop any active rogue processes that may interfere with the cleanup attempt:

    1. Please download Rkill by Grinler. Save it to your Desktop.
      Alternate download links are available as follows: Two, Three or Four.
      Note: If your security software warns about Rkill, please ignore and allow the download to continue.
    2. Double-click on the Rkill Desktop icon.
      Vista - W7 users: Right-click on the Rkill Desktop icon and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
    3. A command window will open, then disappear upon completion; this is normal.
      • If this does not happen, delete the file, then download and use the next alternative link provided.
      • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

      Do not reboot your machine until asked to do so. If no version of Rkill would run, please let me know.
    4. When finished, Notepad will open with a log file, automatically saved at C:\rkill.log.
    5. Copy and Paste the entire contents of the rkill.log file into your next reply.
      Note: Please leave Rkill on the Desktop unless instructed otherwise.

    Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software, trying to "protect" itself from being terminated or removed. If you see such a warning, leave the warning on the screen, then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself, so that Rkill can perform its routine.

    Step 4:
    RSIT (Random's System Information Tool)

    Let's run RSIT to see if this tool can uncover some more information about the computer problems you have been experiencing.

    Please download RSIT by random/random and save it to your Desktop.
    1. Double-click on RSITx64.exe to run the program. Read the disclaimer and then click on the Continue button.
      Vista - W7 users: Right-click RSITx64.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
    2. RSIT will start running.
    3. When the program has finished, two log files will automatically open in Notepad:
      • log.txt <-- Will be opened, maximized.
      • info.txt <-- Will be minimized on task bar.
    4. Please Copy and Paste the entire contents of both log.txt and info.txt files into your next reply.
      Note: These logs can be lengthy, so post 1 log per reply please.


    Step 5:
    aswMBR - Scan

    1. Please download aswMBR.exe © Avast Software ( 511KB ) and Save it to your Desktop.
    2. Double-click on aswMBR.exe to run the program.
      Vista - W7 users: Right-click on aswMBR.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
    3. Click on the Scan button to start the scan.
    4. On completion of the scan the following message will be displayed: "Scan finished successfully". Click on the Save log button.
    5. You will be prompted to save a file named aswMBR.txt. Save it to your Desktop.
    6. Please Copy and Paste the contents of aswMBR.txt into your next reply.


    Please Note: A file named MBR.dat will be created and placed on your desktop when you execute aswMBR. This is a copy of your MBR record before any changes are made; it can be used to recover the MBR record to its previous condition if problems exist after changes.

    Step 6:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. Has the computer been used to hold any sensitive, personal data at any point?
    3. Do you have access to another computer (- either a friend's or neighbour's)?
    4. rkill.log.
    5. log.txt.
    6. info.txt.
    7. aswMBR.txt.
    8. Do you have the original Windows installation media for your PC?


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others
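The note in Step 5 says aswMBR saves MBR.dat, a copy of the MBR taken before any change. The following is an added example, not code from the thread or from aswMBR, that parses such a backup so its boot signature and partition table can be checked and its boot code hashed for later comparison; it assumes MBR.dat is a raw copy of the disk's first 512-byte sector, and the sample bytes are constructed here, not taken from any posted log.

```python
"""Parse an aswMBR-style MBR.dat backup (the raw 512-byte first sector of a disk).

Added example, not part of the thread or of aswMBR itself. It assumes MBR.dat is a
raw copy of sector 0; the sample bytes below are constructed, not from any log.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bootstrap code precedes the partition table
PART_TABLE_OFF = 446     # four 16-byte entries follow the boot code
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"  # boot signature at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, a hash of the boot code and the partition entries."""
    if len(sector) < SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:  # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        # Hash of the bootstrap code: compare against a later dump to spot changes
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS partition (type 0x07) starting at LBA 2048."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xeb\x63\x90"  # a JMP, as real boot code begins
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def load_mbr_file(path: str) -> dict:
    """Parse an on-disk MBR.dat, such as the copy aswMBR saves to the Desktop."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR))
```

Running `load_mbr_file` on the Desktop copy before and after a repair and comparing the two `boot_code_sha256` values shows whether the bootstrap code actually changed.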

  9. #9
    Junior Member
    Join Date
    Sep 2011
    Posts
    20

    Default

    Sooo relieved to hear from you, thanks so much for trying to help me with this.

    Mostly, I've left this computer off over the last couple days - with internet access physically disconnected. Using my mobile phone to check this thread for replies. I already have rkill saved to disk... Need to download the others.

    And, technically.... I don't have access to another pc right now - although I could put my old one back together. (I took it apart after I got this one.) The thing is... there is personal info on that hard drive. Since I don't really understand how these people are connecting to my system in the first place, I'm paranoid about hooking the other one back up right now. I've already backed up everything I'd wanted to save from this infected machine - would just need to download the other tools you want me to try from the internet. I could save those to dvd, then disconnect from the Ethernet adapter before I run them.

    But...erm, how would I post the logs here. Lol.

    More coffee is needed. Let me charge up my mobile batteries while I figure something out.

  10. #10
    Junior Member
    Join Date
    Sep 2011
    Posts
    20

    Default

    Okay. I pieced together a second system here, using parts of 'retired' computers which were just taking up closet space.

    So in summary - here's where I'm at:

    You said: Step 6/Include in Next Post:

    a) Did you have any problems carrying out the instructions?
    Not so far. Will let you know how the rest goes...

    b) Has the computer been used to hold any sensitive, personal data at any point?
    Yes, but nothing that would include bank account numbers. I mostly used that system just for gaming, and emailing pictures to my mom. I've changed my Facebook passwords already, and saved anything I wanted to keep to DVD. (Not sure if anything I saved to DVD could start this all over again or not...)

    c) Do you have access to another computer (- either a friend's or neighbour's)?
    I do now. (Even though, this second PC is connected through the same internet connection as the other one was - but the infected PC is no longer online, and will be kept totally isolated from this alternate system unless it gets fixed. )

    d) I'll download rkill, RSIT, and aswMBR next; save those to disks. Will post the following logs after I've run those...
    rkill.log.
    log.txt.
    info.txt.
    aswMBR.txt.

    e) Do you have the original Windows installation media for your PC?
    hmmm. Yes and no.
    The infected computer did not come with recovery disks. I had to make those myself. (and it's possible the computer was already compromised when I did that - not sure) Supposedly there is a 'recovery partition' too.

    The thing is, both ways (recovery disks and recovery partition) have produced the same results so far... which was NOT like the factory state at all. Not sure how that was possible, but that's what kept happening. It was as if the process of actually restoring the PC to the factory state was re-routed somehow, and all this other junk I was trying to get rid of was restored right along with it. Besides that... the so-called 'recovery partition' is most recently listed as '100% Free space' in the disk management snap-in. lol. (I won't pretend to understand why - I just don't remember it being listed that way before.)

    Therefore, I can't promise that the recovery disks or the recovery partition will function as intended. I also made a 'repair disk' via one of the control panel options inside Windows 7 - (post infection, for sure) which I have not tried. (The other 'recovery' disks were created using the eMachines application. Those appear to be borked, IMHO... I have the option to remake those, if you think it would help.. at any point during the cleaning process?)

    Again... thanks so much for your help with this. I had completely run out of ideas to try by the time I left this post here.
