Halp! No idea what's going on with malware.

This is my HJT! Log. Lots of issues with this malware. Loads into memory so Avast! can’t get rid of it even at a boot time scan. Stuck in lsass.exe and a few other programs. Like 5 that refuse to be cleaned. Any advice?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:19 PM, on 7/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\b\Virus Bullshit\HiJackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM..\Run: [HPBootOp] “C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe” /run
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [BitTorrent DNA] “C:\Program Files\DNA\btdna.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User ‘Default user’)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra ‘Tools’ menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O18 - Filter hijack: text/html - {adb3f550-d422-41b0-8873-0ae43c409a7c} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

Also, I have a couple redirect keys I can’t find that are redirecting my search links on google.


An analysis of your HJT log shows the following problems :

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don’t use any firewall at all.
We recommend that you use a firewall.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
If nothing follows the “,”-sign, you can consider it as safe. Unfortunately, there is the same listing after the comma. The Userinit value specifies what program should be launched right after a user logs into Windows. The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc. for your username. It is possible to add further programs that will launch from this key by separating the programs with a comma. This will make both programs launch when you log in and is a common place for trojans, hijackers, and spyware to launch from. It should be noted that the Userinit and the Shell F2 entries will not show in HijackThis unless there is a non-whitelisted value listed.

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
Unnecessary (deactivated) entry that can be fixed. The entry Run IMVU has been identified as safe.

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Unnecessary (deactivated) entry that can be fixed. The entry Messenger has been identified as safe.

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Unnecessary (deactivated) entry that can be fixed. The entry Messenger has been identified as safe.

O18 - Filter hijack: text/html - {adb3f550-d422-41b0-8873-0ae43c409a7c} - (no file)
Unknown entry. No research results. Unnecessary (deactivated) entry that can be fixed.

I cannot give the running processes as that analysis site is down at this time.
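As an added example (not from the thread or from the analysis site), a Python check that pulls the Userinit value out of an HJT F2 line, splits it on the commas the way Winlogon does, and flags anything beyond the single default entry; on Windows it can also read the live value through winreg. The two sample F2 lines are the ones in the thread; the `read_live_userinit` helper is an assumption about how a practitioner would wire this in.

```python
import re
import sys
from typing import List, Optional, Tuple

# Stock Windows XP value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit,
# as quoted in the analysis above. Compared case-insensitively.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

F2_RE = re.compile(r"UserInit=(.*)$", re.IGNORECASE)


def userinit_from_hjt_line(line: str) -> Optional[str]:
    """Pull the raw Userinit value out of an HJT 'F2 - REG:system.ini: UserInit=...' line."""
    m = F2_RE.search(line.strip())
    return m.group(1).strip() if m else None


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated value into program entries.

    Winlogon runs every non-empty entry in turn, so a trailing comma (the stock
    XP value ends with one) adds nothing and is dropped here.
    """
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def classify_userinit(value: str, default: str = DEFAULT_USERINIT) -> List[Tuple[str, str]]:
    """Return (entry, verdict) per entry.

    default          - first entry is the stock userinit.exe
    unexpected-first - first entry is something else (logon flow replaced)
    extra-path       - an additional program with an explicit path
    extra-bare       - an additional bare file name, resolved through the
                       search path at logon (the thread's 'userinit.exe' case)
    """
    verdicts = []
    for i, entry in enumerate(parse_userinit(value)):
        if i == 0:
            ok = entry.lower() == default.lower()
            verdicts.append((entry, "default" if ok else "unexpected-first"))
        elif "\\" in entry or ":" in entry:
            verdicts.append((entry, "extra-path"))
        else:
            verdicts.append((entry, "extra-bare"))
    return verdicts


def is_clean(value: str) -> bool:
    """True only when the value launches the stock userinit.exe and nothing else."""
    verdicts = classify_userinit(value)
    return bool(verdicts) and all(v == "default" for _, v in verdicts)


def read_live_userinit() -> Optional[str]:
    """On Windows, read the current Userinit value from the registry; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        return winreg.QueryValueEx(key, "Userinit")[0]
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    samples = [
        # Both lines are from the thread: before and after the poster's registry edit.
        r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe",
        r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe",
    ]
    for line in samples:
        value = userinit_from_hjt_line(line)
        print(value, "->", "clean" if is_clean(value) else classify_userinit(value))
```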


O18 - Filter hijack: text/html - {adb3f550-d422-41b0-8873-0ae43c409a7c} - (no file)

Reappeared after fix. I took care of the other three, and changed the registry key of userinit to where it doesn’t have the comma or extra line of userinit.

EDIT: Updated HJT! Log, and I’ll post a log from a previous full scan from Avast!
c:\windows\system\hpsysdrv.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\b\Virus Bullshit\HiJackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM..\Run: [HPBootOp] “C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe” /run
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [BitTorrent DNA] “C:\Program Files\DNA\btdna.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User ‘Default user’)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra ‘Tools’ menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O18 - Filter hijack: text/html - {adb3f550-d422-41b0-8873-0ae43c409a7c} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

Try running these 2 progs, and see what they throw up; quick scans will do. Then post the logs.

http://filehippo.com/download_malwarebytes_anti_malware/

http://filehippo.com/download_superantispyware/

http://i6.photobucket.com/albums/y246/Sohwillkill/untitled-2.png

Link to a SS of what Avast! came up with on the most thorough scan settings.

MBAM report:
Malwarebytes’ Anti-Malware 1.39
Database version: 2425
Windows 5.1.2600 Service Pack 3

7/14/2009 12:52:29 PM
mbam-log-2009-07-14 (12-52-22).txt

Scan type: Quick Scan
Objects scanned: 109521
Time elapsed: 10 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) → No action taken.
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) → No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) → No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) → No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) → No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) → No action taken.

Files Infected:
c:\WINDOWS\system32\UACwibphxnsphibsiche.dll (Trojan.TDSS) → No action taken.
c:\WINDOWS\Temp\UAC1d76.tmp (Trojan.TDSS) → No action taken.
c:\WINDOWS\Temp\UACd939.tmp (Trojan.TDSS) → No action taken.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) → No action taken.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) → No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) → No action taken.
C:\Documents and Settings\HP_Administrator\iexplore.exe (Trojan.Agent) → No action taken.
c:\WINDOWS\system32\SKYNETmfdktaxm.dat (Trojan.Agent) → No action taken.
c:\WINDOWS\system32\SKYNETtbirqpof.dat (Trojan.Agent) → No action taken.
c:\WINDOWS\system32\UACvssgxfbfoasvhwhxj.dll (Trojan.Agent) → No action taken.
c:\WINDOWS\system32\UACyntpwyapqveuunmgn.dll (Trojan.Agent) → No action taken.

Run MBAM again and this time when the scan is complete, all detections should have a check mark in the box to the left of the entry, leave them selected (or select if not selected). At the bottom of the window there is a button, Remove Selected, click that and the items will be removed.

The TDSS is a rootkit which is basically hiding the other elements I believe.

Once you have run MBAM again and got rid of these run SAS again as it may have been reporting some things removed by MBAM, post the log (attach the log file, easier than copy and paste or images) and then run an avast scan.

I don't think you have a chance of removing these with MBAM; they will return on reboot. They are protected by the rootkit (as David said). Once that or they are gone, the rest will be able to be deleted.
Please read the link (which is from a mod at MBAM). Run RootRepeal and post the log, then we can have a good look for the UAC sys file in the drivers: http://www.malwarebytes.org/forums/index.php?showtopic=12709
Your PC is infested.

MBAM has some updates recently to improve the removal of rootkits, so I don’t know how the latest version will fare in this case. These updates are after this topic so it will be interesting to see if the new updates make the topic out of date.

Plus in this case MBAM has been able to be installed and is running, so we will have to see how Poop_Face gets on, but his system, as you say, ‘is infected’ heavily.

I will do a thorough Avast! Pro scan this evening during sleep and post it in the morning, it takes a couple hours to do. This is what I have so far though.

7/14/2009 6:32:43 PM
mbam-log-2009-07-14 (18-32-43).txt

Scan type: Quick Scan
Objects scanned: 108305
Time elapsed: 10 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Nothing found with MBAM.

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/07/14 18:43
Program Version: Version 1.3.2.0
Windows Version: Windows XP Media Center Edition SP3

Hidden/Locked Files

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\hp_administrator\local settings\temp~df356d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp~dfbdb.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp~dfdff7.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Biodome (1996) - DVD Rip - XVID - 16x9 - High Quality - 1024x576 - EMPERORDYNAMITE - Demonoid -\Biodome (1996) - DVD Rip - XVID - 16x9 - High Quality - 1024x576 - EMPERORDYNAMITE - Demonoid -.avi
Status: Locked to the Windows API!

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache\34c3c096d01
Status: Size mismatch (API: 59298, Raw: 16384)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache\385f4abcd01
Status: Size mismatch (API: 81920, Raw: 49152)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache\45df69bbd01
Status: Size mismatch (API: 49152, Raw: 32768)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache\5c2b21d4d01
Status: Size mismatch (API: 32768, Raw: 16384)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache\652b991fd01
Status: Size mismatch (API: 114688, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache\763b453bd01
Status: Size mismatch (API: 30104, Raw: 16384)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache\f89a237bd01
Status: Size mismatch (API: 45631, Raw: 16384)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache_cache_001_
Status: Size mismatch (API: 364931, Raw: 359909)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache_cache_002_
Status: Size mismatch (API: 345749, Raw: 341023)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache_cache_003_
Status: Size mismatch (API: 910893, Raw: 881683)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache\9783ebeed01
Status: Size mismatch (API: 65536, Raw: 32768)

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache\0EDF785Cd01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache\5E53DC8Fd01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache\977F067Cd01
Status: Visible to the Windows API, but not on disk.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/14/2009 at 07:07 PM

Application Version : 4.26.1006

Core Rules Database Version : 3992
Trace Rules Database Version: 1932

Scan type : Quick Scan
Total Scan Time : 00:21:46

Memory items scanned : 546
Memory threats detected : 0
Registry items scanned : 491
Registry threats detected : 0
File items scanned : 13625
File threats detected : 23

Adware.Tracking Cookie
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@realmedia[3].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@media6degrees[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@statcounter[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@insightexpressai[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atdmt[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@specificclick[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adrevolver[3].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@socialmedia[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.bridgetrack[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@247realmedia[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@oasn04.247realmedia[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@zedo[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@advertising[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@media.adrevolver[3].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@qnsr[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@doubleclick[4].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@collective-media[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adbrite[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@cdn4.specificclick[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@specificmedia[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@aff.primaryads[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@network.realmedia[1].txt

Presumably you allowed MBAM to remove the selected files which were found in the first MBAM log?

As nothing was found in the subsequent MBAM.

The RootRepeal scan I’m none too familiar with, but do you always run under the hp_administrator account?

Path: c:\documents and settings\hp_administrator\local settings\temp~df356d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp~dfbdb.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp~dfdff7.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

I would suggest clearing ‘all’ temp folders and also the browser cache before doing scans like this, as it just means additional scanning for what are effectively temporary items. This would probably get rid of all these file size mismatch things, which in this instance I don’t think are an issue.

Can you also reboot the computer and run another MBAM scan and post any findings.
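As an added example (not from the thread or from the RootRepeal tool), a Python parser for the Hidden/Locked Files section of a RootRepeal log that extracts the API and raw sizes and applies the triage rule the reply above describes: size mismatches under temp folders and the browser cache are treated as churn from files being written during the scan, a locked hiberfil.sys/pagefile.sys is expected, and anything else is left for review. The sample log is built from entries in the thread plus one constructed system32 entry (EXAMPLE_hidden.dll, which does not exist in the logs).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four entries copied from the RootRepeal log above and one
# made-up system32 entry so that the 'review' verdict is exercised.
SAMPLE_LOG = r"""
Hidden/Locked Files

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\hp_administrator\local settings\temp~df356d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\i81vgkaw.default\cache\34c3c096d01
Status: Size mismatch (API: 59298, Raw: 16384)

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache\0EDF785Cd01
Status: Visible to the Windows API, but not on disk.

Path: c:\windows\system32\EXAMPLE_hidden.dll
Status: Size mismatch (API: 40960, Raw: 0)
"""

SIZES_RE = re.compile(r"\(API: (\d+), Raw: (\d+)\)")
# temp folders and browser cache directories: expected to change under a running scan
CHURN_RE = re.compile(r"\\(temp|cache)(\\|~|_|$)", re.IGNORECASE)
# files Windows itself keeps open, so a lock on them is normal
SYSTEM_LOCKED = {"hiberfil.sys", "pagefile.sys"}


@dataclass
class Finding:
    path: str
    status: str
    api_size: Optional[int]
    raw_size: Optional[int]
    verdict: str  # 'expected', 'likely-churn' or 'review'


def triage(path: str, status: str) -> str:
    name = path.rsplit("\\", 1)[-1].lower()
    if status.startswith("Locked") and name in SYSTEM_LOCKED:
        return "expected"
    if CHURN_RE.search(path):
        return "likely-churn"
    return "review"


def parse_rootrepeal(text: str) -> List[Finding]:
    """Walk the 'Path:' / 'Status:' pairs and attach sizes and a verdict to each."""
    findings: List[Finding] = []
    path = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Path:"):
            path = line[len("Path:"):].strip()
        elif line.startswith("Status:") and path is not None:
            status = line[len("Status:"):].strip()
            m = SIZES_RE.search(status)
            api, raw = (int(m.group(1)), int(m.group(2))) if m else (None, None)
            findings.append(Finding(path, status, api, raw, triage(path, status)))
            path = None
    return findings


def needs_review(findings: List[Finding]) -> List[Finding]:
    """Only the entries a helper would actually want to look at."""
    return [f for f in findings if f.verdict == "review"]


if __name__ == "__main__":
    for f in parse_rootrepeal(SAMPLE_LOG):
        print(f"{f.verdict:13} {f.path}  [{f.status}]")
```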

So the attached img is the scan results from Avast! Neither SAS nor MBAM detect anything else. Not sure where to go from here.

Anybody suggested a boot time scan with avast!?

(Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested. (Or open the tab at the top left of the scanner screen and select the boot time option from there.))

Already done it. About six times actually. Same results, it gets “rid” of them but they’re always there on reboot.

I hope you have backups of important files :wink:
How to Use the Fdisk Tool and the Format Tool to Partition or Repartition a Hard Disk
http://www.google.ca/search?hl=en&q=how+to+use+format.com&meta=&aq=4&oq=how+to+use+Format

Also, two others were detected during a SAS scan. One win32SMART trojan, the other a generic.