
braviax plus more

breakawayjade

New member
God help me, my computer got infected with the braviax virus or whatever. It took me two weeks to find something to remove it, but in the meantime it downloaded everything under the sun, including virtuemonde and smithfraud and something called fraudantimalware or something like that. Either way, every time I run a scan on my comp the same things pop up and I'll get rid of some of them, but it'll say I need to do a restart and scan to fix it, but it never does. Every time I rescan about 7 or 8 more new things pop up. It's so bad now that my computer is shutting down on its own. TeaTimer is nonstop bringing up stuff to get my approval or deny on, and I've denied so many things that I don't even know what I'm denying. Everything seems to be hitting or coming from system32 and that's all that I'm getting asked for approvals on. I'm not on my computer now because I can't seem to keep Internet Explorer open long enough to bring this page up. Someone help!
 
Hello breakawayjade

Welcome to Safer Networking.

Please read Before You Post
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key somewhat rapidly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll up to Safe Mode with Network Support
  • Then press the Enter key on your keyboard
Tutorial if you need it: How to boot into Safe Mode


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.



Download Trend Micro's HijackThis to your desktop.
  • Double click it to install
  • Follow the prompts and by default it will install in C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
  • Open HJT, Scan and Save a Log File; it will open in Notepad
  • Go to Format and make sure Word Wrap is unchecked
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply rather than starting a new thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


If you can't do this in Safe Mode, then try downloading both these programs on a known clean computer, copy them to a CD or thumb drive, and transfer them to the infected computer. Run Malwarebytes first; don't worry about updating it right now unless you can in Safe Mode. We can run another scan later when your system is running more normally.


I need to see the Malwarebytes log and a HijackThis log, please.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:13 PM, on 10/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.download.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219236903822
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B8AEC40-AC9F-4E61-BA22-67BE0E14EC96}: NameServer = 205.171.3.65,205.171.2.65
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: awtRIbBs - C:\WINDOWS\
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O23 - Service: Windows Network Data Management System Service (bndmss) - Unknown owner - C:\WINDOWS\system32\bndmss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5430 bytes


Malwarebytes' Anti-Malware 1.28
Database version: 1230
Windows 5.1.2600 Service Pack 2

10/5/2008 5:42:55 PM
mbam-log-2008-10-05 (17-42-55).txt

Scan type: Quick Scan
Objects scanned: 100655
Time elapsed: 33 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 60
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 9
Files Infected: 147

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtrSkLB.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jsd72hf4t.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2681de42-78ea-4813-8362-da97cd2e60aa} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2681de42-78ea-4813-8362-da97cd2e60aa} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\oincs.oinanalytics (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6b221e01-f517-4959-8c41-81948e7f2f17} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\oincs.oinanalytics.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6c51f7e9-8542-4f25-a30f-2060157752e1} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9d573d0e-663c-435f-bf31-2c4497373c41} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f3777260-7308-464a-baa2-cc492c0ce7d2} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{4d25f920-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4d25f923-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{90a52f08-64ac-4dc6-9d7d-4516670275d3} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83ec9074-6cba-43e8-b7e0-6a3809c4a958} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d360501e-dc73-4de6-a61c-21925aed7835} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9668ada-fc6b-47f4-8381-de861dba5115} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f7fa36a4-3177-4b57-b9c1-e9c5b2e0d3a9} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{90a52f08-64ac-4dc6-9d7d-4516670275d3} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{de8245fb-063f-4793-8423-eaba08457382} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e1d45a8-0368-4efa-a163-128b867624cd} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b5bf6844-ec92-4d15-bdc3-a458127d7ba7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{36510bd1-6732-43bb-8c44-32535bcf0282} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9bda59fc-79c7-47f7-87f1-4d9dc861dac3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fa43e537-7082-2a53-ae4f-7ba2e3cd4a91} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\458a6951 (Rootkit.Rustok) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\458a6951 (Rootkit.Rustok) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\458a6951 (Rootkit.Rustok) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\d3d3c32d (Rootkit.Rustok) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\d3d3c32d (Rootkit.Rustok) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d3d3c32d (Rootkit.Rustok) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oinanalytics (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\OINAnalytics.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnskdfmf9eldfd (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnskdfmf9eldfd (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtrsklb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtrsklb -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WA7P (Unknown.Vundo.Related) -> Quarantined and deleted successfully.
C:\WA7P\Quar (Unknown.Vundo.Related) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\OINAnalytics (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\searchtoolbarcorp (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\searchtoolbarcorp\Toolbar Vision (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\awtrSkLB.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\BLkSrtwa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BLkSrtwa.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awoqiwfm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mfwiqowa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\duhrasiq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qisarhud.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kouascch.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hccsauok.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ornwwqas.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\saqwwnro.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wbawmyxj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jxymwabw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jsd72hf4t.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Miss Casey\Local Settings\Temp\csrssc.exe (Trojan.Clicker) -> Delete on reboot.
C:\WINDOWS\Temp\csrssc.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\OINAnalytics\OINAnalytics.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\USYP_0002_N91M0908NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\USYP_0002_N91M1708NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.14\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.15\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.16\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.17\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.18\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.19\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.20\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UWA6P_0001_N91M1807NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\0032920b.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\00330d07.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\00334eb4.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\0b6b0ca8.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\0b6b4915.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\81xBu0eE.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\alofptld.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ariuotyv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crylulfy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ehgwdgww.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mulqwpre.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nljuyk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvahdoou.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvrsol32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\paso.el (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\plkkrx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prldvd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rs32net.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uoauaa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vgwjdkkq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wtaxfe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xauyvi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xkktmw.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ysvepp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YWg4o6lm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\458a6951.sys (Rootkit.Rustok) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Rootkit.Rustok) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\d3d3c32d.sys (Rootkit.Rustok) -> Quarantined and deleted successfully.
C:\sqffic.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\svjy.exe (Trojan.ErtFor) -> Quarantined and deleted successfully.
C:\vapu.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\yvcmiucb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temp\2333607564.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AL4FQOZI\a1[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KWFGPJ5V\c3[1].exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KWFGPJ5V\e5[1].exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KWFGPJ5V\install[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KWFGPJ5V\meane[1].stf (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3C4MILB\e5[1].exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\PCMPUTHE\b2[1].exe (Trojan-Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ZW2HQIEM\c3[1].exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\188UEEW2\vfccfst[3].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\188UEEW2\vfcpp[1].htm (Trojan.ErtFor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\44LY4X70\asuper2[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\44LY4X70\yrsfpthuh[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\4ZQIAVT7\burrsstgu[1].txt (Trojan.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\4ZQIAVT7\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\5B8Y4613\qajghhvijw[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\5B8Y4613\qnjkxuu[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\D4KW4SDR\qnjkxuu[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\D4KW4SDR\qnjkxuu[3].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\D4KW4SDR\yrsfpthuh[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\E0VHAYW3\cmijwkxllm[1].htm (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\E0VHAYW3\qajghhvijw[2].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\E0VHAYW3\vfccfst[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\ES1KQGEU\asuper1[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\ES1KQGEU\qajghhvijw[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\ES1KQGEU\vfccfst[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\M8JJR675\Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\NSH8V8ZB\asuper[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\NSH8V8ZB\qnjkxuu[2].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Local Settings\Temporary Internet Files\Content.IE5\NSH8V8ZB\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\Microsoft\wrgnqp.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\OINAnalytics\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\speedrunner\SpeedRunner.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\speedrunner\SRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\can.sdr (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ffcty.sp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\io.e18 (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mnax.help (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onmac.frv (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\SAV\SAV.exe (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\SAV.cpl (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav0.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav1.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav.ooo (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\81xBu0eE.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YWg4o6lm.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssserf1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\BM73d64617.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM73d64617.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\Desktop\System Antivirus 2008.lnk (Rogue.SystemAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat60.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat61.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat62.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat63.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat64.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat65.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat66.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat67.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat68.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat69.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat6A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat6B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat6C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat6D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat6E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\dat6F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miss Casey\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
 
Oh, since I did that malware thing, no buttons or pictures show; I have to right-click them and choose Show Picture for them to show up... that could get REALLY annoying really quickly. Can we fix that too? Thanks sooo much, Casey
 
Good Morning,

Let's not worry about the pictures right now; this was and still is a very heavily infected computer.

Do this first... Important

Disable the TeaTimer and leave it disabled until we're done, or it will prevent fixes from taking.

  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
  • On the left hand side, click on Tools.
  • Then click on the Resident icon in the list.
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer. <-- You need to do this for it to take effect.




Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: awtRIbBs - C:\WINDOWS\

O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)

O23 - Service: Windows Network Data Management System Service (bndmss) - Unknown owner - C:\WINDOWS\system32\bndmss.exe




Then do this next
  • Open HJT > Misc Tools > Delete an NT Service
  • Type in bndmss
  • Then click on OK; it will ask you to reboot, so do so.





Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.






Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net.


2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no Internet connection when ComboFix has completely finished, restart your computer to restore the connections.

3. Now double-click on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.



I need to see the ComboFix log and a new HijackThis log in normal Windows please, not Safe Mode, or it won't be showing everything.
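As an added example (not HijackThis's code and not from this thread), the reasoning behind the four entries picked out above, written as triage rules that run over HijackThis log lines. The sample lines are constructed for the example; the second O23 service is a made-up benign entry so the rules can be seen to ignore ordinary lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the four entries flagged in the post above plus two
# ordinary lines (a standard ctfmon Run entry and a made-up vendor service).
# Backslashes are doubled because these are ordinary Python strings.
SAMPLE_LOG = [
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
    "O20 - AppInit_DLLs: karna.dat",
    "O20 - Winlogon Notify: awtRIbBs - C:\\WINDOWS\\",
    "O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)",
    "O23 - Service: Windows Network Data Management System Service (bndmss) "
    "- Unknown owner - C:\\WINDOWS\\system32\\bndmss.exe",
    "O23 - Service: Example AV Service (kavsvc) - Example Vendor "
    "- C:\\Program Files\\Example AV\\kavsvc.exe",
]

APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
WINLOGON = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SSODL = re.compile(r"^O21 - SSODL: (?P<name>[^-]+) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
SERVICE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.*)$"
)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section prefix, e.g. "O23"
    line: str      # the offending log line, unchanged
    reason: str    # why a reviewer would want it fixed


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis line, or None if it looks ordinary."""
    line = line.rstrip()
    section = line.split(" - ", 1)[0]

    m = APPINIT.match(line)
    if m:
        # AppInit_DLLs is loaded into every process that links user32.dll;
        # legitimate software seldom uses it, so any value is worth a look.
        value = m.group("value").strip()
        if value:
            return Finding(section, line,
                           f"AppInit_DLLs value present: {value!r} is loaded into every GUI process")
        return None

    m = WINLOGON.match(line)
    if m:
        # A genuine Winlogon Notify package names a DLL; a bare directory
        # (as in the sample) means the hook is registered but points at no file.
        if not m.group("path").lower().endswith(".dll"):
            return Finding(section, line,
                           f"Winlogon Notify package {m.group('name')!r} does not point at a DLL file")
        return None

    m = SSODL.match(line)
    if m:
        # ShellServiceObjectDelayLoad objects are loaded by Explorer at logon;
        # an entry whose file is gone is a dangling registration to clean up.
        if m.group("path").strip().lower() == "(no file)":
            return Finding(section, line,
                           f"SSODL entry {m.group('name').strip()!r} references a missing file")
        return None

    m = SERVICE.match(line)
    if m:
        # A service with no registered owner whose binary sits inside the
        # Windows directory is the pattern the helper singled out above.
        in_windows_dir = "\\windows\\" in m.group("path").lower()
        if m.group("owner").strip().lower() == "unknown owner" and in_windows_dir:
            return Finding(section, line,
                           f"service {m.group('short')!r} has no registered owner "
                           "and runs from the Windows directory")
        return None

    return None


def triage_log(lines: List[str]) -> List[Finding]:
    """Apply triage_line to every line of a HijackThis log and collect the findings."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

Paste a whole HijackThis log into `triage_log` and it returns only the lines matching these four patterns; everything else, including the benign sample lines, comes back clean.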
 
So I ran HijackThis and deleted all the items you said, then went to Delete an NT Service and tried to delete bndmss, and it said it's running and can't be deleted. I tried to bring up Task Manager and end the process; that won't end it. I tried to rescan with HijackThis and deleted the O23 again, and it still won't work. ??
 
  • Go to Start > Run, type in services.msc, then press Enter.
  • Scroll down to Windows Network Data Management System Service.
  • Double-click that service to open it.
  • Click on Stop Service.
  • Then change the Startup Type to Disabled.
  • OK your way out of the program.


  • Open HJT > Misc Tools > Delete an NT Service
  • Type in bndmss
  • Then click on OK, it will ask you to reboot, do so.




Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\bndmss.exe
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Then run ATF Cleaner and ComboFix.
 
Sigh, I don't have the option to stop it; Start, Stop, Pause and Resume are all gray. I tried to disable it but it didn't work. I tried rebooting and it was still there. I ran OTMoveIt and this is what I got:


C:\WINDOWS\system32\bndmss.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10062008_182327


I went back to the Services part, but it's still there, and I tried to run HijackThis again, but it's giving me the same message: it can't be moved because it's in use.


I'm sorry, I hate my computer right now too.
 
I pulled up Task Manager and tried to end bndmss... and for some random reason it worked. I used HijackThis to delete it and it worked, and when I run OTMoveIt it says it can't be found, so... on to the other stuff... running it right now.
 
HijackThis and ComboFix

ComboFix 08-10-06.05 - Miss Casey 2008-10-06 18:56:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.480 [GMT -7:00]
Running from: C:\Documents and Settings\Miss Casey\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Miss Casey\Application Data\Adobe\Player.exe
C:\Documents and Settings\Miss Casey\err.log
C:\Documents and Settings\NetworkService\Application Data\FNTS~1
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\ppatch~1\??pPatch\
C:\Program Files\Common Files\ppatch~1\rundll32.exe
C:\Program Files\DefenderPro AntiSpy\AntiSpy\Def\CnsMin.dsc
C:\Program Files\DefenderPro AntiSpy\AntiSpy\Def\CnsMin.prf
C:\Program Files\install provider
C:\Program Files\install provider\data.ini
C:\Program Files\install provider\InstallProvider.dll
C:\Program Files\install provider\InstallProvider.dlldat
C:\Program Files\install provider\InstallProvider_1.dll
C:\Program Files\SAV
C:\Program Files\stem~1
C:\Program Files\stem~1\n?tdde.exe
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N68M2301NetInstaller.exe
C:\WINDOWS\ecurit~1
C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\dfhkj.tmp2
C:\WINDOWS\system32\gulrxbma.dll
C:\WINDOWS\system32\spgmpjyb.ini
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\TDSSerrors.log

----- BITS: Possible infected sites -----

hxxp://78.157.143.163
hxxp://78.157.143.198
hxxp://91.203.93.6
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Legacy_VSPF
-------\Legacy_VSPF_HK


((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.

2008-10-06 18:23 . 2008-10-06 18:23 <DIR> d-------- C:\_OTMoveIt
2008-10-05 20:44 . 2008-10-05 20:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Documents and Settings\Miss Casey\Application Data\Malwarebytes
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-05 14:03 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-05 14:03 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-04 15:47 . 2008-10-04 15:47 2,441 --a------ C:\rdafenj.exe
2008-10-04 15:27 . 2008-10-04 15:47 59,392 --a------ C:\sisonvnp.exe
2008-10-04 15:18 . 2008-10-04 15:18 10,240 --a------ C:\WINDOWS\system32\brastk.exe
2008-10-04 15:18 . 2008-10-04 15:18 10,240 --a------ C:\WINDOWS\brastk.exe
2008-10-04 15:18 . 2008-10-04 15:18 6,144 --a------ C:\WINDOWS\system32\karna.dat
2008-10-04 15:18 . 2008-10-04 15:18 6,144 --a------ C:\WINDOWS\karna.dat
2008-10-04 12:16 . 2008-10-05 09:56 31,744 --a------ C:\Documents and Settings\Miss Casey\skp66.exe
2008-09-27 17:22 . 2008-09-27 17:23 229,508 --a------ C:\WINDOWS\system32\0b6b235d.exe
2008-09-27 10:37 . 2008-09-27 10:37 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
2008-09-20 12:30 . 2008-09-27 10:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-20 12:30 . 2008-09-20 12:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-17 14:50 . 2008-09-17 14:50 69,120 --a------ C:\WINDOWS\system32\icalc32.exe
2008-09-14 20:08 . 2008-09-14 20:09 <DIR> d-------- C:\WINDOWS\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 19:14 577,536 ----a-w C:\WINDOWS\system32\user32.DLL
2008-10-04 19:14 577,536 ----a-w C:\WINDOWS\system32\dllcache\user32.dll
2008-10-02 13:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-29 03:14 90,112 ----a-w C:\WINDOWS\DUMP3306.tmp
2008-09-15 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-11 18:17 --------- d-----w C:\Program Files\DefenderPro AntiSpy
2008-09-11 18:15 --------- d-----w C:\Program Files\MSN Games
2008-09-05 20:55 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\LimeWire
2008-08-30 17:53 --------- d-----w C:\Program Files\Palm
2008-08-29 16:17 --------- d-----w C:\Program Files\World of Warcraft
2008-08-24 05:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 15:49 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\AdobeUM
2008-08-20 12:31 --------- d-----w C:\Program Files\DivX
2008-08-16 19:41 --------- d-----w C:\Program Files\Common Files\Real
2008-08-16 19:36 --------- d-----w C:\Program Files\Google
2008-08-16 19:36 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\PlayFirst
2008-08-16 19:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 19:22 --------- d-----w C:\Program Files\Java
2008-08-08 16:43 --------- d-----w C:\Program Files\Diet Analysis Plus 8.0
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2007-08-28 03:57 24,140,200 ----a-w C:\Documents and Settings\Miss Casey\DivXInstaller.exe
2006-11-28 20:51 712,724 --sh--w C:\WINDOWS\assembly\GAC\Regcode\cpbk.dll
2006-11-26 04:10 936,500 --sh--w C:\WINDOWS\java\apas.bak1
2006-11-28 20:50 943,803 --sh--w C:\WINDOWS\java\apas.bak2
2006-11-09 21:29 712,724 --sh--w C:\WINDOWS\java\sapa.dll
.
C:\WINDOWS\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 11:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
577,536 2008-10-04 19:14:17 C:\WINDOWS\system32\user32.DLL
577,536 2008-10-04 19:14:17 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 04:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-13 17:12 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
2008-10-04 12:14 577536 97e670921c1d622ef2629fd21132083c C:\WINDOWS\system32\user32.DLL
2008-10-04 12:14 577536 97e670921c1d622ef2629fd21132083c C:\WINDOWS\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"[system]"=C:\WINDOWS\system32\drivers\services.exe
"ANTIVIRUS"=C:\Program Files\SAV\sav.exe
"Jnskdfmf9eldfd"=C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\csrssc.exe
"ksjf93orkekfniw73nfdd"=C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\winlogen.exe
"MSFox"=C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\a.exe
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"Windows Network Data Management System Service"="skp66.exe" *
"winlogon"=C:\Documents and Settings\Miss Casey\svchost.exe
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DPAS"="C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
"KAVPersonal50"="C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
"[system]"=C:\WINDOWS\system32\drivers\services.exe
"70e5758b"=rundll32.exe "C:\WINDOWS\system32\byjpmgps.dll",b
"ANTIVIRUS"=C:\Program Files\SAV\sav.exe
"braviax"=C:\WINDOWS\system32\braviax.exe
"ksjf93orkekfniw73nfdd"=C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\winlogen.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"rs32net"=C:\WINDOWS\System32\rs32net.exe
"Windows Network Data Management System Service"="skp66.exe" *
"winlogon"=C:\Documents and Settings\Miss Casey\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Defender Pro\\Defender Pro Anti-Virus\\kav.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.12.6546-to-2.1.0.6692-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.4.2.8278-to-2.4.3.8606-enUS-downloader.exe"=
"C:\\Documents and Settings\\Miss Casey\\skp66.exe"=skp66.exe
"skp66.exe"= skp66.exe:BNDMSS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-10-03 10995]
.
Contents of the 'Scheduled Tasks' folder

2008-10-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

2008-10-03 C:\WINDOWS\Tasks\At1.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-06 C:\WINDOWS\Tasks\At10.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-06 C:\WINDOWS\Tasks\At11.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-01 C:\WINDOWS\Tasks\At12.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-05 C:\WINDOWS\Tasks\At13.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-05 C:\WINDOWS\Tasks\At14.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-01 C:\WINDOWS\Tasks\At15.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At16.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At17.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-05 C:\WINDOWS\Tasks\At18.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-04 C:\WINDOWS\Tasks\At19.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At2.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-04 C:\WINDOWS\Tasks\At20.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-04 C:\WINDOWS\Tasks\At21.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-06 C:\WINDOWS\Tasks\At22.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-06 C:\WINDOWS\Tasks\At23.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-06 C:\WINDOWS\Tasks\At24.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At25.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At26.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At27.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At28.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At29.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At3.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At30.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At31.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-06 C:\WINDOWS\Tasks\At32.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-06 C:\WINDOWS\Tasks\At33.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-06 C:\WINDOWS\Tasks\At34.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-06 C:\WINDOWS\Tasks\At35.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-01 C:\WINDOWS\Tasks\At36.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-05 C:\WINDOWS\Tasks\At37.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-05 C:\WINDOWS\Tasks\At38.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-01 C:\WINDOWS\Tasks\At39.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At4.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At40.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At41.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-04 C:\WINDOWS\Tasks\At42.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-04 C:\WINDOWS\Tasks\At43.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-04 C:\WINDOWS\Tasks\At44.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-04 C:\WINDOWS\Tasks\At45.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-06 C:\WINDOWS\Tasks\At46.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-06 C:\WINDOWS\Tasks\At47.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-06 C:\WINDOWS\Tasks\At48.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At5.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At6.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At7.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-06 C:\WINDOWS\Tasks\At8.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-06 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2005-02-16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1108581549.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 01:52]

2005-02-16 C:\WINDOWS\Tasks\WebReg 20050216112055.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-06 02:01]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Local Page = hxxp://www.google.com/
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Local Page = hxxp://www.google.com/
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html -
O15 -: Trusted Zone: www.download.com
O17 -: HKLM\CCS\Interface\{5B8AEC40-AC9F-4E61-BA22-67BE0E14EC96}: NameServer = 205.171.3.65,205.171.2.65

O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
C:\WINDOWS\Downloaded Program Files\OberonGameHost_dbg.inf
C:\WINDOWS\Downloaded Program Files\OberonGameHost.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 19:06:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
.
**************************************************************************
.
Completion time: 2008-10-06 19:20:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-07 02:20:09

Pre-Run: 46,720,147,456 bytes free
Post-Run: 49,660,870,656 bytes free

340 --- E O F --- 2008-09-12 10:19:39



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:00 PM, on 10/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.download.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219236903822
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B8AEC40-AC9F-4E61-BA22-67BE0E14EC96}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5272 bytes
 
Good Morning,

You have an infected Windows file that can be fixed by ComboFix only if you have the Recovery Console installed, so do this. There is also more to fix after this is done.

We need to run ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
 
Is there an easier way of doing that, because I don't have the Windows CD and I don't know what kind of service pack I have to download from Microsoft. Does it matter which one I pick?
 
No, it doesn't matter, because I don't have 6 blank disks to download the program to. I'm going to look for the Windows disks... If I can't find them, we have to find a different way for that part. :(
 
Hi,

You don't need the Windows CD and you don't need any floppies. Drag ComboFix to the trash and grab a fresh copy.

Download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3


Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Windows XP SP2 <--- This is what you need to download
Download the file & save it as it is originally named, next to ComboFix.exe.

[screenshot: RC1-4.gif]


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. You should get a message that the Recovery Console was installed; when prompted to run ComboFix, do so and post the log.

When you go to the Microsoft site and click on SP2, you will see a download link; download it to your desktop.
 
ComboFix 08-10-07.06 - Miss Casey 2008-10-07 16:50:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.440 [GMT -7:00]
Running from: C:\Documents and Settings\Miss Casey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Miss Casey\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
.

2008-10-06 18:23 . 2008-10-06 18:23 <DIR> d-------- C:\_OTMoveIt
2008-10-05 20:44 . 2008-10-05 20:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Documents and Settings\Miss Casey\Application Data\Malwarebytes
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-05 14:03 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-05 14:03 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-04 15:47 . 2008-10-04 15:47 2,441 --a------ C:\rdafenj.exe
2008-10-04 15:27 . 2008-10-04 15:47 59,392 --a------ C:\sisonvnp.exe
2008-10-04 12:16 . 2008-10-05 09:56 31,744 --a------ C:\Documents and Settings\Miss Casey\skp66.exe
2008-09-27 17:22 . 2008-09-27 17:23 229,508 --a------ C:\WINDOWS\system32\0b6b235d.exe
2008-09-27 10:37 . 2008-09-27 10:37 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
2008-09-20 12:30 . 2008-09-27 10:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-20 12:30 . 2008-09-20 12:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-17 14:50 . 2008-09-17 14:50 69,120 --a------ C:\WINDOWS\system32\icalc32.exe
2008-09-14 20:08 . 2008-09-14 20:09 <DIR> d-------- C:\WINDOWS\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-02 13:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-29 03:14 90,112 ----a-w C:\WINDOWS\DUMP3306.tmp
2008-09-15 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-11 18:17 --------- d-----w C:\Program Files\DefenderPro AntiSpy
2008-09-11 18:15 --------- d-----w C:\Program Files\MSN Games
2008-09-05 20:55 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\LimeWire
2008-08-30 17:53 --------- d-----w C:\Program Files\Palm
2008-08-29 16:17 --------- d-----w C:\Program Files\World of Warcraft
2008-08-24 05:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 15:49 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\AdobeUM
2008-08-20 12:31 --------- d-----w C:\Program Files\DivX
2008-08-16 19:41 --------- d-----w C:\Program Files\Common Files\Real
2008-08-16 19:36 --------- d-----w C:\Program Files\Google
2008-08-16 19:36 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\PlayFirst
2008-08-16 19:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 19:22 --------- d-----w C:\Program Files\Java
2008-08-08 16:43 --------- d-----w C:\Program Files\Diet Analysis Plus 8.0
2007-08-28 03:57 24,140,200 ----a-w C:\Documents and Settings\Miss Casey\DivXInstaller.exe
2006-11-28 20:51 712,724 --sh--w C:\WINDOWS\assembly\GAC\Regcode\cpbk.dll
2006-11-26 04:10 936,500 --sh--w C:\WINDOWS\java\apas.bak1
2006-11-28 20:50 943,803 --sh--w C:\WINDOWS\java\apas.bak2
2006-11-09 21:29 712,724 --sh--w C:\WINDOWS\java\sapa.dll
.
file copied: C:\WINDOWS\system32\user32.dll -> C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir ( 577536 bytes )

C:\WINDOWS\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 11:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
578,560 2008-04-14 00:12:08 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\user32.dll
577,536 2008-10-04 19:14:17 C:\WINDOWS\system32\user32.DLL
577,536 2008-10-04 19:14:17 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 04:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-13 17:12 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
2008-10-04 12:14 577536 97e670921c1d622ef2629fd21132083c C:\WINDOWS\system32\user32.DLL
2008-10-04 12:14 577536 97e670921c1d622ef2629fd21132083c C:\WINDOWS\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((( snapshot@2008-10-06_19.18.50.57 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"[system]"=C:\WINDOWS\system32\drivers\services.exe
"ANTIVIRUS"=C:\Program Files\SAV\sav.exe
"Jnskdfmf9eldfd"=C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\csrssc.exe
"ksjf93orkekfniw73nfdd"=C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\winlogen.exe
"MSFox"=C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\a.exe
"Windows Network Data Management System Service"="skp66.exe" *
"winlogon"=C:\Documents and Settings\Miss Casey\svchost.exe
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DPAS"="C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
"KAVPersonal50"="C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
"[system]"=C:\WINDOWS\system32\drivers\services.exe
"70e5758b"=rundll32.exe "C:\WINDOWS\system32\byjpmgps.dll",b
"ANTIVIRUS"=C:\Program Files\SAV\sav.exe
"braviax"=C:\WINDOWS\system32\braviax.exe
"ksjf93orkekfniw73nfdd"=C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\winlogen.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"rs32net"=C:\WINDOWS\System32\rs32net.exe
"Windows Network Data Management System Service"="skp66.exe" *
"winlogon"=C:\Documents and Settings\Miss Casey\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Defender Pro\\Defender Pro Anti-Virus\\kav.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.12.6546-to-2.1.0.6692-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.4.2.8278-to-2.4.3.8606-enUS-downloader.exe"=
"C:\\Documents and Settings\\Miss Casey\\skp66.exe"=skp66.exe
"skp66.exe"= skp66.exe:BNDMSS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 drvmcdb;drvmcdb;C:\WINDOWS\system32\drivers\drvmcdb.sys [2004-08-04 87136]
R1 AFS2K;AFS2k;C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-10-03 10995]
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-07-14 5627]
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys [2004-07-14 23545]
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys [2004-08-13 40544]
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys [2004-08-13 25723]
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys [2004-08-13 34843]
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys [2004-08-13 4123]
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys [2004-08-13 2239]
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys [2004-08-13 86202]
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys [2004-08-13 14715]
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys [2004-08-13 6363]
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys [2004-08-13 98714]
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-08-13 100603]
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-02-10 154112]
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys [2004-03-06 1233525]
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys [2004-03-06 647929]
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys [2004-06-16 61157]
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys [2004-03-06 37048]
R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
R3 smwdm;smwdm;C:\WINDOWS\system32\drivers\smwdm.sys [2004-10-29 260096]
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S3 NetSvc;Intel NCS NetService;C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2003-12-17 143360]
S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys [2003-07-16 16509]
S3 USB_RNDIS;USB Remote NDIS Network Device Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 12672]
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys [ ]
S3 WpdUsb;WpdUsb;C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2004-08-03 44928]
.
Contents of the 'Scheduled Tasks' folder

2008-10-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

2008-10-03 C:\WINDOWS\Tasks\At1.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-07 C:\WINDOWS\Tasks\At10.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-06 C:\WINDOWS\Tasks\At11.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-01 C:\WINDOWS\Tasks\At12.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-05 C:\WINDOWS\Tasks\At13.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-07 C:\WINDOWS\Tasks\At14.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-07 C:\WINDOWS\Tasks\At15.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At16.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At17.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At18.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-04 C:\WINDOWS\Tasks\At19.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At2.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-04 C:\WINDOWS\Tasks\At20.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-07 C:\WINDOWS\Tasks\At21.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-07 C:\WINDOWS\Tasks\At22.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-06 C:\WINDOWS\Tasks\At23.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-07 C:\WINDOWS\Tasks\At24.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At25.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At26.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At27.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At28.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At29.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At3.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At30.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At31.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-06 C:\WINDOWS\Tasks\At32.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-07 C:\WINDOWS\Tasks\At33.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-07 C:\WINDOWS\Tasks\At34.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-06 C:\WINDOWS\Tasks\At35.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-01 C:\WINDOWS\Tasks\At36.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-05 C:\WINDOWS\Tasks\At37.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-07 C:\WINDOWS\Tasks\At38.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-07 C:\WINDOWS\Tasks\At39.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At4.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At40.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At41.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At42.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-04 C:\WINDOWS\Tasks\At43.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-04 C:\WINDOWS\Tasks\At44.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-07 C:\WINDOWS\Tasks\At45.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-07 C:\WINDOWS\Tasks\At46.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-06 C:\WINDOWS\Tasks\At47.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-07 C:\WINDOWS\Tasks\At48.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At5.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At6.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At7.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-06 C:\WINDOWS\Tasks\At8.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-07 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2005-02-16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1108581549.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 01:52]

2005-02-16 C:\WINDOWS\Tasks\WebReg 20050216112055.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-06 02:01]
.
- - - - ORPHANS REMOVED - - - -

BHO-{abfad53a-f8cf-4a8c-ad0b-db8785cae777} - (no file)
BHO-{efaa1717-85b1-4647-a959-daa5c7d5913f} - (no file)
Notify-awtRIbBs - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Local Page = hxxp://www.google.com/
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Local Page = hxxp://www.google.com/
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html -
O15 -: Trusted Zone: www.download.com
O17 -: HKLM\CCS\Interface\{5B8AEC40-AC9F-4E61-BA22-67BE0E14EC96}: NameServer = 205.171.3.65,205.171.2.65

O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
C:\WINDOWS\Downloaded Program Files\OberonGameHost_dbg.inf
C:\WINDOWS\Downloaded Program Files\OberonGameHost.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 17:01:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\update\update.exe
.
**************************************************************************
.
Completion time: 2008-10-07 17:16:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-08 00:16:37
ComboFix2.txt 2008-10-07 02:20:38

Pre-Run: 48,845,713,408 bytes free
Post-Run: 48,688,611,328 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

323 --- E O F --- 2008-10-07 14:17:27
 
You need to enable Windows to show all files and folders; instructions Here


C:\WINDOWS\Tasks\At1.job <---Delete every At1.job inside the Tasks folder but not the folder itself



Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::


Code:
File::
C:\WINDOWS\system32\drivers\services.exe
C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\winlogen.exe
C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\a.exe
C:\Documents and Settings\Miss Casey\svchost.exe
C:\WINDOWS\system32\byjpmgps.dll
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\System32\rs32net.exe
C:\WINDOWS\system32\81xBu0eE.exe
C:\WINDOWS\system32\YWg4o6lm.exe 

Folder::
C:\Program Files\SAV

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"[system]"=-
"ANTIVIRUS"=-
"Jnskdfmf9eldfd"=-
"ksjf93orkekfniw73nfdd"=-
"MSFox"=-
"Windows Network Data Management System Service"=-


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"[system]"=-
"70e5758b"=-
"ANTIVIRUS"=-
"braviax"=-
"ksjf93orkekfniw73nfdd"=-
"rs32net"=-
"Windows Network Data Management System Service"=-
"winlogon"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]



This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
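As an added example (not code from this thread, its helper or ComboFix), the following Python script applies the kind of triage the helper did by hand to the "Reg Loading Points" section of a ComboFix log and drafts the matching File::/Registry:: CFScript. The heuristics (Temp-folder paths, core-process names outside System32, machine-generated value names) and the analyst-supplied name list are this example's own assumptions; the sample log lines are constructed from the entries quoted above.

```python
"""Triage the Run keys in a ComboFix log and draft a CFScript from the hits.
Added example, not code from this thread, its helper or ComboFix; the
heuristics, the analyst name list and the sample log are constructed here."""
import re
from typing import NamedTuple

# Constructed sample: trimmed from the "Reg Loading Points" entries quoted
# earlier in the thread, embedded so the script runs offline.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"[system]"=C:\WINDOWS\system32\drivers\services.exe
"Jnskdfmf9eldfd"=C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\csrssc.exe
"winlogon"=C:\Documents and Settings\Miss Casey\svchost.exe
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KAVPersonal50"="C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
"70e5758b"=rundll32.exe "C:\WINDOWS\system32\byjpmgps.dll",b
"braviax"=C:\WINDOWS\system32\braviax.exe
'''

# Core Windows process names: a genuine copy lives only in System32, so the
# same name under drivers\, a user profile or Temp is a masquerade.
CORE_NAMES = {"services.exe", "svchost.exe", "winlogon.exe", "csrss.exe",
              "lsass.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
QUOTED_RE = re.compile(r'"([^"]+)"')


class Finding(NamedTuple):
    key: str
    name: str
    path: str
    reasons: list


def image_path(data: str) -> str:
    """Extract the image path from a Run value: a quoted path plus arguments,
    rundll32.exe hosting a quoted DLL, or a bare unquoted path."""
    data = data.strip()
    if data.startswith('"') or data.lower().startswith("rundll32"):
        m = QUOTED_RE.search(data)
        if m:
            return m.group(1)
    return data.rstrip(" *")  # bare path, minus ComboFix's trailing " *" marker


def looks_random(name: str) -> bool:
    """Flag machine-generated value names such as 70e5758b or Jnskdfmf9eldfd:
    pure hex blobs, or names of 8+ characters with almost no vowels."""
    if re.fullmatch(r"[0-9a-f]{8,}", name.lower()):
        return True
    letters = [c for c in name if c.isalpha()]
    if len(name) < 8 or not letters:
        return False
    vowels = sum(c.lower() in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2


def triage(log: str, known_bad_names=()) -> list:
    """Walk every Run key in the log and return the entries matching the
    patterns the helper acted on, each with the reasons it was flagged."""
    bad_names = {n.lower() for n in known_bad_names}
    findings, key = [], None
    for line in map(str.strip, log.splitlines()):
        if km := KEY_RE.match(line):
            key = km.group(1)
            continue
        if key is None or not (vm := VALUE_RE.match(line)):
            continue
        name, path = vm.group(1), image_path(vm.group(2))
        low = path.lower()
        folder, _, base = low.rpartition("\\")
        checks = [
            ("\\temp\\" in low, "runs from a Temp folder"),
            (base in CORE_NAMES and folder != SYSTEM32, f"{base} outside System32"),
            (looks_random(name), "machine-generated value name"),
            (name.lower() in bad_names, "analyst-supplied bad name"),
        ]
        reasons = [text for hit, text in checks if hit]
        if reasons:
            findings.append(Finding(key, name, path, reasons))
    return findings


def build_cfscript(findings: list) -> str:
    """Render findings in the File:: / Registry:: layout used in this thread."""
    lines = ["File::", *sorted({f.path for f in findings}, key=str.lower),
             "", "Registry::"]
    by_key = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f.name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines).rstrip("\n") + "\n"
```

On the constructed sample, triage(SAMPLE_LOG, known_bad_names={"braviax"}) returns five findings and leaves the Adobe and Defender Pro entries alone; build_cfscript() turns those findings into the File::/Registry:: text, with braviax only present because the analyst named it, which is where a heuristic stops and the helper's judgement starts.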
 
I just deleted At1 and did the rest. Here are the results:

ComboFix 08-10-07.06 - Miss Casey 2008-10-08 11:30:29.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.361 [GMT -7:00]
Running from: C:\Documents and Settings\Miss Casey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Miss Casey\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\a.exe
C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\winlogen.exe
C:\Documents and Settings\Miss Casey\svchost.exe
C:\WINDOWS\system32\81xBu0eE.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\byjpmgps.dll
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\System32\rs32net.exe
C:\WINDOWS\system32\YWg4o6lm.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
.

2008-10-06 18:23 . 2008-10-06 18:23 <DIR> d-------- C:\_OTMoveIt
2008-10-05 20:44 . 2008-10-05 20:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Documents and Settings\Miss Casey\Application Data\Malwarebytes
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-05 14:03 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-05 14:03 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-04 15:47 . 2008-10-04 15:47 2,441 --a------ C:\rdafenj.exe
2008-10-04 15:27 . 2008-10-04 15:47 59,392 --a------ C:\sisonvnp.exe
2008-10-04 12:16 . 2008-10-05 09:56 31,744 --a------ C:\Documents and Settings\Miss Casey\skp66.exe
2008-09-27 17:22 . 2008-09-27 17:23 229,508 --a------ C:\WINDOWS\system32\0b6b235d.exe
2008-09-27 10:37 . 2008-09-27 10:37 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
2008-09-20 12:30 . 2008-09-27 10:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-20 12:30 . 2008-09-20 12:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-17 14:50 . 2008-09-17 14:50 69,120 --a------ C:\WINDOWS\system32\icalc32.exe
2008-09-14 20:08 . 2008-09-14 20:09 <DIR> d-------- C:\WINDOWS\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-02 13:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-29 03:14 90,112 ----a-w C:\WINDOWS\DUMP3306.tmp
2008-09-15 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-11 18:17 --------- d-----w C:\Program Files\DefenderPro AntiSpy
2008-09-11 18:15 --------- d-----w C:\Program Files\MSN Games
2008-09-05 20:55 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\LimeWire
2008-08-30 17:53 --------- d-----w C:\Program Files\Palm
2008-08-29 16:17 --------- d-----w C:\Program Files\World of Warcraft
2008-08-24 05:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 15:49 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\AdobeUM
2008-08-20 12:31 --------- d-----w C:\Program Files\DivX
2008-08-16 19:41 --------- d-----w C:\Program Files\Common Files\Real
2008-08-16 19:36 --------- d-----w C:\Program Files\Google
2008-08-16 19:36 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\PlayFirst
2008-08-16 19:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 19:22 --------- d-----w C:\Program Files\Java
2008-08-08 16:43 --------- d-----w C:\Program Files\Diet Analysis Plus 8.0
2007-08-28 03:57 24,140,200 ----a-w C:\Documents and Settings\Miss Casey\DivXInstaller.exe
2006-11-28 20:51 712,724 --sh--w C:\WINDOWS\assembly\GAC\Regcode\cpbk.dll
2006-11-26 04:10 936,500 --sh--w C:\WINDOWS\java\apas.bak1
2006-11-28 20:50 943,803 --sh--w C:\WINDOWS\java\apas.bak2
2006-11-09 21:29 712,724 --sh--w C:\WINDOWS\java\sapa.dll
.
file copied: C:\WINDOWS\system32\user32.dll -> C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir ( 577536 bytes )

C:\WINDOWS\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 11:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
577,536 2008-10-04 19:14:17 C:\WINDOWS\system32\user32.DLL
577,536 2008-10-04 19:14:17 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 04:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-13 17:12 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
2008-10-04 12:14 577536 97e670921c1d622ef2629fd21132083c C:\WINDOWS\system32\user32.DLL
2008-10-04 12:14 577536 97e670921c1d622ef2629fd21132083c C:\WINDOWS\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"winlogon"=C:\Documents and Settings\Miss Casey\svchost.exe
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DPAS"="C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
"KAVPersonal50"="C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Defender Pro\\Defender Pro Anti-Virus\\kav.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.12.6546-to-2.1.0.6692-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.4.2.8278-to-2.4.3.8606-enUS-downloader.exe"=
"C:\\Documents and Settings\\Miss Casey\\skp66.exe"=skp66.exe
"skp66.exe"= skp66.exe:BNDMSS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-10-03 10995]
.
Contents of the 'Scheduled Tasks' folder

2008-10-08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

2008-10-08 C:\WINDOWS\Tasks\At10.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At11.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At12.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-05 C:\WINDOWS\Tasks\At13.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-07 C:\WINDOWS\Tasks\At14.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-07 C:\WINDOWS\Tasks\At15.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At16.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At17.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At18.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At19.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At2.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At20.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At21.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At22.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At23.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At24.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At25.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At26.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At27.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At28.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At29.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At3.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At30.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At31.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At32.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At33.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At34.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At35.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At36.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-05 C:\WINDOWS\Tasks\At37.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-07 C:\WINDOWS\Tasks\At38.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-07 C:\WINDOWS\Tasks\At39.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At4.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At40.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At41.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At42.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At43.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At44.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At45.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At46.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At47.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At48.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At5.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At6.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At7.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At8.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2005-02-16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1108581549.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 01:52]

2005-02-16 C:\WINDOWS\Tasks\WebReg 20050216112055.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-06 02:01]
.
- - - - ORPHANS REMOVED - - - -

BHO-REGEDIT4 - (no file)
BHO-[HKEY_CURRENT_USER\software\microsoft\internet explorer\urlsearchhooks] - (no file)
BHO-{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=" - (no file)
BHO-{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=" - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-08 11:40:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
.
**************************************************************************
.
Completion time: 2008-10-08 11:48:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-08 18:48:04
ComboFix2.txt 2008-10-08 00:16:56
ComboFix3.txt 2008-10-07 02:20:38

Pre-Run: 49,152,462,848 bytes free
Post-Run: 49,059,295,232 bytes free

259 --- E O F --- 2008-10-07 14:17:27
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:55 AM, on 10/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.download.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219236903822
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B8AEC40-AC9F-4E61-BA22-67BE0E14EC96}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5392 bytes
 
Hi,

Make sure you turn off the TeaTimer in Spybot.


Disable the TeaTimer, leave it disabled until we're done or it will prevent fixes from taking

  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer. <-- You need to do this for it to take effect



You need to enable Windows to show all files and folders; instructions Here

Go to VirusTotal and submit these files for analysis. Just use the BROWSE feature and then Send File; you will get a report back. Post the report into this thread for me to see.

C:\rdafenj.exe
C:\sisonvnp.exe




Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::


Code:
File::
C:\WINDOWS\system32\icalc32.exe
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\system32\81xBu0eE.exe
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\system32\YWg4o6lm.exe 
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\Documents and Settings\Miss Casey\svchost.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"winlogon"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
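As an added example (not from the reply above, and not ComboFix's or Spybot's own code), here is a small Python script that parses the 'Scheduled Tasks' section of a ComboFix log like the one posted, groups the .job entries by the executable they launch, flags targets showing the traits visible in this log (several at.exe-style At*.job tasks launching one target, a random-looking 8-character name, an empty [] stamp), and emits a File:: block in the same CFScript format the reply uses. The sample log is constructed from a subset of the entries above, and the flagging heuristics are assumptions for illustration, not ComboFix rules.

```python
import re
from collections import defaultdict

# Constructed sample (a subset of the log above, not the verbatim log):
# three of the At*.job entries plus one legitimate HP task for contrast.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
2008-10-08 C:\WINDOWS\Tasks\At10.job
- C:\WINDOWS\system32\81xBu0eE.exe []
2008-10-08 C:\WINDOWS\Tasks\At11.job
- C:\WINDOWS\system32\81xBu0eE.exe []
2008-10-08 C:\WINDOWS\Tasks\At25.job
- C:\WINDOWS\system32\YWg4o6lm.exe []
2005-02-16 C:\WINDOWS\Tasks\WebReg 20050216112055.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-06 02:01]
.
"""

# One ComboFix task entry: the dated .job line followed by "- target [stamp]".
PAIR_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} (?P<job>\S.*?\.job)\s*\n- (?P<target>.+?) \[(?P<stamp>[^\]]*)\]\s*$",
    re.M)
# Heuristic (an assumption, not a ComboFix rule): 8 mixed-case alphanumerics
# containing a digit, like 81xBu0eE.exe, looks machine-generated.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8}\.exe$")

def parse_tasks(text):
    """Return (job_path, target_path, stamp) triples from a ComboFix log."""
    return [(m["job"], m["target"], m["stamp"]) for m in PAIR_RE.finditer(text)]

def suspicious_targets(tasks, min_jobs=2):
    """Map each flagged target to the reasons it was flagged."""
    by_target = defaultdict(list)
    for job, target, stamp in tasks:
        by_target[target].append((job, stamp))
    findings = {}
    for target, jobs in by_target.items():
        reasons = []
        at_jobs = [j for j, _ in jobs if j.rsplit("\\", 1)[-1].lower().startswith("at")]
        if len(at_jobs) == len(jobs) >= min_jobs:  # every launcher is an At*.job, and there are several
            reasons.append(f"{len(jobs)} at.exe-style At*.job tasks launch the same target")
        if RANDOM_NAME_RE.match(target.rsplit("\\", 1)[-1]):
            reasons.append("random-looking 8-character executable name")
        if all(stamp == "" for _, stamp in jobs):
            reasons.append("ComboFix printed an empty [] stamp for the target")
        if reasons:
            findings[target] = reasons
    return findings

def cfscript_file_section(tasks, findings):
    """Emit a File:: block in CFScript format: each flagged job, then its target."""
    jobs = [job for job, target, _ in tasks if target in findings]
    return "\n".join(["File::"] + jobs + list(findings))
```

Run against the full log, the same logic lists all 48 At*.job files and both system32 executables, which is the File:: block the reply builds by hand.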