Meezers
2010-02-15, 17:44
Yes, I read the "before you post" topic ;)
My daughter got infected while viewing an image at DeviantArt; some sort of ad auto-infected. She says she didn't click on anything. I don't know what all she did with the infection before coming to me. The infection is continuous fake infection security alerts, fake antivirus warnings and scans, and fake internet windows. I have been closing these with the X, or clicking No if the X isn't there.
She has new Symantec AntiVirus and Spybot installed. Neither one caught this. We have no internet access on that computer because of the infection. As a precaution we also disconnected the infected machine from the internet.
I used a thumb drive to install HijackThis and ERUNT.
On the desktop was a .dll file that appeared because of the infection. Spybot found most of the problems in a file called virtumonde.sci.
Before the scan had finished I got a pop-up from Spybot with the choice of restarting to remove the files added during the scan, or No to continue scanning. I decided to continue scanning. At the end of the scan I clicked to fix all found. When it finished, a new program auto-installed onto the desktop called Antivirus XP 2010. I ran Spybot again and it seems to have found all the same problems, but they are not fixed. I also ran a Symantec AntiVirus quick scan and told it to delete all it found. Then I reran Symantec and it seems to have found all the same items again, unfixed, so I told it to delete them again.
I went to the win 32 folder and tried to delete the Antivirus XP 2010 folder, but it won't allow me to because it is "in use".
I have not restarted the computer, as I was/am afraid I will activate something bad by doing so. I am waiting for an expert to tell me to go ahead and reboot.
I ran HijackThis and did an ERUNT "System registry" save.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:15 AM, on 2/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\kfihdni.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\e6opc4.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\nvsvc32.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\win.exe
C:\Documents and Settings\Kate\Local Settings\Application Data\av.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\avp.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\nvsvc32.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\winlogon.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\drweb.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\win16.exe
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\mdm.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\system.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\cmd.exe
C:\DOCUME~1\Kate\LOCALS~1\Temp\notepad.exe
C:\WINDOWS\system32\sspipes.scr
E:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: C:\WINDOWS\system32\jqyhvzy.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\jqyhvzy.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Ovacuhijuc] rundll32.exe "C:\WINDOWS\ojuzudan.dll",Startup
O4 - HKLM\..\Run: [rakerosed] Rundll32.exe "c:\windows\system32\keniyili.dll",a
O4 - HKLM\..\RunOnce: [SpybotDeletingA3263] command.com /c del "C:\WINDOWS\ojuzudan.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8080] cmd.exe /c del "C:\WINDOWS\ojuzudan.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8637] command.com /c del "c:\windows\system32\sifopilu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9879] cmd.exe /c del "c:\windows\system32\sifopilu.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\jqyhvzy.dll, HUI_proc
O4 - HKCU\..\Run: [uishf9wuifwuh387fh3wufinhjfdwefe] C:\DOCUME~1\Kate\LOCALS~1\Temp\e6opc4.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Kate\LOCALS~1\Temp\win16.exe
O4 - HKCU\..\Run: [Adobe Loader] C:\Program Files\adb9_32.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.isketch.net/isketch.shtml"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8786] command.com /c del "C:\WINDOWS\ojuzudan.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6493] cmd.exe /c del "C:\WINDOWS\ojuzudan.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8936] command.com /c del "c:\windows\system32\sifopilu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4084] cmd.exe /c del "c:\windows\system32\sifopilu.dll_old"
O4 - HKUS\S-1-5-21-1085031214-879983540-839522115-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Nancy')
O4 - HKUS\S-1-5-21-1085031214-879983540-839522115-1006\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Nancy')
O4 - HKUS\S-1-5-21-1085031214-879983540-839522115-1006\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (User 'Nancy')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is-software-download25.com
O15 - Trusted Zone: http://*.is10-soft-download.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2930639E-98FC-4FF4-9E9D-3A0BF7D7348E}: NameServer = 83.149.115.157,4.2.2.1,192.168.1.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll pokivaku.dll c:\windows\system32\keniyili.dll
O21 - SSODL: zotolowip - {28596109-54aa-4e22-81cb-cc4250283613} - c:\windows\system32\keniyili.dll
O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\jqyhvzy.dll
O22 - SharedTaskScheduler: jugezatag - {28596109-54aa-4e22-81cb-cc4250283613} - c:\windows\system32\keniyili.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 10079 bytes
I think I have done everything you need the way you want it.
Thank you for taking time to help us.
I am trying to follow your forum rules for posting but saw nothing to cover the situation I am in.
We were patiently waiting and I am not posting this additional information to the original post because your rules say not to. I know I am not allowed to start a new topic for the same problem. I don't know what I am supposed to do to add information as there is no EDIT function that I can find on the original post. I am very sorry if I am breaking a rule starting a new topic but it is senseless for someone to spend time giving me an answer that won't apply due to the new circumstance. PLEASE don't yell at me if I am messing up your forum rules. I am trying my best to comply, I really am.
First topic that was not yet answered: http://forums.spybot.info/showthread.php?t=55524
I just went to look at the infected computer and it had logged all users out and was requiring a password. This machine has 5 users and no passwords were ever set up. I can't give it a password that we never set.
I restarted the computer in safe mode, and now when I click on a user it says it's logging on and then immediately logs back off. We have no access to the computer at all.
I have shut it down.