
Thread: Major infection - can't run Spybot or HJT - please help! (Resolved)

  1. #1
    Junior Member
    Join Date
    Apr 2009
    Posts
    13

    Major infection - can't run Spybot or HJT - please help! (Resolved)

    I've been unsuccessfully battling Virtumonde for a few months now, but something recently has kicked the infection into new territory. I've lost the use of one CD drive, and I cannot run Spybot, HJT, or any anti-virus software (I can install new programs but I get a "not a valid win32 application" message when I try to run them). When I try to boot in safe mode I get a blue screen error. This goes for all 3 types of safe mode. I am only able to keep the flood of pop-ups away by killing rundll32 and iexplore processes using Process Explorer. I hope someone can help me. Thanks so much!

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.

    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Failure to reply within 5 days will result in the topic being closed.
    5. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe

    ----------------------------------------------------------------------------------------

    Quote Originally Posted by invisiblegardener View Post
    I've been unsuccessfully battling Virtumonde for a few months now,
    You should have come here sooner; Vundo regularly calls in a whole host of other infections if it is active for any length of time.



    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.



    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  3. #3
    Junior Member
    Join Date
    Apr 2009
    Posts
    13


    Thanks for your help, Katana. I downloaded ComboFix to my desktop, but when I run it, I get an error message: "...\Desktop\ComboFix.exe is not a valid Win32 application".

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    Please try this instead ...



    Download and Run ComboFix
    ----------------------------------------------------------------------------------------

    Download Combofix from the link below. Save it to your desktop.

    > Link Removed <

    --------------------------------------------------------------------

    Double click on CleanMe.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Last edited by katana; 2009-04-11 at 12:14.

  5. #5
    Junior Member
    Join Date
    Apr 2009
    Posts
    13


    It seems ComboFix will work this way. However, I declined to run the scan because CF told me that Kaspersky Anti-Virus was running, and I could not see any indication that it was running, or find any way to stop it. There is no tray icon, and no running processes that seem related. I didn't know if it would be recommended to proceed with the CF scan.

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    Ignore the Kaspersky warning for the moment, just run Combofix (CleanMe) and post the log

  7. #7
    Junior Member
    Join Date
    Apr 2009
    Posts
    13


    The second time I tried to run CleanMe, it told me I needed to rename the file. So I did, and the scan ran successfully. The log was too big to paste, so I have zipped and attached it. Thanks for all your help!!

    Code:
    ComboFix 09-04-04.01 - Matt 2009-04-10 21:09:30.1 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1535.1190 [GMT -5:00]
    Running from: c:\documents and settings\Matt\Desktop\CF.exe
    AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)
    FW: Norton Internet Worm Protection *disabled*
    .
     ADS - svchost.exe: deleted 32768 bytes in 1 streams. 
    
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    c:\docume~1\Matt\LOCALS~1\Temp\tmp1.tmp
    c:\docume~1\Matt\LOCALS~1\Temp\tmp2.tmp
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Matt\Application Data\drivers\downld
    c:\documents and settings\Matt\Application Data\drivers\downld\1002312.exe
     2332 drivers\downld\XXXXXXX.exe removed
    c:\documents and settings\Matt\Application Data\drivers\downld\999453.exe
    c:\documents and settings\Matt\Application Data\drivers\srosa2.sys
    c:\documents and settings\Matt\Application Data\drivers\wfsintwq.sys
    c:\documents and settings\Matt\Application Data\drivers\winupgro.exe
    c:\documents and settings\Matt\Application Data\m
    131 files removed from \m
    c:\program files\steam\steam.exe
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\abedewud.ini
    c:\windows\system32\abosanap.ini
    c:\windows\system32\aemhxv.dll
    c:\windows\system32\agezosih.ini
    c:\windows\system32\akowomer.ini
    c:\windows\system32\aojtps.dll
    c:\windows\system32\apupcj.dll
    c:\windows\system32\aquxqb.dll
    c:\windows\system32\arotevew.ini
    c:\windows\system32\arubugaz.ini
    c:\windows\system32\asirevuv.ini
    c:\windows\system32\asxgfp.dll
    c:\windows\system32\atepeyay.ini
    c:\windows\system32\atodgi.dll
    c:\windows\system32\bajiyise.dll
    c:\windows\system32\bakedosu.dll
    c:\windows\system32\bewihafe.dll
    c:\windows\system32\bezuyiza.dll
    c:\windows\system32\bihonede.dll
    c:\windows\system32\bisepufi.dll
    c:\windows\system32\bmcomn.dll
    c:\windows\system32\cqsori.dll
    c:\windows\system32\cucqoh.dll
    c:\windows\system32\dafamupu.dll
    c:\windows\system32\dafirulo.dll
    c:\windows\system32\devopaha.dll
    c:\windows\system32\deyaluhu.dll
    c:\windows\system32\dipitiwo.dll
    c:\windows\system32\dobojobe.dll
    c:\windows\system32\doguzeri.dll
    c:\windows\system32\dorulelo.dll
    c:\windows\system32\drivers\down
    c:\windows\system32\drivers\down\1013515.exe
    c:\windows\system32\drivers\down\1481375.exe
    c:\windows\system32\drivers\down\1551718.exe
    c:\windows\system32\dsbjuw.dll
    c:\windows\system32\dtizlb.dll
    c:\windows\system32\duvafiyi.dll
    c:\windows\system32\duwedeba.dll
    c:\windows\system32\duyagawe.dll
    c:\windows\system32\elukapid.ini
    c:\windows\system32\emujatev.ini
    c:\windows\system32\enniph.dll
    c:\windows\system32\evahafem.ini
    c:\windows\system32\expicv.dll
    c:\windows\system32\faebbbdacdecbfecb.dll
    c:\windows\system32\fapiruda.dll
    c:\windows\system32\feluniko.dll
    c:\windows\system32\fetutupi.dll
    c:\windows\system32\fhmxpm.dll
    c:\windows\system32\fqbdqo.dll
    c:\windows\system32\fujegifu.dll
    c:\windows\system32\fumugatu.dll
    c:\windows\system32\futewege.dll
    c:\windows\system32\ganjpn.dll
    c:\windows\system32\garowori.dll
    c:\windows\system32\gatinuro.dll
    c:\windows\system32\gebuhobo.dll
    c:\windows\system32\gezimihe.dll
    c:\windows\system32\gibuyata.dll.tmp
    c:\windows\system32\gluykq.dll
    c:\windows\system32\gomukamu.dll
    c:\windows\system32\gonaludu.dll
    c:\windows\system32\gopikobi.dll
    c:\windows\system32\gudasene.dll
    c:\windows\system32\gurelido.dll
    c:\windows\system32\hdbxye.dll
    c:\windows\system32\hekazezi.dll
    c:\windows\system32\hevotuza.dll
    c:\windows\system32\hhxhcp.dll
    c:\windows\system32\hikagazu.dll
    c:\windows\system32\hisozega.dll
    c:\windows\system32\hofugubi.dll
    c:\windows\system32\hokxky.dll
    c:\windows\system32\hsf73ikmdf3f.dll
    c:\windows\system32\huverego.dll
    c:\windows\system32\irebizuz.ini
    c:\windows\system32\iziboyow.ini
    c:\windows\system32\jaduzumi.dll
    c:\windows\system32\jelukahu.dll
    c:\windows\system32\jihofoju.dll
    c:\windows\system32\jofoliyo.dll
    c:\windows\system32\jovivumo.dll
    c:\windows\system32\jtryxb.dll
    c:\windows\system32\jugusaja.dll
    c:\windows\system32\juposeno.dll
    c:\windows\system32\jupujunu.dll
    c:\windows\system32\kanolalo.dll
    c:\windows\system32\kegezadu.dll
    c:\windows\system32\kenahapu.dll
    c:\windows\system32\kibivegi.dll
    c:\windows\system32\kiduruka.dll
    c:\windows\system32\kihuseku.dll
    c:\windows\system32\kirasahi.dll
    c:\windows\system32\kivigoru.dll
    c:\windows\system32\kogujiru.dll.tmp
    c:\windows\system32\kohuhoro.dll
    c:\windows\system32\kokemabo.dll
    c:\windows\system32\kolojebe.dll
    c:\windows\system32\kosuyapu.dll
    c:\windows\system32\kotafeka.dll
    c:\windows\system32\kshygn.dll
    c:\windows\system32\kubuyula.dll
    c:\windows\system32\kumeliyu.dll
    c:\windows\system32\kumiberu.dll
    c:\windows\system32\kunobesi.dll
    c:\windows\system32\kuwibipa.dll
    c:\windows\system32\kuzeyogi.dll
    c:\windows\system32\lelizomo.dll
    c:\windows\system32\livoguyi.dll
    c:\windows\system32\ljkngn.dll
    c:\windows\system32\lujetifi.dll
    c:\windows\system32\lujivoni.dll
    c:\windows\system32\lutovute.dll
    c:\windows\system32\lxvcxq.dll
    c:\windows\system32\lzkest.dll
    c:\windows\system32\marokeru.dll
    c:\windows\system32\mavywp.dll
    c:\windows\system32\mazileve.dll
    c:\windows\system32\mdelk.exe
    c:\windows\system32\melidawa.dll
    c:\windows\system32\mijejabe.dll
    c:\windows\system32\miliyepa.dll
    c:\windows\system32\mlcbki.dll
    c:\windows\system32\mmyczl.dll
    c:\windows\system32\mukmil.dll
    c:\windows\system32\nadojizu.dll
    c:\windows\system32\nadusifa.dll
    c:\windows\system32\nanenipu.dll
    c:\windows\system32\nazesuna.dll
    c:\windows\system32\nekols.dll
    c:\windows\system32\nenunizo.dll.tmp
    c:\windows\system32\nijufuvu.dll
    c:\windows\system32\nikarili.dll
    c:\windows\system32\nubamiko.dll
    c:\windows\system32\nukiyofi.dll
    c:\windows\system32\nusayuta.dll
    c:\windows\system32\oizuuh.dll
    c:\windows\system32\olukonir.ini
    c:\windows\system32\oluwijew.ini
    c:\windows\system32\opinomab.ini
    c:\windows\system32\oraravuz.ini
    c:\windows\system32\ostrav.dll
    c:\windows\system32\otimahef.ini
    c:\windows\system32\pafigewi.dll
    c:\windows\system32\penipure.dll
    c:\windows\system32\peyumama.dll
    c:\windows\system32\pimehori.dll
    c:\windows\system32\pinapuwe.dll
    c:\windows\system32\piseraho.dll.tmp
    c:\windows\system32\piwihivo.dll
    c:\windows\system32\piyadayi.dll
    c:\windows\system32\povufuyu.dll
    c:\windows\system32\ptrtcs.dll
    c:\windows\system32\pufupode.dll
    c:\windows\system32\puhudw.dll
    c:\windows\system32\qhvfht.dll
    c:\windows\system32\reader_s.exe
    c:\windows\system32\reezod.dll
    c:\windows\system32\remowoka.dll
    c:\windows\system32\rilihoki.dll
    c:\windows\system32\rivenape.dll
    c:\windows\system32\rosnry.dll
    c:\windows\system32\rosotuse.dll
    c:\windows\system32\rruxdk.dll
    c:\windows\system32\ruludoji.dll
    c:\windows\system32\rulufutu.dll
    c:\windows\system32\runivito.dll
    c:\windows\system32\ruvaluno.dll
    c:\windows\system32\ruyugapi.dll
    c:\windows\system32\sejezeni.dll
    c:\windows\system32\sejuvoma.dll
    c:\windows\system32\siqtgw.dll
    c:\windows\system32\sirifiwi.dll
    c:\windows\system32\sopbdv.dll
    c:\windows\system32\soruhuma.dll.tmp
    c:\windows\system32\sosafimi.dll
    c:\windows\system32\srnqzb.dll
    c:\windows\system32\stfiyp.dll
    c:\windows\system32\stjjea.dll
    c:\windows\system32\sujibiwi.dll
    c:\windows\system32\suwunahe.dll
    c:\windows\system32\svgtjz.dll
    c:\windows\system32\tadofuvo.dll
    c:\windows\system32\tatetimo.dll
    c:\windows\system32\tayanage.dll
    c:\windows\system32\tazeyubo.dll
    c:\windows\system32\tefifohi.dll
    c:\windows\system32\tijebevi.dll
    c:\windows\system32\towozoha.dll.tmp
    c:\windows\system32\ubjkqi.dll
    c:\windows\system32\udufuned.ini
    c:\windows\system32\udukesup.ini
    c:\windows\system32\ukesuhik.ini
    c:\windows\system32\usajuhig.ini
    c:\windows\system32\usodekab.ini
    c:\windows\system32\uwigaruz.ini
    c:\windows\system32\vamibedi.dll
    c:\windows\system32\varayihe.dll
    c:\windows\system32\vatimete.dll
    c:\windows\system32\vboppf.dll
    c:\windows\system32\vedilune.dll
    c:\windows\system32\vejopine.dll
    c:\windows\system32\vetaweyo.dll
    c:\windows\system32\viriteda.dll
    c:\windows\system32\visujowo.dll
    c:\windows\system32\volorume.dll
    c:\windows\system32\volosejo.dll
    c:\windows\system32\vonibusa.dll.vir
    c:\windows\system32\vonowiya.dll.tmp
    c:\windows\system32\vovuhinu.dll
    c:\windows\system32\vpvkyx.dll
    c:\windows\system32\vulakiye.dll
    c:\windows\system32\vuverisa.dll
    c:\windows\system32\wedijuzo.dll
    c:\windows\system32\weluyiki.dll
    c:\windows\system32\wevetora.dll
    c:\windows\system32\whzwho.dll
    c:\windows\system32\wintems.exe
    c:\windows\system32\witukezo.dll
    c:\windows\system32\wiwifezi.dll.vir
    c:\windows\system32\wiwuzoza.dll
    c:\windows\system32\wopowupa.dll
    c:\windows\system32\woyadolu.dll
    c:\windows\system32\woyobizi.dll
    c:\windows\system32\wuleluzu.dll
    c:\windows\system32\wuwasomo.dll
    c:\windows\system32\wztkco.dll
    c:\windows\system32\xocand.dll
    c:\windows\system32\xsnlns.dll
    c:\windows\system32\xyfref.dll
    c:\windows\system32\yavawoji.dll
    c:\windows\system32\yirumuno.dll
    c:\windows\system32\yivoboki.dll
    c:\windows\system32\yofolufe.dll
    c:\windows\system32\yoharaje.dll
    c:\windows\system32\yubiyufo.dll
    c:\windows\system32\zakupuju.dll
    c:\windows\system32\zarebeba.dll
    c:\windows\system32\zatoyale.dll
    c:\windows\system32\zelokore.dll
    c:\windows\system32\zepuwuvi.dll
    c:\windows\system32\zetoyago.dll
    c:\windows\system32\ziyewila.dll
    c:\windows\system32\zodavula.dll
    c:\windows\system32\zomisula.dll
    c:\windows\system32\zuragiwu.dll
    c:\windows\system32\zuvararo.dll
    c:\windows\system32\zuziberi.dll
    c:\windows\system32\zwwlro.dll
    c:\windows\Temp\tmp3.tmp
    
    ----- BITS: Possible infected sites -----
    
    hxxp://82.98.235.205
    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    -------\Service_SROSA
    -------\Legacy_SROSA
    -------\Legacy_ICF
    -------\Legacy_SK9OU0S
    -------\Service_ICF
    -------\Service_sK9Ou0s
    
    
    (((((((((((((((((((((((((   Files Created from 2009-03-11 to 2009-04-11  )))))))))))))))))))))))))))))))
    .
    
    2009-04-10 20:44 . 2009-04-10 20:45	<DIR>	d--------	C:\xiFobmoC
    2009-04-10 20:23 . 2009-04-10 20:26	<DIR>	d--------	C:\CleanMe
    2009-04-08 17:07 . 2009-04-08 16:10	578,560	--a------	c:\windows\system32\glzeyhf
    2009-04-08 16:57 . 2009-04-10 19:51	1,420	--a------	c:\windows\Ojiwafabipe.dat
    2009-04-08 16:57 . 2009-04-10 16:40	16	--a------	c:\windows\Nqufuruya.bin
    2009-04-08 16:11 . 2009-04-10 15:55	144,384	--a------	C:\lrkl.exe
    2009-04-08 16:11 . 2009-04-08 16:11	30,208	--a------	C:\onspqrnk.exe
    2009-04-08 16:11 . 2009-04-10 15:56	22,016	--a------	C:\fkajlvl.exe
    2009-04-08 16:11 . 2009-04-08 16:11	705	--a------	C:\ovmhmkie.exe
    2009-04-08 16:11 . 2009-04-08 16:11	0	--a------	c:\windows\mqcd.dbt
    2009-04-08 16:10 . 2009-04-08 16:10	249,856	--a------	c:\windows\system32\nvtpm32.dll
    2009-04-08 16:10 . 2009-04-08 17:07	125,440	--a------	C:\wlct.exe
    2009-04-08 16:10 . 2009-04-08 17:07	125,440	--a------	c:\windows\system32\azton.mt
    2009-04-08 16:10 . 2009-04-08 16:10	77,312	--a------	c:\windows\system32\er3r.pxf
    2009-04-08 16:10 . 2009-04-10 15:54	43,520	--a------	C:\jurj.exe
    2009-04-08 16:10 . 2009-04-08 16:10	32,768	--a------	c:\windows\system32\kei1w.an
    2009-04-08 16:10 . 2009-04-08 16:10	32,768	--a------	c:\windows\system32\fe3.wa
    2009-04-08 16:10 . 2009-04-08 16:10	28,672	--a------	c:\windows\system32\kdoqmn.sr
    2009-04-08 16:10 . 2009-04-08 16:10	28,672	--a------	c:\windows\system32\doqkm.zt
    2009-04-08 16:10 . 2009-04-10 15:54	7,680	--a------	C:\kgqxi.exe
    2009-04-08 16:10 . 2009-04-10 15:55	2	--a------	C:\10334752
    2009-04-08 16:09 . 2009-04-10 15:53	9,216	--a------	c:\windows\instsp2.exe
    2009-04-06 21:46 . 2009-04-06 21:46	<DIR>	d--------	c:\program files\ERUNT
    2009-04-06 20:59 . 2009-04-06 20:59	<DIR>	d--------	c:\windows\system32\NtmsData
    2009-03-27 22:26 . 2009-03-29 13:41	<DIR>	d--------	c:\documents and settings\Matt\Application Data\HouseCall 6.6
    2009-03-27 17:53 . 2009-03-09 14:06	64,160	--a------	c:\windows\system32\drivers\Lbd.sys
    2009-03-27 17:44 . 2009-03-27 17:44	<DIR>	d--h-c---	c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-03-27 17:43 . 2009-03-27 17:43	<DIR>	d--------	c:\program files\Lavasoft
    2009-03-25 00:31 . 2009-04-10 21:18	<DIR>	d--h-----	c:\documents and settings\Matt\Application Data\drivers
    
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-11 02:20	---------	d-----w	c:\program files\Steam
    2009-04-08 21:10	159,232	----a-w	c:\windows\ofevehamirolu.dll
    2009-03-27 21:57	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-26 05:26	688,416	--sha-w	c:\windows\system32\drivers\fidbox2.dat
    2009-03-26 05:26	66,656	--sha-w	c:\windows\system32\drivers\fidbox2.idx
    2009-03-26 05:26	315,320	--sha-w	c:\windows\system32\drivers\fidbox.idx
    2009-03-26 05:26	23,229,728	--sha-w	c:\windows\system32\drivers\fidbox.dat
    2009-03-26 02:18	---------	d-----w	c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2009-02-23 21:58	---------	d-----w	c:\program files\Google
    2009-04-10 21:48	66,576	----a-w	c:\program files\mozilla firefox\components\bdfcfabdecfdbba.dll
    2009-01-10 06:02	2,713	--sh--w	c:\windows\system32\kujonage.dll
    2008-12-09 17:52	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120920081210\index.dat
    .
    file copied: c:\windows\system32\user32.dll -> c:\qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir ( 578560 bytes ) 
    Infected c:\windows\system32\user32.dll hex repaired
    
    
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
    "PeerGuardian"="g:\program files\PeerGuardian2\pg2.exe" [2009-04-10 1421824]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-31 282624]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
    "Whopucizepu"="c:\windows\ofevehamirolu.dll" [2009-04-08 159232]
    
    c:\documents and settings\Matt\Start Menu\Programs\Startup\
    Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-12-17 748840]
    
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-01-13 169472]
    Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-12-29 1175552]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.g723"= g723.acm
    "vidc.I263"= I263_32.drv
    "msacm.dvacm"= dvacm.acm
    "VIDC.MJPG"= Pvmjpg21.dll
    "VIDC.PIM1"= pclepim1.dll
    "VIDC.I420"= vdrcodec.dll
    "vidc.ffds"= ffdshow.ax
    "msacm.ac3filter"= ac3filter.acm
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages	REG_MULTI_SZ   	cli dtigopx.dll
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "g:\\Program Files\\AIM\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
    "c:\\Program Files\\att-nap\\McciBrowser.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "g:\\Program Files\\Gmail Notifier\\gnotify.exe"=
    "c:\\Program Files\\MSN Messenger\\usnsvc.exe"=
    "c:\\Program Files\\QuickTime\\qttask.exe"=
    "c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    "c:\\Program Files\\Common Files\\Motive\\McciCMService.exe"=
    "c:\\WINDOWS\\system32\\MsPMSPSv.exe"=
    "c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "28570:TCP"= 28570:TCP:eMule TCP
    "9469:UDP"= 9469:UDP:eMule UDP
    
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-27 64160]
    R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\Si3112r.sys [2007-06-04 84529]
    R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2000-06-05 21233]
    R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2001-09-03 19534]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
    R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2003-12-19 12160]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-20 33752]
    S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys --> c:\windows\system32\DRIVERS\klim5.sys [?]
    S3 lac97inf;lac97inf;\??\c:\docume~1\Matt\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\Matt\LOCALS~1\Temp\lac97inf.sys [?]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
    .
    - - - - ORPHANS REMOVED - - - -
    
    BHO-{B2BA40A2-74F3-42BD-F434-2604812C8954} - c:\windows\system32\hsf73ikmdf3f.dll
    BHO-{cafd22b3-e5fd-416e-bd0d-21033455b078} - c:\windows\system32\lujetifi.dll
    HKCU-Run-Steam - c:\program files\steam\steam.exe
    HKCU-Run-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    HKLM-Run-009db28f - c:\windows\system32\gihujasu.dll
    SharedTaskScheduler-{B2BA40A2-74F3-42BD-F434-2604812C8954} - c:\windows\system32\hsf73ikmdf3f.dll
    SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kiduruka.dll
    
    
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.xanga.com/private/yourhome.aspx?user=pimpin_potter
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    Trusted Zone: musicmatch.com\online
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
    DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/197327f80eb305cb8306/netzip/RdxIE601.cab
    FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\jwjue9jy.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/showthread.php?p=303311#post303311
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - component: c:\program files\Mozilla Firefox\components\bdfcfabdecfdbba.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: g:\program files\DivX\DivX Content Uploader\npUpload.dll
    FF - plugin: g:\program files\DivX\DivX Web Player\npdivx32.dll
    .
    
    **************************************************************************
    
    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-10 21:27:08
    Windows 5.1.2600 Service Pack 3 NTFS
    
    scanning hidden processes ...  
    
    scanning hidden autostart entries ... 
    
    scanning hidden files ...  
    
    
    c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys 39936 bytes executable
    c:\windows\system32\_111965fe3459b78cacf1ed4d883df843.sys_.vir 39936 bytes executable
    
    scan completed successfully
    hidden files: 2
    
    **************************************************************************
    
    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\111965fe3459b78cacf1ed4d883df843]
    "ImagePath"="system32\111965fe3459b78cacf1ed4d883df843.sys"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,fc,bd,91,37,73,
       a7,8f,c2,c8,28,51,af,b0,29,a3,98,c1,ac,66,f0,3c,67,fd,50,e2,63,26,f1,3f,c8,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,95,5c,67,fb,b7,
       d4,0f,0f,71,3b,04,66,8b,46,0d,96,e8,37,b4,be,66,e5,9e,5f,6a,9c,d6,61,af,45,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,4d,7e,96,96,41,
       aa,67,68,25,da,ec,7e,55,20,c9,26,11,4b,19,74,c9,0b,96,42,ff,7c,85,e0,43,d4,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,51,f7,8d,05,75,
       2f,8e,77,3e,1e,9e,e0,57,5a,93,61,da,57,62,6b,47,68,bc,83,86,8c,21,01,be,91,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ff,5d,d3,01,e9,
       ba,9e,b5,cd,44,cd,b9,a6,33,6c,cd,74,6d,84,01,9f,c7,14,59,f5,1d,4d,73,a8,13,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,53,d8,68,3c,71,
       fc,16,58,b0,18,ed,a7,3f,8d,37,a4,7e,54,05,37,f2,f6,5d,08,df,20,58,62,78,6b,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,ed,c5,32,cc,5c,
       ff,ae,eb,31,77,e1,ba,b1,f8,68,02,25,7e,03,43,88,2f,df,33,fb,a7,78,e6,12,2f,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,31,a0,3c,57,33,
       37,c7,c7,83,6c,56,8b,a0,85,96,ab,4a,bc,6a,36,97,5b,95,1c,01,3a,48,fc,e8,04,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,68,31,e6,f9,c6,
       67,0f,12,51,fa,6e,91,28,9e,14,cc,35,3a,3d,06,d3,ea,12,a2,f6,0f,4e,58,98,5b,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,ab,b9,b3,fb,46,
       eb,96,55,b1,cd,45,5a,a8,c4,f8,b9,df,38,07,23,16,4e,3d,aa,3d,ce,ea,26,2d,45,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,e0,87,01,cb,7b,
       ce,6c,92,e3,0e,66,d5,eb,bc,2f,6b,a9,5e,31,69,51,b2,b8,c7,2a,b7,cc,b5,b9,7f,\
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,de,75,72,90,38,
       20,86,97,fa,ea,66,7f,d4,3b,6b,70,e8,53,bf,49,80,1a,8a,ef,6c,43,2d,1e,aa,22,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    
    - - - - - - - > 'winlogon.exe'(804)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\klogon.dll
    
    - - - - - - - > 'lsass.exe'(860)
    c:\windows\dtigopx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\system32\CTSVCCDA.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Java\jre6\bin\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-10 21:46:07 - machine was rebooted [Matt]
    ComboFix-quarantined-files.txt  2009-04-11 02:46:04
    
    Pre-Run: 1,148,157,952 bytes free
    Post-Run: 2,083,098,624 bytes free
    
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    
    3002	--- E O F ---	2008-12-18 04:55:08
    Last edited by katana; 2009-04-11 at 12:20.
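The registry section of the ComboFix log above repeats one shape over and over: an InprocServer32 key whose default value points at OLE32.DLL, plus an extra binary value whose name is a 32-hex-digit string, something a normal COM server registration does not carry. The following Python is an added example, not part of the thread and not ComboFix's own code: it parses .reg-style text of the kind shown in the log and reports keys with that shape. The sample input is constructed: the first key and its value names are copied from the log (hex payload shortened), the second key is a benign control entry with a made-up CLSID.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of the ComboFix log above. The first key and
# its value names are copied from the log (payload shortened); the second key
# is a constructed benign control entry with a made-up CLSID.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,53,d8,68,3c,71,\
   fc,16,58,b0,18,ed,a7,3f,8d,37,a4,7e,54,05,37,f2,f6,5d,08,df,20,58,62,78,6b

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\example.dll"
"""

# A value name made of exactly 32 hex digits (the shape seen in the log).
HEX_NAME = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg-style text into {key_path: {value_name: raw_data}}.

    '@' is the key's default value. A trailing backslash continues a value
    onto the next line, as in a regedit export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line:
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = name.strip()
        if name != "@":
            name = name.strip('"')
        keys[current][name] = data.strip()
    return keys


def hex_bytes(data: str) -> bytes:
    """Decode a 'hex:aa,bb,...' value into bytes."""
    body = data.split(":", 1)[1] if ":" in data else ""
    return bytes(int(b, 16) for b in body.split(",") if b.strip())


def suspicious_inprocserver32(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """Flag InprocServer32 keys whose default points at OLE32.DLL but which
    also carry a binary value named by a 32-hex-digit string.

    Returns (key_path, value_name, payload_length) for each hit."""
    hits: List[Tuple[str, str, int]] = []
    for path, values in keys.items():
        # ComboFix prints some key paths with a trailing '*'; drop it before
        # looking at the leaf name.
        leaf = path.rstrip("*").rsplit("\\", 1)[-1]
        if leaf.lower() != "inprocserver32":
            continue
        default = values.get("@", "").strip('"').replace("\\\\", "\\")
        if not default.lower().endswith("ole32.dll"):
            continue
        for name, data in values.items():
            if HEX_NAME.match(name) and data.lower().startswith("hex"):
                hits.append((path, name, len(hex_bytes(data))))
    return hits


if __name__ == "__main__":
    for path, name, size in suspicious_inprocserver32(parse_reg(SAMPLE_REG)):
        print(f"{path}\n  value {name}: {size} bytes of binary data")
```

Run it against a regedit export of HKLM\Software\Classes\CLSID from the machine being reviewed; entries it reports are the ones to compare against the ComboFix log and submit for analysis rather than delete by hand.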

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Well, that certainly cleared a lot

    Step 1

    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If requested, please reboot
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    -----------------------------------------------------------
    Step 2

    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      http://forums.spybot.info/showthread.php?p=304254#post304254
      Comment:: Katana
      Suspect::[4]
      c:\windows\system32\glzeyhf
      c:\windows\Ojiwafabipe.dat
      c:\windows\Nqufuruya.bin
      C:\lrkl.exe
      C:\onspqrnk.exe
      C:\fkajlvl.exe
      C:\ovmhmkie.exe
      c:\windows\mqcd.dbt
      c:\windows\system32\nvtpm32.dll
      C:\wlct.exe
      c:\windows\system32\azton.mt
      c:\windows\system32\er3r.pxf
      C:\jurj.exe
      c:\windows\system32\kei1w.an
      c:\windows\system32\fe3.wa
      c:\windows\system32\kdoqmn.sr
      c:\windows\system32\doqkm.zt
      C:\kgqxi.exe
      C:\10334752
      c:\windows\instsp2.exe
      c:\windows\ofevehamirolu.dll
      c:\Program Files\mozilla firefox\components\bdfcfabdecfdbba.dll
      c:\windows\system32\kujonage.dll
      c:\windows\dtigopx.dll
      c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys
      File::
      c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys
      c:\windows\system32\_111965fe3459b78cacf1ed4d883df843.sys_.vir
      c:\windows\dtigopx.dll
      c:\windows\system32\glzeyhf
      c:\windows\Ojiwafabipe.dat
      c:\windows\Nqufuruya.bin
      C:\lrkl.exe
      C:\onspqrnk.exe
      C:\fkajlvl.exe
      C:\ovmhmkie.exe
      c:\windows\mqcd.dbt
      c:\windows\system32\nvtpm32.dll
      C:\wlct.exe
      c:\windows\system32\azton.mt
      c:\windows\system32\er3r.pxf
      C:\jurj.exe
      c:\windows\system32\kei1w.an
      c:\windows\system32\fe3.wa
      c:\windows\system32\kdoqmn.sr
      c:\windows\system32\doqkm.zt
      C:\kgqxi.exe
      C:\10334752
      c:\windows\instsp2.exe
      c:\windows\ofevehamirolu.dll
      c:\Program Files\mozilla firefox\components\bdfcfabdecfdbba.dll
      c:\windows\system32\kujonage.dll
      Folder::
      Driver::
      Registry::
      [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\111965fe3459b78cacf1ed4d883df843]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Whopucizepu"=-
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "28570:TCP"=-
      "9469:UDP"=-
      ADS::
    • Save this as CFScript.txt and place it on your desktop.
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. (CleanMe)
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • **Note**
      When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
      • Ensure you are connected to the internet and click OK on the message box.
    • Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    -----------------------------------------------------------
    Step 3

    Installed Programs

    Please could you give me a list of the programs that are installed.
    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list with the programs installed in your computer.
    Click on save list button and specify where you would like to save this file.
    When you press Save button a notepad will open with the contents of that file.
    Simply copy and paste the contents of that notepad into your next post.

    -----------------------------------------------------------
    Step 4

    Kaspersky Online Scanner
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
    NOTE:- This scan is best done from IE (Internet Explorer)

    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on!
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

    -----------------------------------------------------------
    Step 5

    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • MalwareBytes Log
    • Combofix Log
    • Installed Programs List
    • Kaspersky Log
    • How are things running now ?
    Microsoft MVP Consumer Security 2009-2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY
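The CFScript in Step 2 is a plain-text file made of `::` sections (Comment::, Suspect::, File::, Folder::, Driver::, Registry::, ADS::), with the Registry:: block written in ordinary .reg export syntax: `[-KEY]` deletes a key, `[KEY]` selects one and `"name"=-` beneath it deletes that value. The Python below is an added example, not ComboFix's code and not from the thread: it parses such a script, classifies the registry directives, and lets you check afterwards which File:: entries still exist through an injected `exists` callback (pass `os.path.exists` on the affected machine; the callback is injected so the code also runs elsewhere). The same parser handles the shorter follow-up script posted later in this thread, whose service key sits under ControlSet004 rather than CurrentControlSet; `control_set_variants` (my name) expands a CurrentControlSet path into the numbered control sets a verifier should look at. The sample script is constructed from the post's own lines with the file list shortened.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed excerpt modelled on the CFScript in the post above: section
# layout and registry lines copied from the page, file list shortened.
SAMPLE_CFSCRIPT = r"""
http://forums.spybot.info/showthread.php?p=304254#post304254
Comment:: Katana
Suspect::[4]
c:\windows\dtigopx.dll
c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys
File::
c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys
c:\windows\dtigopx.dll
C:\lrkl.exe
Folder::
Driver::
Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\111965fe3459b78cacf1ed4d883df843]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Whopucizepu"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28570:TCP"=-
"9469:UDP"=-
ADS::
"""

# A section header: a word, '::', and an optional argument ('[4]', 'Katana').
SECTION = re.compile(r"^([A-Za-z]+)::(.*)$")

RegAction = Tuple[str, Optional[str], Optional[str]]  # (action, key, value_name)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its '::' sections.

    Lines before the first header (here the thread URL) go under 'Preamble'.
    A header argument such as 'Suspect::[4]' is stored under '<Section>::arg'."""
    sections: Dict[str, List[str]] = {"Preamble": []}
    current = "Preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            arg = m.group(2).strip()
            if arg:
                sections[current + "::arg"] = [arg]
            continue
        sections[current].append(line)
    return sections


def registry_actions(lines: List[str]) -> List[RegAction]:
    """Classify Registry:: lines using .reg export semantics."""
    actions: List[RegAction] = []
    key: Optional[str] = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # selects the key for what follows
        elif line.endswith("=-") and key is not None:
            actions.append(("delete_value", key, line[:-2].strip().strip('"')))
        else:
            actions.append(("unrecognised", key, line))
    return actions


def control_set_variants(key_path: str, count: int = 4) -> List[str]:
    """CurrentControlSet is only an alias for one ControlSetNNN key, which is
    why the follow-up script had to hit ControlSet004 as well. Return the
    numbered variants of a CurrentControlSet path so each can be checked."""
    return [key_path.replace("CurrentControlSet", f"ControlSet{n:03d}")
            for n in range(1, count + 1)]


def remaining_files(sections: Dict[str, List[str]], exists: Callable[[str], bool]) -> List[str]:
    """Post-cleanup check: File:: entries that still exist according to `exists`."""
    return [path for path in sections.get("File", []) if exists(path)]


if __name__ == "__main__":
    import os
    script = parse_cfscript(SAMPLE_CFSCRIPT)
    for action in registry_actions(script["Registry"]):
        print(action)
    print("still present:", remaining_files(script, os.path.exists))
```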

  9. #9
    Junior Member
    Join Date
    Apr 2009
    Posts
    13

    Default

    Okay, here we go. Once again the logs were too long to paste, so all four are in the attached zip file.

    Things are running a lot better now. I haven't had a pop-up or redirection and I can run programs that had been blocked. I still get an I/O device error every time I try to use one of my CD/DVD drives. I suppose this could be unrelated but the timing seemed very suspicious. What anti-malware program is the best to keep running continuously from now on? Thanks again!

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Please open >>> THIS PAGE <<< in a new window.

    In the box marked Link to topic where this file was requested: please put this text
    Code:
    http://forums.spybot.info/showthread.php?p=304469#post304469
    In the box marked Browse to the file you want to submit: please put this text
    Code:
    C:\Qoobox\Quarantine\[4]-Submit_2009-04-11@12.49.zip
    In the Largest box please put
    Code:
    File Requested By Katana
    Failed CF Submit
    Finally click SendFile



    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\system32\gesudofi.exe
      C:\WINDOWS\system32\vufurajo.exe
      c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys
      c:\windows\system32\Suspect_111965fe3459b78cacf1ed4d883df843.sys.vir
      c:\windows\system32\_111965fe3459b78cacf1ed4d883df843.sys_.vir
      Registry::
      [-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\111965fe3459b78cacf1ed4d883df843]
      
      ADS::
    • Save this as CFScript.txt and place it on your desktop.

    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    -----------------------------------------------------------

    Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Adobe Reader is a large program and uses unnecessary space.
    If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

    There is a newer version of Adobe Acrobat Reader available.
    • Please go to this link Adobe Acrobat Reader Download Link
    • Click Download
    • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
    • Click the Continue button
    • Click Run, and click Run again
    • Next click the Install Now button and follow the on screen prompts
    Older versions of Java have vulnerabilities that malware can use to infect your system.


    Now download JavaRa and unzip it to your desktop.

    ***Please close any instances of Internet Explorer (or other web browser) before continuing!***

    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location. (You don't need to post it)
    You can delete JavaRa (zip and exe)


    Remove Programs

    Older versions of some programs have vulnerabilities that malware can use to infect your system.

    Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista). If any of the following programs are listed there, click on the program to highlight it, and click on remove.
    • Adobe Reader 7.1.0
    • J2SE Runtime Environment 5.0 Update 1
    • J2SE Runtime Environment 5.0 Update 10
    • J2SE Runtime Environment 5.0 Update 2
    • J2SE Runtime Environment 5.0 Update 4
    • J2SE Runtime Environment 5.0 Update 6
    • Java(TM) 6 Update 3
    • Java(TM) 6 Update 5
    • Java(TM) 6 Update 7

    Now close the Control Panel.

    -----------------------------------------------------------

    Download and Run RSIT
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.
    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • Combofix Log
    • RSIT logs
    • How are things running now ?
    Last edited by katana; 2009-04-13 at 11:32.
    Microsoft MVP Consumer Security 2009-2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY
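The Remove Programs step above illustrates a common state: several Java runtimes installed side by side, so that even after a newer one is added the old, vulnerable ones remain on disk and reachable, plus an out-of-date Adobe Reader. The Python below is an added example, not from the thread and not JavaRa's code: given an installed-programs list in the style of the HijackThis Uninstall Manager output requested in the earlier post, it picks out the JRE entries, keeps the newest and lists the rest (the ones "Remove Older Versions" targets), and `below_minimum` flags any product whose version is below a caller-supplied floor. The list is constructed from the post's entries plus a made-up newer "Java(TM) 6 Update 13" line so that there is something to keep; the version floor in the usage is likewise the caller's choice, not a value from the page.

```python
import re
from typing import List, Optional, Tuple

# Constructed installed-programs list in the style of the HijackThis
# Uninstall Manager output. The Java and Adobe entries are the ones named in
# the post above; "Java(TM) 6 Update 13" and the last two lines are filler.
SAMPLE_PROGRAMS = """
Adobe Reader 7.1.0
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) 6 Update 13
Malwarebytes' Anti-Malware
Viewpoint Manager
"""

Version = Tuple[int, ...]

# Display-name patterns Sun used for the JRE, normalised to (1, major, 0, update)
# so that "J2SE 5.0" and "Java(TM) 6" entries compare correctly.
JAVA_PATTERNS = [
    (re.compile(r"^J2SE Runtime Environment 5\.0 Update (\d+)$"),
     lambda m: (1, 5, 0, int(m.group(1)))),
    (re.compile(r"^Java\(TM\) (\d+) Update (\d+)$"),
     lambda m: (1, int(m.group(1)), 0, int(m.group(2)))),
]


def parse_program_list(text: str) -> List[str]:
    """One program display name per non-empty line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def java_version(name: str) -> Optional[Version]:
    """Return the normalised JRE version for a display name, or None."""
    for pattern, convert in JAVA_PATTERNS:
        m = pattern.match(name)
        if m:
            return convert(m)
    return None


def older_java_runtimes(programs: List[str]) -> Tuple[Optional[str], List[str]]:
    """Return (newest JRE entry, all other JRE entries).

    The second list is what should come off the machine: every extra JRE is an
    extra copy of old, unpatched code that a page can still target."""
    found = [(v, p) for p in programs if (v := java_version(p)) is not None]
    if not found:
        return None, []
    newest_version, newest_name = max(found)
    return newest_name, [p for v, p in found if v != newest_version]


def program_version(name: str, product: str) -> Optional[Version]:
    """Parse '<product> a.b.c' into a comparable tuple."""
    m = re.match(rf"^{re.escape(product)}\s+(\d+(?:\.\d+)*)$", name)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def below_minimum(programs: List[str], product: str, minimum: Version) -> List[str]:
    """Entries of `product` whose version is below the caller's floor."""
    out = []
    for p in programs:
        v = program_version(p, product)
        if v is not None and v < minimum:
            out.append(p)
    return out


if __name__ == "__main__":
    progs = parse_program_list(SAMPLE_PROGRAMS)
    keep, remove = older_java_runtimes(progs)
    print("keep:", keep)
    print("remove:", *remove, sep="\n  ")
    # (8, 0, 0) is an illustrative floor chosen here, not a value from the thread.
    print("old Adobe Reader:", below_minimum(progs, "Adobe Reader", (8, 0, 0)))
```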
