Viscious malware won't allow spybot or any other anti maleware to run.

The HiJackThis Log File:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:52 PM, on 10/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\AOL 9.1c\waol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AOL 9.1c\shellmon.exe
C:\Program Files\Common Files\AOL\1159913245\EE\aolsoftware.exe
c:\program files\common files\aol\1159913245\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1159913245\EE\aolsoftware.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1c\AOL.EXE" -b
O4 - HKUS\S-1-5-21-3280914454-3957047030-2358322178-1007\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1c\AOL.EXE" -b (User '?')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: *.mhcc.edu
O15 - Trusted Zone: http://*.mhcc.edu
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O23 - Service: McAfee Application Installer Cleanup (0229931254061299) (0229931254061299mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\022993~1.EXE (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O24 - Desktop Component 0: (no name) - http://www.theoutlookonline.com/news_graphics/115816374922824500.jpg

--
End of file - 9336 bytes
 
Hello,

Boy, you had a ton of malware, viruses and a rootkit, whatever your doing on the internet you need to change what you have been doing or your going to keep getting infected over and over again, and let me tell ya, there are threats going around now that leave no option but to format and reinstall windows.


Download: DelDomains and save it to the desktop.
  • Close all open windows and your browser
  • Right Click DelDomains.inf and select > Install
  • Reboot your computer
Internet Explorer is needed to run this program properly.




What I would like you to do is to reboot your system and then run this scanner and post the log please.


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
 
I'll inform the owner of this computer to change their browsing habits. As I stated earlier, this isn't my PC. Its the 'family' pc... therefore there's a mathbook of variables I don't want to begin comprehending...

I installed the DelDomains.inf and restarted, but the RSIT.exe isn't functioning.
It will open and begin to try "Writing Header Information" but then an "Autolt Error" occurs with the following issue:

Line -1:

Error: Variable used without being declared.

How should I go about this?
 
OK, lets run this one

Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
  • DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control Here
 
DDS (Ver_09-09-29.01) - NTFSx86
Run by HP_Administrator at 23:57:22.60 on Mon 10/05/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
uRun: [AOL Fast Start] "c:\program files\aol 9.1c\AOL.EXE" -b
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\yafy98wb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CLie7&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CLab&query=
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XULRunner: {B8542336-4284-4675-9352-84D2DE8DE27F} - c:\documents and settings\hp_administrator\local settings\application data\{B8542336-4284-4675-9352-84D2DE8DE27F}
FF - HiddenExtension: XULRunner: {5D6BD32C-E7F1-4910-94A0-444E5E7E818F} - c:\documents and settings\administrator\local settings\application data\{5d6bd32c-e7f1-4910-94a0-444e5e7e818f}\

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-05 09:49 54,156 a---h--- c:\windows\QTFont.qfn
2009-10-04 12:21 <DIR> --d----- c:\program files\Trend Micro
2009-10-04 12:00 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-10-04 12:00 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-04 12:00 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-04 12:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-04 12:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-04 11:59 19,992 a------- c:\windows\system32\qetygyfin.vbs
2009-10-04 11:59 16,773 a------- c:\windows\ekopunolo.reg
2009-10-04 11:59 16,577 a------- c:\docume~1\alluse~1\applic~1\wumilece.sys
2009-10-04 11:59 15,692 a------- c:\docume~1\hp_adm~1\applic~1\ifokojabe.scr
2009-10-04 11:59 15,264 a------- c:\windows\gycyfeda.exe
2009-10-04 11:59 14,148 a------- c:\docume~1\alluse~1\applic~1\ewawehepu.bin
2009-10-04 11:59 14,096 a------- c:\docume~1\hp_adm~1\applic~1\irimavese.reg
2009-10-04 11:59 12,048 a------- c:\program files\common files\oqacicok.com
2009-10-04 11:59 11,053 a------- c:\windows\gavuboz._sy
2009-10-04 11:59 10,940 a------- c:\program files\common files\kumahig.bin
2009-10-04 11:59 10,549 a------- c:\program files\common files\biwu.scr
2009-10-04 11:59 10,358 a------- c:\docume~1\hp_adm~1\applic~1\qapysoc.sys
2009-10-04 11:00 14,683 a------- c:\windows\system32\vaqavisahi.db
2009-10-04 08:53 <DIR> --d----- c:\windows\system32\XPSViewer
2009-10-04 08:52 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-10-04 08:52 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-04 08:52 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-04 08:52 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-10-04 08:52 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-04 08:52 117,760 -------- c:\windows\system32\prntvpt.dll
2009-10-04 08:52 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-04 08:52 <DIR> --d----- C:\5fb73fb5a2ff3b786c24050f2cbed684
2009-10-04 08:50 <DIR> --d----- c:\program files\MSXML 6.0
2009-10-04 08:44 <DIR> --d----- c:\windows\ServicePackFiles
2009-10-03 12:39 229,888 a------- c:\windows\PEV.exe
2009-10-03 12:39 161,792 a------- c:\windows\SWREG.exe
2009-10-03 12:39 98,816 a------- c:\windows\sed.exe
2009-09-27 03:19 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-09-27 02:59 <DIR> --d----- c:\program files\PALADIN
2009-09-27 02:40 <DIR> --d----- c:\program files\Search & Destroy
2009-09-27 02:03 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\McAfee
2009-09-24 21:41 9,409 a------- c:\windows\system32\Config.MPF
2009-09-24 21:38 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-09-24 21:38 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-09-24 21:38 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-09-24 21:38 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-09-24 21:37 <DIR> --d----- c:\program files\common files\McAfee
2009-09-24 21:37 <DIR> --d----- c:\program files\McAfee.com
2009-09-24 21:35 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-09-24 21:05 <DIR> --d----- c:\program files\McAfee
2009-09-24 20:01 16,099 a------- c:\windows\ferital.db
2009-09-22 18:04 <DIR> --d----- c:\program files\AOL 9.1c

==================== Find3M ====================

2009-10-05 22:28 18,668 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-10-04 11:59 10,935 a------- c:\program files\common files\niseloj.dl
2009-08-21 02:46 450,560 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 02:11 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:11 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-28 21:53 119,808 -------- c:\windows\system32\t2embed.dll
2009-07-28 21:53 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 21:53 82,432 -------- c:\windows\system32\fontsub.dll
2009-07-28 21:53 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-18 09:00 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-18 09:00 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 11:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 11:55 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 06:42 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-05-13 18:47 61,224 a------- c:\documents and settings\hp_administrator\GoToAssistDownloadHelper.exe

============= FINISH: 23:57:55.75 ===============
 
Hi,

You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE


Delete all these files and leave them in the Recycle Bin for a few days.

c:\docume~1\alluse~1\applic~1\wumilece.sys

c:\program files\common files\oqacicok.com
c:\program files\common files\kumahig.bin
c:\program files\common files\biwu.scr

c:\windows\gycyfeda.exe
c:\windows\gavuboz._sy
c:\windows\ekopunolo.reg

c:\windows\system32\vaqavisahi.db
c:\windows\system32\qetygyfin.vbs


c:\Documents and settings\hp_adm~1



Please run this free online virus scanner from ESET
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=18baaec4d98d9442964c5470a95f2bc0
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-08 02:41:50
# local_time=2009-10-07 07:41:50 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5121 21 100 85 31504883593750
# scanned=130622
# found=32
# cleaned=32
# scan_time=4787
C:\Documents and Settings\HP_Administrator\Local Settings\temp\C.tmp a variant of Win32/Mebroot.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\HP_Administrator\Local Settings\temp\~TMB.tmp Win32/TrojanDownloader.Bredolab.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\hp\bin\wbug\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Application Data\lizkavd.exe.vir a variant of Win32/Kryptik.ASB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Application Data\seres.exe.vir a variant of Win32/Kryptik.ASB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Application Data\svcst.exe.vir a variant of Win32/Kryptik.ASB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir a variant of Win32/Kryptik.ASB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\9129837.exe.vir a variant of Win32/Kryptik.ARF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir a variant of Win32/Kryptik.ASB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Win32/TrojanDownloader.Bredolab.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP14\A0004245.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP8\A0002738.exe a variant of Win32/Kryptik.ARF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP8\A0002739.exe Win32/TrojanDownloader.Bredolab.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP9\A0003617.exe a variant of Win32/Kryptik.ASB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP9\A0003667.exe a variant of Win32/Kryptik.ASB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP9\A0003670.exe Win32/TrojanDownloader.Bredolab.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP9\A0003809.exe a variant of Win32/Kryptik.ASB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\pss\mhbupd32.exeStartup Win32/TrojanDownloader.Bredolab.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\byezihq Win32/Pinit virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\luftxwe Win32/Pinit virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\nujekn Win32/Pinit virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\rudvp Win32/Pinit virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\vfmt Win32/Pinit virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\zxpzgfim Win32/Pinit virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\dllcache\user32.dll Win32/Pinit virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\dllcache\zser32.tmp Win32/Pinit virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\wbem\proquota.exe Win32/TrojanDownloader.Bredolab.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP02906\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP02906\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP14\A0004248.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP14\A0004249.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
 
Hello,

Where you able to delete the files I posted ? ESET found some more junk, some of it being backups of what the other scans removed.

Lets take a final check and also let me know how things are running now?

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
 
DJToast as it has been four days or more since your last post, and the helper assisting you posted a response to which you did not reply, this topic has been archived and will not be re-opened. If you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread.

Please do not add any logs that might have been requested previously, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start your own topic.

Thank you Ken.
 
You must log in or register to reply here.
Back
Top