Old 04-23-2008, 07:56 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 17
OS: WinXP


[SOLVED] 123Messenger/TrojanDownloader.xs/180Solutions/0WebSearch/007Spy/Multiple Vir

Hello,
I am experiencing THE WORST virus ever! I received the virus after downloading a program called "Ashampoo Uninstaller," which was supposed to cleanse my computer, not infect it. After installing it, my computer slowed down and eventually froze. After rebooting and uninstalling the app, that's when the problem started.

I started receiving suspicious scripts that Windows asked for me to allow or kill (which I of course killed). I tried going online and I no longer could. I tried running Spybot S&D, since I had it on my computer already, and it wouldn't update, so I couldn't run it. I ran Spyware Blaster (had it installed previously as well) and my computer crashed (I was in Normal Mode). I ran it again in Safe Mode and it worked; I removed the malware and adware from the scan (or so I thought).

My computer now shows a blue desktop that says something like: "Your computer has been infected with spyware... click here to scan your PC for spyware".

I can't open the Task Manager; it says something like: "Task Manager has been disabled". I'm the administrator though.
I can't go online. It will not let me. I'm using my roommate's computer.
I can't use my help and support feature. It won't let me open it.
I can't open my Add/Remove Programs feature now. It won't let me.
It will not even let me format the drive.


This is the worst virus I have ever dealt with.

I ran the dss.exe twice and it did not provide me with an extra.txt.

Deckard's System Scanner v20071014.68
Run by Jimmy on 2008-04-23 19:41:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jimmy.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-23 19:41:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\Program Files\McAfee.com\VSO\McShield.exe
C:\Program Files\McAfee.com\Agent\McTskshd.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jimmy\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {e398eb5c-361a-4a9b-8850-c291e8fd0769} - C:\WINDOWS\system32\geBsrRkj.dll
O2 - BHO: (no name) - {f50b3f5e-856e-4757-9bb1-b35d46ca7719} - C:\WINDOWS\system32\vtUonkjj.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\Program Files\McAfee.com\VSO\mcvsshl.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Magic Boss Key] C:\Program Files\Magicboss\mgboss.exe -min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Jimmy\cftmon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\DOS\directory\msconfig.exe /auto
O4 - HKCU\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /M "Stylus CX6600" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Real Desktop] "C:\Program Files\Real Desktop\Real Desktop.exe"
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Jimmy\cftmon.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Jimmy\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Memeo AutoBackup Launcher.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'C:\Program Files\webHancer\Programs\webhdll.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...eckControl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1166853266390
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/downlo...4/clearadj.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} () - http://download.abacast.com/download...nt2.1.20.2.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: ibudu - C:\WINDOWS\system32\ibudu.dll
O20 - Winlogon Notify: vtUonkjj - C:\WINDOWS\system32\vtUonkjj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\Mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\McShield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\McTskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MsSecurity Updated (mssecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O24 - Desktop Component 0: - C:\Documents and Settings\Jimmy\My Documents\YKM Logos\YKM Logo on Black Background.jpg

--
End of file - 12824 bytes

-- Files created between 2008-03-23 and 2008-04-23 -----------------------------

2008-04-23 16:34:40 2560 --a------ C:\WINDOWS\system32\itcoe.sys
2008-04-23 16:30:38 29952 --a------ C:\WINDOWS\swin32.dll
2008-04-23 05:44:54 7168 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-04-22 17:35:30 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-22 17:35:13 0 d-------- C:\Program Files\SpywareBlaster
2008-04-22 17:25:15 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-22 17:25:15 2549 --a------ C:\WINDOWS\unins000.dat
2008-04-22 17:10:47 27904 --a------ C:\WINDOWS\stcloader.exe
2008-04-22 17:10:45 23808 --a------ C:\WINDOWS\voiceip.dll
2008-04-22 17:10:45 10752 --a------ C:\WINDOWS\cdsm32.dll
2008-04-22 17:10:45 8704 --a------ C:\WINDOWS\bokja.exe
2008-04-22 17:10:41 18176 --a------ C:\WINDOWS\mssvr.exe
2008-04-22 17:10:41 17920 --a------ C:\WINDOWS\mspphe.dll
2008-04-22 17:10:41 13824 --a------ C:\WINDOWS\bjam.dll
2008-04-22 17:10:41 20736 --a------ C:\WINDOWS\2020search2.dll
2008-04-22 17:10:41 30720 --a------ C:\WINDOWS\2020search.dll
2008-04-22 17:10:29 29440 --a------ C:\WINDOWS\saiemod.dll
2008-04-22 17:10:26 9216 --a------ C:\WINDOWS\msapasrc.dll
2008-04-22 17:10:26 23296 --a------ C:\WINDOWS\msa64chk.dll
2008-04-22 17:10:23 31232 --a------ C:\WINDOWS\shdocpl.dll
2008-04-22 17:10:22 31744 --a------ C:\WINDOWS\ntnut.exe
2008-04-22 17:10:21 27904 --a------ C:\WINDOWS\shdocpe.dll
2008-04-22 17:10:20 27648 --a------ C:\WINDOWS\winsb.dll
2008-04-22 17:10:20 20736 --a------ C:\WINDOWS\browserad.dll
2008-04-22 17:10:19 13312 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-22 17:10:19 20224 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-22 17:10:19 30976 --a------ C:\WINDOWS\avifile32.dll
2008-04-22 17:10:18 24064 --a------ C:\WINDOWS\autodisc32.dll
2008-04-22 17:10:18 8960 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-22 17:10:18 32000 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-22 17:10:17 8448 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-22 17:10:17 27648 --a------ C:\WINDOWS\athprxy32.dll
2008-04-22 17:10:17 23552 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-22 17:10:16 26368 --a------ C:\WINDOWS\asferror32.dll
2008-04-22 17:10:16 30208 --a------ C:\WINDOWS\apphelp32.dll
2008-04-22 17:10:15 16384 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-22 16:02:40 6672 --a------ C:\WINDOWS\system32\ibudu.dll
2008-04-22 15:42:29 61952 --a------ C:\WINDOWS\system32\gkpaxt.exe
2008-04-22 15:42:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-22 15:42:07 0 d-------- C:\Documents and Settings\LocalService\Application Data\MEGAUPLOADTOOLBAR
2008-04-22 15:42:02 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-04-22 15:41:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-22 15:41:25 0 d-------- C:\Program Files\Bat
2008-04-22 15:41:19 89515 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-22 15:41:19 89515 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-04-22 15:41:09 28672 --a------ C:\WINDOWS\winself.exe
2008-04-22 15:41:07 37376 --a------ C:\WINDOWS\mrofinu1645.exe
2008-04-22 15:40:59 67506 --a------ C:\WINDOWS\fkjdfje.sys
2008-04-22 15:40:59 7168 --a------ C:\d.exe
2008-04-22 15:40:35 2 --a------ C:\1416442678
2008-04-22 15:40:25 61952 --a------ C:\gkpaxt.exe
2008-04-22 15:40:24 71168 --a------ C:\njhxmjb.exe
2008-04-22 15:40:24 7168 --a------ C:\Documents and Settings\Jimmy\cftmon.exe
2008-04-22 15:40:23 13824 --a------ C:\ygnat.exe
2008-04-22 15:40:16 39936 --a------ C:\WINDOWS\system32\awtrQjGW.dll
2008-04-22 14:55:51 8559 --ahs---- C:\WINDOWS\system32\jkRrsBeg.ini2
2008-04-22 14:55:46 272384 --a------ C:\WINDOWS\system32\geBsrRkj.dll
2008-04-22 14:55:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Ashampoo
2008-04-22 14:51:13 0 d-------- C:\Documents and Settings\All Users\Application Data\eboostr
2008-04-22 14:50:37 39936 --a------ C:\WINDOWS\system32\vtUonkjj.dll
2008-04-22 13:54:07 0 d-------- C:\Program Files\Driver PLL
2008-04-10 03:28:59 40960 --a------ C:\WINDOWS\system32\xpadfrc.dll <Not Verified; XPAD; XPADFRC>
2008-04-10 03:28:58 176128 --a------ C:\WINDOWS\system32\GGE910cp.dll
2008-04-10 03:28:58 0 d-------- C:\WINDOWS\system32\ffb
2008-04-10 03:28:57 29405 --a------ C:\WINDOWS\system32\drivers\xpad910.sys <Not Verified; Compuware Corporation; DriverStudio>
2008-04-10 03:28:57 0 d-------- C:\Program Files\Game Elements
2008-04-06 10:29:24 0 d-------- C:\Program Files\Rockstar Games
2008-04-04 22:25:28 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-04 22:25:22 0 d-------- C:\Documents and Settings\Jimmy\Application Data\CyberLink
2008-04-04 22:20:33 0 d-------- C:\Program Files\Common Files\CyberLink
2008-04-04 22:19:03 0 d-------- C:\Program Files\CyberLink
2008-04-03 15:43:10 0 d-------- C:\Program Files\WizardWorks
2008-03-31 19:48:50 0 d-------- C:\Documents and Settings\Jimmy\Application Data\Off Road
2008-03-31 19:39:12 0 d-------- C:\Program Files\Xplosiv
2008-03-31 19:34:32 96256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2008-03-31 19:34:30 0 d-------- C:\Program Files\MagicDisc
2008-03-28 10:56:59 984576 --a------ C:\WINDOWS\system32\Ole32drv.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-28 10:55:49 0 d-------- C:\Program Files\EzGenerator3
2008-03-26 15:11:43 0 d-------- C:\Documents and Settings\Jimmy\Application Data\Stamps.com Internet Postage
2008-03-26 15:10:58 0 d-------- C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
2008-03-26 15:09:51 36 --ah----- C:\WINDOWS\system32\f9t.dat
2008-03-26 15:09:51 0 d-------- C:\Program Files\Stamps.com Internet Postage
2008-03-24 23:13:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-23 10:12:13 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-04-23 14:33:15 0 d-------- C:\Documents and Settings\Jimmy\Application Data\MegauploadToolbar
2008-04-23 12:49:48 0 d-------- C:\Documents and Settings\Jimmy\Application Data\Vso
2008-04-23 07:49:59 0 d-------- C:\Program Files\EndItAll
2008-04-23 05:50:18 0 d-------- C:\Program Files\PeerGuardian2
2008-04-22 18:04:04 1130 --a------ C:\sccfg.sys
2008-04-22 14:53:29 0 d-------- C:\Documents and Settings\Jimmy\Application Data\uTorrent
2008-04-18 10:21:32 0 d-------- C:\Program Files\ Firefox
2008-04-06 10:29:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-04 22:20:33 0 d-------- C:\Program Files\Common Files
2008-03-27 11:20:30 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-24 23:15:12 0 d-------- C:\Program Files\Google
2008-03-24 14:50:10 668 --a------ C:\Documents and Settings\Jimmy\Application Data\vso_ts_preview.xml
2008-03-24 10:51:45 0 d-------- C:\Program Files\Xvid
2008-03-22 13:22:27 0 d-------- C:\Program Files\Schillergames.Real.Desktop.v1.32a-DVT
2008-03-22 13:22:27 0 d-------- C:\Program Files\Real Desktop
2008-03-21 10:36:21 0 d-------- C:\Program Files\BestGameEver
2008-03-21 10:08:27 0 d-------- C:\Program Files\MagicISO
2008-03-21 08:57:30 0 d-------- C:\Documents and Settings\Jimmy\Application Data\Real Desktop
2008-03-12 21:52:28 0 d-------- C:\Documents and Settings\Jimmy\Application Data\Adobe
2008-03-10 23:37:57 0 d-------- C:\Documents and Settings\Jimmy\Application Data\Move Networks
2008-03-01 14:37:12 0 d-------- C:\Program Files\VSO
2008-02-27 13:03:50 0 d-------- C:\Program Files\Personal Voice Changer Driver
2008-02-27 03:29:02 0 d-------- C:\Program Files\Fake Voice
2008-02-25 18:21:28 0 d-------- C:\Program Files\Quicken
2008-02-25 18:20:07 0 d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2008-02-24 20:03:10 0 d-------- C:\Program Files\Common Files\eSellerate
2008-02-24 20:03:04 0 d-------- C:\Program Files\Memeo
2008-02-23 15:52:53 0 d-------- C:\Program Files\Firefox
2008-02-23 15:52:47 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-03 15:00:26 3532 --a------ C:\drmHeader.bin
2008-02-02 12:02:23 123768 --a------ C:\Documents and Settings\Jimmy\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e398eb5c-361a-4a9b-8850-c291e8fd0769}]
04/22/2008 02:55 PM 272384 --a------ C:\WINDOWS\system32\geBsrRkj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f50b3f5e-856e-4757-9bb1-b35d46ca7719}]
04/22/2008 02:50 PM 39936 --a------ C:\WINDOWS\system32\vtUonkjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [01/28/2004 11:19 PM C:\WINDOWS\SOUNDMAN.EXE]
"ATIModeChange"="Ati2mdxx.exe" [01/28/2004 11:20 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/12/2003 09:10 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [01/28/2004 11:22 PM]
"EPSON Stylus CX6600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.exe" [02/29/2004 07:00 PM]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 06:18 PM]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 12:49 PM]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [05/28/2003 05:37 PM]
"PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.exe" []
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 10:02 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 01:05 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [09/22/2005 07:29 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/01/2007 07:23 PM]
"Magic Boss Key"="C:\Program Files\Magicboss\mgboss.exe" [01/17/2008 08:34 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 04:27 PM]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [03/20/2008 08:23 PM]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [12/14/2007 11:36 AM]
"autoload"="C:\Documents and Settings\Jimmy\cftmon.exe" [04/22/2008 03:40 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"MSConfig"="C:\DOS\directory\msconfig.exe" [10/19/2007 02:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX6600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.exe" [02/29/2004 07:00 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [10/24/2007 04:04 PM]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [09/18/2005 07:40 PM]
"Real Desktop"="C:\Program Files\Real Desktop\Real Desktop.exe" []
"autoload"="C:\Documents and Settings\Jimmy\cftmon.exe" [04/22/2008 03:40 PM]
"Jnskdfmf9eldfd"="C:\DOCUME~1\Jimmy\LOCALS~1\Temp\csrssc.exe" [04/22/2008 05:57 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"autoload"=C:\Documents and Settings\LocalService\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Jimmy\My Documents\YKM Logos\YKM Logo on Black Background.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F50B3F5E-856E-4757-9BB1-B35D46CA7719}"= C:\WINDOWS\system32\vtUonkjj.dll [04/22/2008 02:50 PM 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ibudu]
ibudu.dll 04/22/2008 04:02 PM 6672 C:\WINDOWS\system32\ibudu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUonkjj]
vtUonkjj.dll 04/22/2008 02:50 PM 39936 C:\WINDOWS\system32\vtUonkjj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBsrRkj

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=C:\WINDOWS\pss\QuickTV.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^jimmy^start menu^programs^startup^bat - auto update.lnk]
path=C:\Documents and Settings\Jimmy\Start Menu\Programs\Startup\Bat - Auto Update.lnk
backup=C:\WINDOWS\pss\Bat - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jimmy^Start Menu^Programs^Startup^Registration-INSDVD.lnk]
path=C:\Documents and Settings\Jimmy\Start Menu\Programs\Startup\Registration-INSDVD.lnk
backup=C:\WINDOWS\pss\Registration-INSDVD.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonCom]
C:\WINDOWS\VdCap03C\BisonCom

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMon]
C:\WINDOWS\system32\keyrec\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNA]
"C:\Program Files\BitTorrent_DNA\dna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee QuickClean Imonitor]
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvtt]
C:\WINDOWS\system32\gkpaxt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRS Audio Sandbox]
"C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToneThis]
C:\Program Files\ToneThis 3.0\tonethis.exe -autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-04-23 19:43:34 ------------
jimmy2in1 is offline  
Old 04-24-2008, 07:27 PM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Re: 123Messenger/TrojanDownloader.xs/180Solutions/0WebSearch/007Spy/Multiple Viruses

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall webHancer via the Add/Remove Programs panel if found.

Download ATF Cleaner at http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {e398eb5c-361a-4a9b-8850-c291e8fd0769} - C:\WINDOWS\system32\geBsrRkj.dll
O2 - BHO: (no name) - {f50b3f5e-856e-4757-9bb1-b35d46ca7719} - C:\WINDOWS\system32\vtUonkjj.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Jimmy\cftmon.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Jimmy\cftmon.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Jimmy\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O20 - Winlogon Notify: ibudu - C:\WINDOWS\system32\ibudu.dll
O20 - Winlogon Notify: vtUonkjj - C:\WINDOWS\system32\vtUonkjj.dll
O23 - Service: MsSecurity Updated (mssecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe


Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop mssecurity1.209.4
sc delete mssecurity1.209.4
sc stop Schedule
sc delete Schedule
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


Download OTMoveIt2 at http://download.bleepingcomputer.com.../OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
C:\1416442678
C:\d.exe
C:\DOCUME~1\Jimmy\LOCALS~1\Temp\csrssc.exe
C:\Documents and Settings\Jimmy\cftmon.exe
C:\Documents and Settings\LocalService\cftmon.exe
C:\gkpaxt.exe
C:\njhxmjb.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\fkjdfje.sys
C:\WINDOWS\lfn.exe
C:\WINDOWS\mrofinu1645.exe
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\awtrQjGW.dll
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\geBsrRkj.dll
C:\WINDOWS\system32\gkpaxt.exe
C:\WINDOWS\system32\ibudu.dll
C:\WINDOWS\system32\itcoe.sys
C:\WINDOWS\system32\jkRrsBeg.ini2
C:\WINDOWS\system32\vtUonkjj.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\WINDOWS\winself.exe
C:\ygnat.exe
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\Bat
C:\Program Files\webHancer\
C:\Documents and Settings\All Users\Application Data\Ashampoo
C:\Documents and Settings\All Users\Application Data\eboostr
* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Download Malwarebytes' Anti-Malware at http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebyt...are_d5756.html and double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingcomputer.com/comb...o-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.


Last edited by greyknight17 : 04-26-2008 at 04:22 PM.
greyknight17 is offline  
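Added example (my own code, not code from this thread, from HijackThis or from any tool named above): a small Python triage script that reads HijackThis-style entries like the ones greyknight17 lists and flags the patterns an analyst otherwise checks by hand: an extra executable on the UserInit line, orphaned CLSIDs, startup binaries in Temp, profile-root or drivers directories, file names one or two characters away from a real system process (cftmon/ctfmon, spools/spoolsv, csrssc/csrss), policies that disable Task Manager or Regedit, Winlogon Notify packages, and services with no owner. The sample lines are copied from the list above, plus two constructed controls (a benign iTunesHelper entry and an O4 wrapper around the keyrec\ctfmon.exe path from the startupreg dump in the first post). The system-binary name list and the expected directories are assumptions for a default Windows XP install, not a complete reference.

```python
"""Triage HijackThis-style persistence entries for the red flags seen in this thread."""
import re
from collections import Counter
from dataclasses import dataclass

# Core Windows XP binaries malware imitates, and where they live on a default
# install (both are assumptions and deliberately short, not exhaustive lists).
SYSTEM_NAMES = {"ctfmon", "spoolsv", "csrss", "svchost", "lsass", "winlogon",
                "explorer", "userinit", "services", "smss"}
EXPECTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Directory patterns in which a startup executable is rarely legitimate.
PATH_RULES = [
    (re.compile(r"\\temp\\[^\\]+$", re.I), "runs from a Temp directory"),
    (re.compile(r"\\documents and settings\\[^\\]+\\[^\\]+$", re.I),
     "sits directly in a user profile root"),
    (re.compile(r"\\system32\\drivers\\[^\\]+\.exe$", re.I),
     "is an .exe in the drivers directory, which should only hold .sys files"),
]
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys)\b", re.I)  # quoted, bare or comma-separated paths

# Lines copied from the HijackThis list in the reply above, plus two constructed
# controls: a benign iTunesHelper entry and an O4 wrapper around keyrec\ctfmon.exe.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {e398eb5c-361a-4a9b-8850-c291e8fd0769} - C:\WINDOWS\system32\geBsrRkj.dll
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Jimmy\cftmon.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Jimmy\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\system32\keyrec\ctfmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O20 - Winlogon Notify: ibudu - C:\WINDOWS\system32\ibudu.dll
O23 - Service: MsSecurity Updated (mssecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
"""

@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str
    reason: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character name forgeries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(stem: str):
    """Return the system binary name that `stem` imitates, or None."""
    if stem in SYSTEM_NAMES or len(stem) < 5:
        return None
    return next((n for n in SYSTEM_NAMES if edit_distance(stem, n) <= 2), None)

def check_path(path: str, line: str):
    """Path-based heuristics for one binary referenced by an entry."""
    directory, _, filename = path.lower().rpartition("\\")
    stem = filename.split(".")[0]
    for pattern, why in PATH_RULES:
        if pattern.search(path):
            yield Finding("high", line, f"{filename} {why}")
    if stem in SYSTEM_NAMES and directory not in EXPECTED_SYSTEM_DIRS:
        yield Finding("high", line, f"{filename} is outside its normal directory ({directory})")
    target = lookalike(stem)
    if target:
        yield Finding("high", line, f"{filename} mimics the system binary {target}.exe")

def triage(log_text: str):
    """Return a Finding for every red flag in the HijackThis lines of `log_text`."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        kind = line.split(" - ", 1)[0]  # "F2", "O2", "O4", ...
        if kind in ("O2", "O3") and "(no file)" in line:
            findings.append(Finding("low", line, "orphaned CLSID with no backing file; safe to remove"))
        elif kind in ("O2", "O3") and "(no name)" in line:
            findings.append(Finding("medium", line, "unnamed BHO/toolbar backed by a DLL; verify its publisher"))
        elif kind == "F2" and "UserInit=" in line:
            exes = [p for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
            if len(exes) > 1:  # only userinit.exe belongs here; anything after it runs at logon
                findings.append(Finding("high", line, "extra UserInit executable(s): " + ", ".join(exes[1:])))
        elif kind == "O7" and re.search(r"Disable(TaskMgr|Regedit)=1", line):
            findings.append(Finding("high", line, "policy disables Task Manager or Regedit"))
        elif kind == "O20":
            findings.append(Finding("medium", line, "Winlogon Notify DLL loads into winlogon.exe at every logon"))
        elif kind == "O23" and "Unknown owner" in line:
            findings.append(Finding("medium", line, "service with no registered owner or publisher"))
        for path in PATH_RE.findall(line):
            findings.extend(check_path(path, line))
    return findings

def summarize(findings):
    """Count findings per severity, e.g. {'high': 9, 'medium': 3, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Running the script prints one line per flag and a per-severity count; on the sample above the two lookalike entries (cftmon.exe, csrssc.exe) each get two flags, one for the directory and one for the name, while the iTunesHelper control gets none. The heuristics are triage aids that point the analyst at what to verify (publisher, signature, file on disk), not verdicts; an entry with zero flags, like the geBsrRkj.dll BHO that only earns a "verify" note, can still be malicious.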
Old 04-26-2008, 09:02 AM   #3 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 17
OS: WinXP


Re: 123Messenger/TrojanDownloader.xs/180Solutions/0WebSearch/007Spy/Multiple Viruses

I wasn't able to uninstall webHancer via Add/Remove Programs, because it wouldn't let me into the Add/Remove Programs list at first. I was, however, able to get into it after I ran Malwarebytes' Anti-Malware, but webHancer was not in the list at that time.
I ran the ATF Cleaner. I was able to perform the function without any problems.

Ran HijackThis, and tried to fix the errors. It would not fix this item:
O10 - Broken Internet access because of LSP provider 'C:\Program Files\webHancer\Programs\webhdll.dll
which I'm guessing is why I still can't go online (currently using my roommate's computer). It told me I would be able to fix it through Spybot S&D, and I tried that, but Spybot wouldn't let me check for problems because it was saying: "You need to install the detection updates first by using the integrated update or the manual updater."

I created the "delete.bat" file, ran it, and it seemed like there were no problems.

Ran OTMoveIt2; after pressing the red MoveIt! button, a lot of "Bad Image" alerts popped up.

C:\1416442678 moved successfully.
C:\d.exe moved successfully.
File/Folder C:\DOCUME~1\Jimmy\LOCALS~1\Temp\csrssc.exe not found.
C:\Documents and Settings\Jimmy\cftmon.exe moved successfully.
C:\Documents and Settings\LocalService\cftmon.exe moved successfully.
C:\gkpaxt.exe moved successfully.
C:\njhxmjb.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search.dll NOT unregistered.
C:\WINDOWS\2020search.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\2020search2.dll
C:\WINDOWS\2020search2.dll NOT unregistered.
C:\WINDOWS\2020search2.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\apphelp32.dll
C:\WINDOWS\apphelp32.dll NOT unregistered.
C:\WINDOWS\apphelp32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\asferror32.dll
C:\WINDOWS\asferror32.dll NOT unregistered.
C:\WINDOWS\asferror32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\asycfilt32.dll NOT unregistered.
C:\WINDOWS\asycfilt32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\athprxy32.dll
C:\WINDOWS\athprxy32.dll NOT unregistered.
C:\WINDOWS\athprxy32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvaa32.dll NOT unregistered.
C:\WINDOWS\ati2dvaa32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\audiosrv32.dll NOT unregistered.
C:\WINDOWS\audiosrv32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\autodisc32.dll
C:\WINDOWS\autodisc32.dll NOT unregistered.
C:\WINDOWS\autodisc32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\avifile32.dll
C:\WINDOWS\avifile32.dll NOT unregistered.
C:\WINDOWS\avifile32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\avisynthex32.dll NOT unregistered.
C:\WINDOWS\avisynthex32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\aviwrap32.dll NOT unregistered.
C:\WINDOWS\aviwrap32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\bjam.dll
C:\WINDOWS\bjam.dll NOT unregistered.
C:\WINDOWS\bjam.dll moved successfully.
C:\WINDOWS\bokja.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\browserad.dll
C:\WINDOWS\browserad.dll NOT unregistered.
C:\WINDOWS\browserad.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cdsm32.dll NOT unregistered.
C:\WINDOWS\cdsm32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\changeurl_30.dll NOT unregistered.
C:\WINDOWS\changeurl_30.dll moved successfully.
File move failed. C:\WINDOWS\fkjdfje.sys scheduled to be moved on reboot.
C:\WINDOWS\lfn.exe moved successfully.
C:\WINDOWS\mrofinu1645.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msa64chk.dll NOT unregistered.
C:\WINDOWS\msa64chk.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\msapasrc.dll
C:\WINDOWS\msapasrc.dll NOT unregistered.
C:\WINDOWS\msapasrc.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\mspphe.dll
C:\WINDOWS\mspphe.dll NOT unregistered.
C:\WINDOWS\mspphe.dll moved successfully.
C:\WINDOWS\mssvr.exe moved successfully.
C:\WINDOWS\ntnut.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\saiemod.dll
C:\WINDOWS\saiemod.dll NOT unregistered.
C:\WINDOWS\saiemod.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpe.dll NOT unregistered.
C:\WINDOWS\shdocpe.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\shdocpl.dll
C:\WINDOWS\shdocpl.dll NOT unregistered.
C:\WINDOWS\shdocpl.dll moved successfully.
C:\WINDOWS\stcloader.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\swin32.dll
C:\WINDOWS\swin32.dll NOT unregistered.
C:\WINDOWS\swin32.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\awtrQjGW.dll
C:\WINDOWS\system32\awtrQjGW.dll NOT unregistered.
C:\WINDOWS\system32\awtrQjGW.dll moved successfully.
File/Folder C:\WINDOWS\system32\drivers\spools.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\geBsrRkj.dll
C:\WINDOWS\system32\geBsrRkj.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\geBsrRkj.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\gkpaxt.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ibudu.dll
C:\WINDOWS\system32\ibudu.dll NOT unregistered.
C:\WINDOWS\system32\ibudu.dll moved successfully.
C:\WINDOWS\system32\itcoe.sys moved successfully.
C:\WINDOWS\system32\jkRrsBeg.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vtUonkjj.dll
C:\WINDOWS\system32\vtUonkjj.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\vtUonkjj.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\winfrun32.bin moved successfully.
C:\WINDOWS\system32\wmsdkns.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\voiceip.dll
C:\WINDOWS\voiceip.dll NOT unregistered.
C:\WINDOWS\voiceip.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\winsb.dll
C:\WINDOWS\winsb.dll NOT unregistered.
C:\WINDOWS\winsb.dll moved successfully.
C:\WINDOWS\winself.exe moved successfully.
C:\ygnat.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer moved successfully.
C:\Documents and Settings\All Users\Application Data\Rabio moved successfully.
C:\Program Files\Bat moved successfully.
Folder C:\Program Files\webHancer\ not found.
C:\Documents and Settings\All Users\Application Data\Ashampoo\Ashampoo UnInstaller 3 moved successfully.
C:\Documents and Settings\All Users\Application Data\Ashampoo moved successfully.
C:\Documents and Settings\All Users\Application Data\eboostr moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04252008_132616

Files moved on Reboot...
File move failed. C:\WINDOWS\fkjdfje.sys scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\geBsrRkj.dll
C:\WINDOWS\system32\geBsrRkj.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\geBsrRkj.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vtUonkjj.dll
C:\WINDOWS\system32\vtUonkjj.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\vtUonkjj.dll scheduled to be moved on reboot.

-------------------------------------
And finally I ran MBAM.

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 331723
Time elapsed: 2 hour(s), 49 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 31
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geBsrRkj.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9823985d-83e3-44ce-9117-1cde34f85625} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9823985d-83e3-44ce-9117-1cde34f85625} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebsrrkj -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\geBsrRkj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jkRrsBeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkRrsBeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99CC7639-5853-44CB-8303-55CF052E120E}\RP684\A0422649.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99CC7639-5853-44CB-8303-55CF052E120E}\RP684\A0423652.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99CC7639-5853-44CB-8303-55CF052E120E}\RP684\A0424646.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99CC7639-5853-44CB-8303-55CF052E120E}\RP684\A0424648.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99CC7639-5853-44CB-8303-55CF052E120E}\RP684\A0424649.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99CC7639-5853-44CB-8303-55CF052E120E}\RP684\A0424656.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99CC7639-5853-44CB-8303-55CF052E120E}\RP684\A0424667.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\04252008_132616\Program Files\Bat\Bat.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\04252008_132616\Program Files\Bat\Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\04252008_132616\Program Files\Bat\un_BatSetup_15041.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\04252008_132616\Program Files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Desktop\Install WinAntiVirus Pro 2006 .lnk (Rogue.Link) -> Quarantined and deleted successfully.
jimmy2in1 is offline  
Old 04-26-2008, 09:47 AM   #4 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 17
OS: WinXP


Re: 123Messenger/TrojanDownloader.xs/180Solutions/0WebSearch/007Spy/Multiple Viruses

Update:
After the last log I posted, I ran ComboFix, and now my internet is working, although it's not showing any images on any of the webpages. I'm gonna wait for your reply before I go on any site where I gotta put my important information in.
jimmy2in1 is offline  
Old 04-26-2008, 04:27 PM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Re: 123Messenger/TrojanDownloader.xs/180Solutions/0WebSearch/007Spy/Multiple Viruses

It was a mistake on my part to fix that entry in HijackThis. Do this instead to see if it's still there:

Download LSPFix from http://www.greyknight17.com/spy/LSPFix.exe and run it. Check the box that says I know what I'm doing. Click on webhdll.dll in the left window and then click on the arrow pointing to the right. Click Finish and follow the prompts.

Where's the combofix log? It should be in C:\ComboFix.txt

greyknight17 is offline  
Old 04-27-2008, 08:08 AM   #6 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 17
OS: WinXP


Re: 123Messenger/TrojanDownloader.xs/180Solutions/0WebSearch/007Spy/Multiple Viruses

Sorry about the ComboFix log; I guess I thought you said that, in case I had problems with the MBAM disinfection process, I should run ComboFix.

I ran LSPFix, but there was no webhdll.dll. I did get my internet up and running normally again, though.

-----------------------------------
ComboFix 08-04-24.1 - Jimmy 2008-04-26 9:13:11.2 - NTFSx86
Running from: C:\Documents and Settings\Jimmy\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\default.htm
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\vtUonkjj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-25 13:43 . 2008-04-25 13:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 13:43 . 2008-04-25 13:43 <DIR> d-------- C:\Documents and Settings\Jimmy\Application Data\Malwarebytes
2008-04-25 13:43 . 2008-04-25 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 13:26 . 2008-04-25 13:26 <DIR> d-------- C:\_OTMoveIt
2008-04-22 17:35 . 2008-04-22 17:39 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-22 17:35 . 2008-04-23 07:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-22 17:25 . 2008-04-22 17:24 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-22 17:25 . 2008-04-22 17:25 2,549 --a------ C:\WINDOWS\unins000.dat
2008-04-22 17:15 . 2008-04-22 17:15 <DIR> d-------- C:\Deckard
2008-04-22 15:42 . 2008-04-22 15:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\MEGAUPLOADTOOLBAR
2008-04-22 15:41 . 2008-04-22 15:41 138 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-22 15:41 . 2008-04-23 16:35 33 -r-hs---- C:\WINDOWS\muotr.so
2008-04-22 15:41 . 2008-04-25 13:31 4 -r-hs---- C:\WINDOWS\megavid.cdt
2008-04-22 15:40 . 2008-04-22 15:40 67,506 --a------ C:\WINDOWS\fkjdfje.sys
2008-04-22 13:54 . 2008-04-22 14:25 <DIR> d-------- C:\Program Files\Driver PLL
2008-04-10 03:29 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-10 03:29 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-04-10 03:28 . 2008-04-26 04:22 <DIR> d-------- C:\Program Files\Game Elements
2008-04-10 03:28 . 2006-02-08 13:41 176,128 --a------ C:\WINDOWS\system32\GGE910cp.dll
2008-04-10 03:28 . 2005-12-27 13:50 40,960 --a------ C:\WINDOWS\system32\xpadfrc.dll
2008-04-06 10:29 . 2008-04-06 10:29 <DIR> d-------- C:\Program Files\Rockstar Games
2008-04-04 22:25 . 2008-04-04 22:25 <DIR> d-------- C:\Documents and Settings\Jimmy\Application Data\CyberLink
2008-04-04 22:25 . 2008-04-07 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-04 22:20 . 2008-04-04 22:20 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-04-04 22:19 . 2008-04-04 22:19 <DIR> d-------- C:\Program Files\CyberLink
2008-04-04 22:18 . 2008-04-04 22:17 29,480 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-03 15:43 . 2008-04-03 15:43 <DIR> d-------- C:\Program Files\WizardWorks
2008-03-31 19:48 . 2008-04-02 14:38 <DIR> d-------- C:\Documents and Settings\Jimmy\Application Data\Off Road
2008-03-31 19:39 . 2008-03-31 19:39 <DIR> d-------- C:\Program Files\Xplosiv
2008-03-31 19:34 . 2008-03-31 19:35 <DIR> d-------- C:\Program Files\MagicDisc
2008-03-31 19:34 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-03-28 10:56 . 2007-04-16 08:52 984,576 --a------ C:\WINDOWS\system32\Ole32drv.DLL
2008-03-28 10:56 . 2008-04-04 15:15 40 --a------ C:\WINDOWS\iltwain.ini
2008-03-28 10:55 . 2008-03-28 11:37 <DIR> d-------- C:\Program Files\EzGenerator3
2008-03-26 15:11 . 2008-04-21 10:02 <DIR> d-------- C:\Documents and Settings\Jimmy\Application Data\Stamps.com Internet Postage
2008-03-26 15:09 . 2008-04-26 04:28 <DIR> d-------- C:\Program Files\Stamps.com Internet Postage
2008-03-26 15:09 . 2008-04-21 10:02 36 --ah----- C:\WINDOWS\system32\f9t.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 16:17 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-26 16:09 --------- d-----w C:\Documents and Settings\Jimmy\Application Data\MegauploadToolbar
2008-04-26 12:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-26 12:22 --------- d-----w C:\Documents and Settings\Guest\Application Data\MEGAUPLOADTOOLBAR
2008-04-25 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-24 17:15 --------- d-----w C:\Documents and Settings\Jimmy\Application Data\Vso
2008-04-23 14:49 --------- d-----w C:\Program Files\EndItAll
2008-04-23 13:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-23 01:04 1,130 ----a-w C:\sccfg.sys
2008-04-22 21:53 --------- d-----w C:\Documents and Settings\Jimmy\Application Data\uTorrent
2008-04-18 17:21 --------- d-----w C:\Program Files\ Firefox
2008-04-09 00:01 --------- d-----w C:\Documents and Settings\Erica\Application Data\MEGAUPLOADTOOLBAR
2008-04-08 23:48 --------- d-----w C:\Documents and Settings\Erica\Application Data\LimeWire
2008-03-27 18:20 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-25 06:15 --------- d-----w C:\Program Files\Google
2008-03-24 17:51 --------- d-----w C:\Program Files\Xvid
2008-03-22 20:22 --------- d-----w C:\Program Files\Schillergames.Real.Desktop.v1.32a-DVT
2008-03-22 20:22 --------- d-----w C:\Program Files\Real Desktop
2008-03-21 17:36 --------- d-----w C:\Program Files\BestGameEver
2008-03-21 17:08 --------- d-----w C:\Program Files\MagicISO
2008-03-21 15:57 --------- d-----w C:\Documents and Settings\Jimmy\Application Data\Real Desktop
2008-03-11 06:37 --------- d-----w C:\Documents and Settings\Jimmy\Application Data\Move Networks
2008-03-01 21:37 --------- d-----w C:\Program Files\VSO
2008-02-27 20:03 --------- d-----w C:\Program Files\Personal Voice Changer Driver
2008-02-27 10:29 --------- d-----w C:\Program Files\Fake Voice
2008-02-26 01:21 --------- d-----w C:\Program Files\Quicken
2008-02-26 01:20 --------- d-----w C:\Program Files\Common Files\AnswerWorks 5.0
2008-02-03 22:00 3,532 ----a-w C:\drmHeader.bin
2008-02-02 19:02 123,768 ----a-w C:\Documents and Settings\Jimmy\Application Data\GDIPFONTCACHEV1.DAT
2007-06-07 02:24 47,360 -c--a-w C:\Documents and Settings\Jimmy\Application Data\pcouffin.sys
2007-03-09 07:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2006-10-15 21:41 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012006101520061016\index.dat
.

------- Sigcheck -------
