Print Guy 52

For the past few weeks my computers been running very slow. I've had trouble rebooting, it sometimes takes several attempts.

When I type in a website address I'm often re-directed somewhere other than what website I wanted.

Symantec flagged 4 downloaders titled install.exe. It wasn't able to get rid of all of them. This morning, the computer had 19. Once again, all but 1 were removed. There was also 28 csrss.exe. None of those were found today. Don't know if it's actually gone or not though.

Any help with these issues would be appreciated.

Here is my DDS log


DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 8:05:19.08 on Tue 09/15/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1456 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\DOCUME~1\User\LOCALS~1\Temp\login.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\DOCUME~1\User\LOCALS~1\Temp\notepad.exe
C:\DOCUME~1\User\LOCALS~1\Temp\setup.exe
C:\DOCUME~1\User\LOCALS~1\Temp\system.exe
C:\DOCUME~1\User\LOCALS~1\Temp\win.exe
C:\DOCUME~1\User\LOCALS~1\Temp\install.exe
C:\WINDOWS\TEMP\b.exe
C:\WINDOWS\TEMP\c.exe
C:\WINDOWS\system32\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\ktwoum.exe
C:\WINDOWS\TEMP\debug.exe
C:\WINDOWS\TEMP\notepad.exe
C:\WINDOWS\TEMP\install.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Windows System Recover!] c:\docume~1\user\locals~1\temp\install.exe
mRun: [VTPreset] VTPreset.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PCTVOICE] pctspk.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [net] "c:\windows\system32\net.net"
dRun: [PopRock] c:\windows\temp\b.exe
dRun: [Login Software 2009] c:\windows\temp\ktwoum.exe
dRun: [Windows System Recover!] c:\windows\temp\lsass.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ndasde~1.lnk - c:\program files\ndas\system\ndasmgmt.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09FE188B-6E85-479e-9411-51FB2220DF80} - {45AD732C-2CE2-4666-B366-B2214AD57A49} - c:\program files\desktop sidebar\sbhelp.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219213431343
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
STS: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
STS: c:\windows\system32\ygsuhdf83id.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\ygsuhdf83id.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\7c1eqy8y.default\
FF - prefs.js: browser.startup.homepage - nbc.com
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [2008-4-7 140416]
R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2006-6-15 44288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-13 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-13 55024]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-14 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090710.003\naveng.sys [2009-7-10 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090710.003\navex15.sys [2009-7-10 876144]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2006-6-15 61952]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2006-6-15 130560]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-13 7408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

=============== Created Last 30 ================

2009-09-15 08:02 15,000 a------- c:\windows\system32\ygsuhdf83id.dll
2009-09-14 17:59 219 a------- c:\windows\system32\MRT.INI
2009-09-14 17:15 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-03 06:08 20,992 a------- c:\windows\system32\winhelper.dll
2009-09-03 06:08 43,520 a------- c:\windows\system32\drivers\smss.exe
2009-09-03 06:08 53,248 a------- c:\windows\system32\winupdate.exe
2009-09-03 06:08 15,000 a------- c:\windows\system32\tajf83ikdmf.dll
2009-08-21 15:20 9 a------- c:\windows\system32\bennuar.old
2009-08-19 10:18 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-19 03:06 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-19 03:05 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-19 03:05 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-19 03:05 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-19 03:05 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-19 03:05 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-19 03:05 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-19 03:05 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-19 03:05 <DIR> --d----- C:\ff4678c365d3c802357921ccc056ed30

==================== Find3M ====================

2009-09-01 13:21 42,496 a------- c:\windows\system32\sys.dat
2009-08-13 08:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-10 12:39 11,264 a------- c:\windows\braviax.exe
2009-08-10 10:50 1,536 a------- c:\windows\system32\TrueSoft.dat
2009-08-10 05:45 191,179 a------- c:\windows\system32\wisdstr.exe
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 11:32 176,128 a------- c:\windows\svchast.exe
2009-07-18 09:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 09:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 17:37 212,996 a------- c:\windows\system32\msxml71.dll
2009-07-13 17:37 127,488 a------- c:\windows\msa.exe
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 06:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-06-26 09:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 09:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 09:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 09:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 09:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
1998-12-08 22:53 186,368 a------- c:\program files\common files\IRAREG.DLL
1998-12-08 22:53 99,840 a------- c:\program files\common files\IRAABOUT.DLL
1998-12-08 22:53 70,144 a------- c:\program files\common files\IRAMDMTR.DLL
1998-12-08 22:53 48,640 a------- c:\program files\common files\IRALPTTR.DLL
1998-12-08 22:53 31,744 a------- c:\program files\common files\IRAWEBTR.DLL
1998-12-08 22:53 17,920 a------- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 851.31 ===============

Attached Files

Attach.zip (4.6 KB, 2 views)

Ried

Hello Print Guy 52, you are still heavily infected. Hopefully you've used another known clean computer to change all your passwords and login to any financial institutions as outline in our pre-posting topic.

If not, please do so now because one or more of the identified infections is a backdoor trojan/rootkit. This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

=====================================


It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

====================================================


Download ComboFix from one of these locations, but rename it to printguy.exe before saving it to your desktop:

Link 1
Link 2

* IMPORTANT - Save the renamed ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on the renamed combofix.exe & follow the prompts.

• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Print Guy 52

As you requested. Thanks for the help in this situation.


ComboFix 09-09-14.02 - User 09/16/2009 7:49.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1630 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Printguy.exe.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\User\LOCALS~1\Temp\csrss.exe
c:\docume~1\User\LOCALS~1\Temp\lsass.exe
c:\docume~1\User\LOCALS~1\Temp\services.exe
c:\docume~1\User\LOCALS~1\Temp\svchost.exe
c:\docume~1\User\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\User\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\User\Application Data\wiaservg.log
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\tmp\dbsinit.exe
c:\program files\Windows Antivirus Pro\tmp\images\i1.gif
c:\program files\Windows Antivirus Pro\tmp\images\i2.gif
c:\program files\Windows Antivirus Pro\tmp\images\i3.gif
c:\program files\Windows Antivirus Pro\tmp\images\j1.gif
c:\program files\Windows Antivirus Pro\tmp\images\j2.gif
c:\program files\Windows Antivirus Pro\tmp\images\j3.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif
c:\program files\Windows Antivirus Pro\tmp\images\l1.gif
c:\program files\Windows Antivirus Pro\tmp\images\l2.gif
c:\program files\Windows Antivirus Pro\tmp\images\l3.gif
c:\program files\Windows Antivirus Pro\tmp\images\pix.gif
c:\program files\Windows Antivirus Pro\tmp\images\t1.gif
c:\program files\Windows Antivirus Pro\tmp\images\t2.gif
c:\program files\Windows Antivirus Pro\tmp\images\up1.gif
c:\program files\Windows Antivirus Pro\tmp\images\up2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w1.gif
c:\program files\Windows Antivirus Pro\tmp\images\w11.gif
c:\program files\Windows Antivirus Pro\tmp\images\w2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg
c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif
c:\program files\Windows Antivirus Pro\tmp\wispex.html
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
c:\windows\braviax.exe
c:\windows\msa.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\run.log
c:\windows\svchast.exe
c:\windows\system32\bennuar.old
c:\windows\system32\drivers\hjgruixtwmqcph.sys
c:\windows\system32\drivers\smss.exe
c:\windows\system32\hjgruiavipfjti.dat
c:\windows\system32\hjgruiiujelabe.dat
c:\windows\system32\hjgruiopglskfm.dll
c:\windows\system32\hjgruiwdutrwdg.dll
c:\windows\system32\hjgruixnlyexus.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\msxml71.dll
c:\windows\system32\net.net
c:\windows\system32\onhelp.htm
c:\windows\system32\sdra64.exe
c:\windows\system32\sys.bat
c:\windows\system32\sys.dat
c:\windows\system32\sysnet.dat
c:\windows\system32\taJF83ikdmf.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wisdstr.exe
c:\windows\system32\wispex.html
c:\windows\system32\ygsuhdf83id.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruipjigircb
-------\Legacy_hjgruipjigircb


((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-15 00:15 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-03 14:29 . 2009-09-03 14:29 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-08-19 10:06 . 2009-08-19 10:06 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-19 10:06 . 2009-08-19 10:06 -------- d-----w- c:\program files\MSBuild
2009-08-19 10:05 . 2009-08-19 10:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-19 10:05 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-19 10:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-19 10:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-19 10:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-19 10:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-19 10:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-19 10:05 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-19 10:05 . 2009-08-19 10:05 -------- d-----w- C:\ff4678c365d3c802357921ccc056ed30

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 14:10 . 2008-11-18 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-15 15:13 . 2007-12-02 11:30 1536 ----a-w- c:\windows\system32\TrueSoft.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 14:15 . 2007-12-02 07:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-03 13:48 . 2009-08-03 13:48 71 ----a-w- c:\windows\system32\cmpwrap.dat
2009-07-22 01:50 . 2007-12-03 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2004-08-04 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2007-01-15 02:33 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
1998-12-09 05:53 . 1998-12-09 05:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 05:53 . 1998-12-09 05:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 05:53 . 1998-12-09 05:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 05:53 . 1998-12-09 05:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 05:53 . 1998-12-09 05:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 05:53 . 1998-12-09 05:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-23 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"VTPreset"="VTPreset.exe" - c:\windows\system32\VTPreset.exe [2004-02-25 45056]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2003-10-30 180224]

c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2006-6-15 220672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-18 16:20 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"=

R0 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [4/7/2008 9:34 AM 140416]
R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [6/15/2006 12:07 AM 44288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/13/2008 12:43 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/13/2008 12:43 PM 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/14/2009 6:16 PM 102448]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [6/15/2006 12:07 AM 61952]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [6/15/2006 12:07 AM 130560]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/13/2008 12:44 PM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]
.
Contents of the 'Scheduled Tasks' folder

2009-09-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-18 06:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\7c1eqy8y.default\
FF - prefs.js: browser.startup.homepage - nbc.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-net - c:\windows\system32\net.net
SharedTaskScheduler-{BA603215-23F2-42AD-F4E4-00AAC39CAA53} - c:\windows\system32\ygsuhdf83id.dll
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 07:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-09-16 7:59
ComboFix-quarantined-files.txt 2009-09-16 14:59

Pre-Run: 26,915,409,920 bytes free
Post-Run: 26,998,542,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=5 Default=5 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
261 --- E O F --- 2009-09-15 00:59

Ried

Much better.

What we need to do now is run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Print Guy 52

Here's the scan report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, September 17, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 17, 2009 15:09:36
Records in database: 2841042
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
G:\

Scan statistics:
Objects scanned: 65466
Threats found: 21
Infected objects found: 79
Suspicious objects found: 0
Scan duration: 02:10:26


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02CC0000\4AFDCC1A.VBN Infected: Trojan.Win32.Genome.hew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03440000.VBN Infected: Trojan-Downloader.Win32.Agent.abxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03440001.VBN Infected: Trojan-Downloader.Win32.Agent.abxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03440002.VBN Infected: Trojan-Downloader.Win32.Agent.abxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03440003.VBN Infected: Trojan-Downloader.Win32.Agent.abxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03440004.VBN Infected: Trojan.Win32.Agent.aaju 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03440005.VBN Infected: Trojan.Win32.Agent.aaju 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80000.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80001\4BFCD7EC.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80002\4BFCD800.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80003\4BFCE7F8.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80004\4BFCE82F.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80005\4BFCE85B.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80006\4BFCE88B.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80007\4BFCE8C3.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80008\4BFCE8EC.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80009\4BFCE917.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8000A\4BFCE962.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8000B\4BFCE9A9.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8000C\4BFCE9D3.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8000D\4BFCE9EF.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8000E\4BFCEA0A.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8000F\4BFCEA24.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80010\4BFCEA47.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80011\4BFCEA5D.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80012\4BFCEA84.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80013\4BFCEE2F.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80014\4BFCEE99.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80015\4BFCEEC8.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80016\4BFCEEE6.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80017\4BFCEF16.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80018\4BFCEF4F.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80019\4BFCEF76.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8001A\4BFCEFAA.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8001B\4BFCF002.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8001C\4BFCF01D.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8001D\4BFCF031.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8001E\4BFCF044.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8001F\4BFCF058.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80020\4BFCFBCD.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80021\4BFD09DB.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80022\4BFD17EB.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80023\4BFD25FB.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80024\4BFD340B.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80025\4BFD4218.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80026\4BFD502B.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80027\4BFD5E3B.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80028\4BFD6C4B.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E80029\4BFD7A58.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8002A\4BFD886B.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03E8002B\4BFD9678.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C40000.VBN Infected: Trojan-Downloader.Win32.Small.abns 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C40001.VBN Infected: Trojan-Downloader.Win32.Small.abns 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C40002.VBN Infected: Trojan-Downloader.Win32.Small.abns 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C40003.VBN Infected: Trojan-Downloader.Win32.Small.abns 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09D80000\49FDDBE9.VBN Infected: Trojan.Win32.Genome.hew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C100000\4CB4B0D8.VBN Infected: Trojan-Downloader.Win32.Small.abns 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C100001\4CB55EEE.VBN Infected: Trojan-Downloader.Win32.Small.abns 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CB00002\4CBD0918.VBN Infected: Trojan-Downloader.Win32.Agent.abxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CB00003\4CBD092D.VBN Infected: Trojan.Win32.Agent.aaju 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CB00004\4CBD0952.VBN Infected: Trojan.Win32.Agent.aaju 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DA80442\4DFC50D3.VBN Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe.vir Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.iv 1
C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir Infected: Packed.Win32.Krap.t 1
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Infected: Trojan.Win32.FraudPack.pmn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hjgruixtwmqcph.sys.vir Infected: Trojan.Win32.TDSS.amep 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiopglskfm.dll.vir Infected: Trojan.Win32.Tdss.anex 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiwdutrwdg.dll.vir Infected: Trojan.Win32.Agent.crez 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruixnlyexus.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml71.dll.vir Infected: Trojan.Win32.FraudPack.psl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir Infected: Trojan-Clicker.Win32.VBiframe.rt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sys.dat.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.wpr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir Infected: not-a-virus:FraudTool.Win32.AdvancedAntivirus.ip 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fkg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fem 1
C:\WINDOWS\system32\mzapnzjnedd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.wog 1
C:\WINDOWS\system32\windowsa1.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.wpa 1
C:\WINDOWS\system32\windowsf4.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.wpo 1
C:\WINDOWS\system32\windowsx1.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.wpr 1

Selected area has been scanned.

Ried

Using 'My Computer', navigate to and delete the following Files (right click and select delete):

C:\WINDOWS\system32\mzapnzjnedd.dll
C:\WINDOWS\system32\windowsa1.dll
C:\WINDOWS\system32\windowsf4.dll
C:\WINDOWS\system32\windowsx1.dll

=====================================

The remainder of Kaspersky's findings are backups created during the course of this fix. We'll clear those out now if there aren't any more problems.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

• Green to go
• Yellow for caution
• Red to stop

WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

• It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

- Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

- Most importantly, Think Prevention

-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.

Print Guy 52

Thank you very much, I can get into the task manager now so that's a good thing. I'll let you know if anything else seems out of the ordinary.

Ried

Okay.