You're infected again.
combofix log please.
After I did system restore, I ran the OTMoveIt and then rebooted. No problem. I then ran the F-Secure and then tried to reboot. Took at least an hour to start up. Task manager indicated Winlogon.exe at 98-100% CPU. I made a report before I did system restore:
Scanning Report
Monday, November 05, 2007 17:59:55 - 20:18:45
Computer name: FAMILY
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
--------------------------------------------------------------------------------
Result: 19 malware found
SpamTool.Win32.Agent.bk (virus)
C:\WINDOWS\SYSTEM32\APPCERT\PRX66B.DLL (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
Trojan-Clicker.Win32.Agent.mk (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP29\A0006831.DLL (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\ILSK(2).DLL (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.dng (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP29\A0006832.DLL (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\APPCERT\WNL32.DLL (Renamed & Submitted)
Trojan.Win32.Obfuscated.iz (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP29\A0006830.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\ICF.EXE (Renamed & Submitted)
W32/Adload.gen3 (virus)
C:\GETTER.EXE (Submitted)
W32/BHO.QG (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP29\A0006782.EXE (Submitted)
C:\WINDOWS\SYSTEM32\P1H87D1FDMKC.EXE (Submitted)
W32/DLoader.ANVE (virus)
C:\PROGRAM FILES\ALTPAYMENTS\ALTPAYMENTS.EXE (Submitted)
W32/Zapchast.AQK (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005506.EXE (Submitted)
W32/Zapchast.AQT (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005502.EXE (Submitted)
W32/Zapchast.ARC (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005501.EXE (Submitted)
W32/Zapchast.ARD (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005499.EXE (Submitted)
W32/Zapchast.ARF (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005500.EXE (Submitted)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 30160
System: 4622
Not scanned: 3
Actions:
Disinfected: 1
Renamed: 6
Deleted: 0
None: 12
Submitted: 16
Files not scanned:
C:\PAGEFILE.SYS
C:\HIBERFIL.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-11-05
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0596-150-72
F-Secure Libra: 2.4.2, 2007-11-04
F-Secure Orion: 1.2.37, 2007-11-05
F-Secure Pegasus: 1.19.0, 2007-10-04
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics
--------------------------------------------------------------------------------
So apparently the AVG wasn't the problem and I can redownload it and run it in safe mode, unless you think it's a lost cause and I'm wasting my time. Let me know. Thanks for your time...
Run the ComboFix again.
Download SDFIX and save it to your Desktop.
Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
- In Safe Mode, right click the SDFix.zip folder and choose Extract All,
- Open the extracted folder and double click RunThis.bat to start the script.
- Type Y to begin the script.
- It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- Your system will take longer than normal to restart as the fixtool will be running and removing files.
- When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
new log:
ComboFix 07-11-01.1 - Windows User 2007-11-06 20:07:03.2 - FAT32x86
Running from: C:\Documents and Settings\Windows User\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\lsisrmki.dat
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\drivers\snkwevbj.dat . . . . failed to delete
C:\WINDOWS\system32\ilsk.dll . . . . failed to delete
C:\WINDOWS\system32\ilsk.dll.bak . . . . failed to delete
C:\WINDOWS\system32\msrepl40p.dll . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_FCQWHXIK
-------\LEGACY_FOPN
-------\LEGACY_ICF
-------\LEGACY_NOITTUKV
-------\LEGACY_RUNTIME
-------\fcqwhxik
-------\noittukv
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.
2007-11-04 22:29 <DIR> d-------- C:\VundoFix Backups
2007-11-03 16:26 120,064 --a------ C:\WINDOWS\SYSTEM32\fkyedvcq.dat
2007-11-03 16:26 41,728 --a------ C:\WINDOWS\SYSTEM32\gegwioew.dat
2007-11-03 16:26 36,096 --a------ C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
2007-11-02 09:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 00:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-30 09:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz17r
2007-10-30 09:23 <DIR> d-------- C:\Temp\mZOr
2007-10-27 10:36 <DIR> d-------- C:\WINDOWS\259682D2C528479CBEA06F793E73B99F.TMP
2007-10-24 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-24 17:58 <DIR> dr-h----- C:\$VAULT$.AVG
2007-10-24 17:53 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\AVG7
2007-10-24 17:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-24 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-19 18:45 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2007-10-19 18:45 9,336 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-10-19 18:29 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\BitTorrent
2007-10-19 00:48 <DIR> d-------- C:\Program Files\Photodex Presenter
2007-10-15 23:38 246,545 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2007-10-15 23:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\AppCert
2007-10-15 23:33 82,432 --a------ C:\WINDOWS\SYSTEM32\ilsk.dll
2007-10-15 23:33 81,920 --a------ C:\WINDOWS\SYSTEM32\ILSK(2).DLL
2007-10-15 23:33 18,688 C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
2007-10-15 23:33 16,896 --a------ C:\WINDOWS\SYSTEM32\p1h87d1fdmkc.exe
2007-10-15 23:32 119,552 --a------ C:\WINDOWS\SYSTEM32\msrepl40p.dll
2007-10-15 23:32 107,893 --a------ C:\WINDOWS\SYSTEM32\msrepl40p(2).dll
2007-10-09 00:00 49,664 --a------ C:\WINDOWS\SYSTEM32\ICF.EXE
2007-10-08 09:53 <DIR> d--hs---- C:\FOUND.064
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 05:39 --------- d-----w C:\Documents and Settings\Home\Application Data\acccore
2007-09-18 02:31 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Netscape
2007-09-11 21:00 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Apple
2007-09-02 23:05 32,392 ----a-w C:\Documents and Settings\Windows User\Application Data\GDIPFONTCACHEV1.DAT
2003-11-29 20:37 271 --sh--w C:\Program Files\desktop.ini
2003-11-29 20:37 23,357 ---h--w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((( snapshot@2007-11-02_ 9.47.28.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 21:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\daas_s.dll
+ 2007-05-07 21:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\fsauc.dll
+ 2007-05-07 21:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\fscax.dll
+ 2007-05-07 21:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 21:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 21:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-11-05 03:37:52 118,784 ----a-w C:\WINDOWS\SYSTEM32\AppCert\prx93b.dll
- 2007-11-02 14:44:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2007-11-07 01:14:14 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2007-11-02 14:44:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-07 01:14:14 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-02 14:44:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-07 01:14:14 49,152 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-02 14:37:52 385,024 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat
+ 2007-11-07 01:06:52 385,024 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat
- 2007-11-02 00:16:34 3,496,344 ----a-w C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
+ 2007-11-06 03:26:42 17,592 ----a-w C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB0138-A7B2-4B4B-B690-085B77BED5AA}]
C:\WINDOWS\System32\tustq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC}]
2003-07-16 20:36 119552 --a------ C:\WINDOWS\System32\msrepl40p.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD5F8D-7716-453D-B69D-F5062FC26681}]
2007-10-27 01:14 82432 --a------ c:\windows\system32\ilsk.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2003-08-21 18:10]
"HostManager"="C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe" [2007-04-12 17:23]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 15:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hpghulnk]
ilsk.dll 2007-10-27 01:14 82432 C:\WINDOWS\SYSTEM32\ilsk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOWS\System32\srrst
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware InterCom.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MySoftware InterCom.lnk
backup=C:\WINDOWS\pss\MySoftware InterCom.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^w32.exe]
path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\w32.exe
backup=C:\WINDOWS\pss\w32.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aDs8RWimT]
msrcsp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltPayments]
"C:\Program Files\AltPayments\AltPayments.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
"C:\Program Files\AutoUpdate\AutoUpdate.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
C:\WINDOWS\Belt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\BitTorrent_DNA\dna.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C5OT6]
C:\WINDOWS\renvsyu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
"C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp]
C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
"C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eepaasj]
C:\WINDOWS\System32\kydvsz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\twinlmds.exe CHD003
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\filit]
C:\foobar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fwzcpfbbvjix]
C:\WINDOWS\System32\kydvsz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
rundll32.exe EGDHTML_1030.dll,InstantAccess
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"C:\Program Files\Internet Optimizer\optimize.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
C:\Program Files\ISTsvc\istsvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgn]
C:\WINDOWS\jgn.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kydvsz]
c:\windows\system32\kydvsz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPipe P2P Loader]
"C:\Program Files\p2pnetworks\mpp2pl.exe" /H
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update 64 BIT]
wininit32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]
C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\200543017055_mcinfo.exe /insfin
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mslagent]
C:\WINDOWS\mslagent\mslagent_.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxswkabdbc]
C:\WINDOWS\System32\kydvsz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDrv]
C:\WINDOWS\System32\NDrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
"C:\Program Files\Outerinfo\Outerinfo.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
"C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p1h87d1fdmkc]
C:\WINDOWS\system32\p1h87d1fdmkc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rm3U36O]
msu2disp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
snd332.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sais]
c:\program files\180solutions\sais.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure]
C:\WINDOWS\System32\Ooaqaq.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snd332]
C:\WINDOWS\snd332.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System service76]
C:\WINDOWS\\\etb\\pokapoka76.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
C:\WINDOWS\sysupd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
C:\PROGRA~1\Toolbar\TBPS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
"c:\documents and settings\windows user\local settings\temp\fsg_tmp\ginst_001.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
"C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\version]
C:\WINDOWS\System32\Togkio.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWuRFDf]
C:\WINDOWS\spfkowpu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp"C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winad]
C:\WINDOWS\Web\Wallpaper\winad.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winad Client]
C:\Program Files\Winad Client\Winad.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
"C:\Program Files\WinAntiSpyware 2007\was7.exe" /min
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
C:\winstall.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messenger]
NETSTATT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
c:\program files\zango\zango.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Hidserv"=Hidserv.exe run
R0 noittukv;noittukv;C:\WINDOWS\System32\drivers\snkwevbj.dat
R1 cdudf;cdudf;C:\WINDOWS\System32\drivers\cdudf.sys
R1 cmosa;cmosa;C:\WINDOWS\System32\drivers\cmosa.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 UdfReadr;UdfReadr;C:\WINDOWS\System32\drivers\UdfReadr.sys
R2 fcqwhxik;Keyboard HID Support;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 HPFECP15;HPFECP15;C:\WINDOWS\System32\drivers\HPFECP15.SYS
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys
S4 InstallTest;InstallTest;"C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe" /test
S4 Metric Conversion Calculator Installer;Metric Conversion Calculator Installer;"C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE" /update
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
"C:\WINDOWS\System32\rundll32.exe" "C:\PROGRA~1\MESSEN~1\msgsc.dll",ShowIconsUser
.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-11-07 00:43:34 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-11-07 01:15:36 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (FAMILY-Windows User).job"
"2007-11-07 01:09:42 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Windows User).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-11-06 07:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2007-11-02 19:51:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-07 01:17:02 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Home).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-11-07 01:09:02 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Michael).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 20:16:04
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-06 20:17:35 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-03 16:25
C:\ComboFix3.txt ... 2007-11-02 09:48
.
--- E O F ---
I'm now going to try some of your other suggestions. I'll be back...
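One way to triage a pair of logs like the two above, as an added defender-side example that is not part of the original thread and not code from ComboFix, F-Secure or any other tool named here: a Python script that joins the F-Secure detections, the files ComboFix reported it could not delete, and the ComboFix "Reg Loading Points" and driver lines by file path. The sample input is constructed from lines excerpted from the logs in this thread; the location labels, the regular expressions and the rule that a Winlogon Notify DLL is always reported (it is loaded into winlogon.exe at logon, before any user-mode cleaner runs) are my own assumptions, not output of either tool.

```python
import re

# Constructed sample input: lines excerpted from the F-Secure report and the
# ComboFix log posted in this thread, embedded so the script runs offline.
FSECURE_REPORT = r"""
Trojan-Clicker.Win32.Agent.mk (virus)
C:\WINDOWS\SYSTEM32\ILSK(2).DLL (Renamed & Submitted)
Trojan.Win32.Obfuscated.iz (virus)
C:\WINDOWS\SYSTEM32\ICF.EXE (Renamed & Submitted)
W32/BHO.QG (virus)
C:\WINDOWS\SYSTEM32\P1H87D1FDMKC.EXE (Submitted)
"""

COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\drivers\snkwevbj.dat . . . . failed to delete
C:\WINDOWS\system32\ilsk.dll . . . . failed to delete
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD5F8D-7716-453D-B69D-F5062FC26681}]
2007-10-27 01:14 82432 --a------ c:\windows\system32\ilsk.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hpghulnk]
ilsk.dll 2007-10-27 01:14 82432 C:\WINDOWS\SYSTEM32\ilsk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p1h87d1fdmkc]
C:\WINDOWS\system32\p1h87d1fdmkc.exe
R0 noittukv;noittukv;C:\WINDOWS\System32\drivers\snkwevbj.dat
"""

# A Windows path ending in one of the extensions that occur in these logs.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:dll|exe|dat|sys)\b', re.IGNORECASE)
# F-Secure prints the detection name on its own line, then the file(s) under it.
DETECTION_RE = re.compile(r'^(\S+) \((?:virus|spyware)\)$')
# ComboFix driver/service lines look like "R0 name;display name;path".
SERVICE_RE = re.compile(r'^[RS][0-4] ([^;]+);')


def classify_location(key):
    """Label a ComboFix registry key by what loads the referenced file (my own labels)."""
    k = key.lower()
    if 'browser helper objects' in k:
        return 'BHO (loaded into every Internet Explorer process)'
    if 'winlogon\\notify' in k:
        return 'Winlogon Notify package (loaded into winlogon.exe at logon)'
    if k.endswith('\\run]'):
        return 'Run key (started at logon)'
    if 'msconfig\\startup' in k:
        return 'msconfig-disabled startup item (not currently running)'
    return 'other registry location'


def parse_fsecure(text):
    """Map each flagged path (lower-cased) to the detection name printed above it."""
    detections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = DETECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        p = PATH_RE.search(line)
        if p and current:
            detections[p.group(0).lower()] = current
    return detections


def parse_combofix(text):
    """Return (failed_deletes, autostarts): paths ComboFix could not remove, and
    (location label, path) pairs from the loading-points and driver lines."""
    failed, autostarts, location = set(), [], None
    for line in text.splitlines():
        line = line.strip()
        p = PATH_RE.search(line)
        if 'failed to delete' in line:
            if p:
                failed.add(p.group(0).lower())
        elif line.startswith('[') and line.endswith(']'):
            location = classify_location(line)     # a new registry key begins
        elif SERVICE_RE.match(line):
            if p:
                name = SERVICE_RE.match(line).group(1)
                autostarts.append((f'kernel driver/service "{name}"', p.group(0).lower()))
        elif p and location:
            autostarts.append((location, p.group(0).lower()))
    return failed, autostarts


def correlate(detections, failed, autostarts):
    """Join the sources by path. A file the scanner flagged, or that ComboFix could
    not delete, that is also wired into an autostart location is the priority
    finding; a Winlogon Notify DLL is reported even without a detection."""
    findings = {}
    for location, path in autostarts:
        flagged = path in detections or path in failed
        if flagged or location.startswith('Winlogon Notify'):
            entry = findings.setdefault(path, {'detection': detections.get(path),
                                               'failed_delete': path in failed,
                                               'locations': []})
            entry['locations'].append(location)
    return findings


if __name__ == '__main__':
    det = parse_fsecure(FSECURE_REPORT)
    failed, auto = parse_combofix(COMBOFIX_LOG)
    for path, info in correlate(det, failed, auto).items():
        print(path)
        print('  detection:', info['detection'] or 'none in this report')
        print('  ComboFix failed to delete:', info['failed_delete'])
        for loc in info['locations']:
            print('  loaded via:', loc)
```

On the sample input the script reports ilsk.dll twice over (BHO and Winlogon Notify, and ComboFix could not delete it), p1h87d1fdmkc.exe (flagged by F-Secure, but only in an msconfig-disabled entry), and the snkwevbj.dat driver (undeletable and registered as a boot-start service). Matching is by full lower-cased path, so ILSK(2).DLL and ilsk.dll are correctly treated as two different files; for a real log you would paste the full sections in place of the excerpts.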
OK, here is the deal: this is the most infected computer I've ever seen, and it may not be worth trying to fix. I will try one more time, and if that does not work you need to reformat and reinstall. Sorry, but like I said, very infected.
Download SDFIX and save it to your Desktop.
Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
- In Safe Mode, right click the SDFix.zip folder and choose Extract All,
- Open the extracted folder and double click RunThis.bat to start the script.
- Type Y to begin the script.
- It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- Your system will take longer than normal to restart as the fixtool will be running and removing files.
- When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.
1. Please download The Avenger by Swandog46 to your Desktop.
- Click on Avenger.zip to open the file
- Extract avenger.exe to your desktop
2. Copy all the text contained in the quote box below(not the word quote) to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
C:\WINDOWS\system32\ilsk.dll
C:\WINDOWS\system32\ilsk.dll.bak
C:\WINDOWS\system32\msrepl40p.dll
C:\WINDOWS\SYSTEM32\ILSK(2).DLL
C:\WINDOWS\SYSTEM32\p1h87d1fdmkc.exe
C:\WINDOWS\SYSTEM32\msrepl40p.dll
C:\WINDOWS\SYSTEM32\msrepl40p(2).dll
C:\WINDOWS\SYSTEM32\ICF.EXE
C:\FOUND.064
C:\WINDOWS\SYSTEM32\fkyedvcq.dat
C:\WINDOWS\SYSTEM32\gegwioew.dat
C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
C:\WINDOWS\259682D2C528479CBEA06F793E73B99F.TMP
Driver to unload:
C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Paste the text copied to clipboard into this window by pressing (Ctrl+V).
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
- It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop; this is normal.
- After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
Open Notepad and copy/paste the text in the quote box below into it (not the word quote):
Folder::
C:\WINDOWS\SYSTEM32\Mz17r
C:\Temp\mZOr
C:\Program Files\Ebates_MoeMoneyMaker
C:\Program Files\Internet Optimizer
C:\Program Files\ISTsvc
C:\Program Files\Outerinfo
c:\program files\180solutions
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\PROGRA~1\Toolbar
C:\Program Files\Viewpoint
C:\Program Files\WebSavingsfromEbates
C:\Program Files\Winad Client
C:\PROGRA~1\COMMON~1\WinTools
c:\program files\zango
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB0138-A7B2-4B4B-B690-085B77BED5AA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD5F8D-7716-453D-B69D-F5062FC26681}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hpghulnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^Think-Adz.lnk]
path=-
backup=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^w32.exe]
path=-
backup=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aDs8RWimT]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltPayments]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C5OT6]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eepaasj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fwzcpfbbvjix]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kydvsz]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPipe P2P Loader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update 64 BIT]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxswkabdbc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDrv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p1h87d1fdmkc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rm3U36O]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sais]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snd332]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System service76]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\version]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWuRFDf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winad]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winad Client]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
Save this as CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
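The two scripts the helper posts above share a simple line-oriented shape: a section header (Avenger's "Files to delete:" / "Driver to unload:", CFScript's "Folder::" / "Registry::") followed by one artifact per line, with CFScript's registry section using .reg-style syntax where `[-key]` deletes a whole key and `name=-` deletes a value. The following is an added example of mine, not code from The Avenger, ComboFix or this thread: a parser that turns either script into a structured record, plus a check that reports which listed paths are still present, which is the verification a responder wants after the reboot. The sample scripts are a constructed subset of the ones in the post; the section-name matching and the `.reg`-style key/value interpretation are my assumptions about the formats, not documented tool behaviour.

```python
import os
import re
from dataclasses import dataclass, field

# Section header of either format: "Files to delete:" (Avenger) or "Folder::" (CFScript).
# Only letters and spaces may precede the colon(s), so "C:\WINDOWS\..." never matches.
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:{1,2}\s*$")
# Registry lines inside a CFScript "Registry::" section (assumed .reg-style semantics).
KEY_DELETE_RE = re.compile(r"^\[-(.+)\]$")     # [-HKLM\...]  -> delete whole key
KEY_OPEN_RE = re.compile(r"^\[(.+)\]$")        # [HKLM\...]   -> following lines act on this key
VALUE_DELETE_RE = re.compile(r"^([^=]+)=-$")   # name=-       -> delete that value


@dataclass
class CleanupScript:
    files: list = field(default_factory=list)       # files and folders to delete
    drivers: list = field(default_factory=list)     # drivers to unload or delete
    reg_keys: list = field(default_factory=list)    # whole registry keys to delete
    reg_values: list = field(default_factory=list)  # (key, value name) pairs to delete
    unknown: list = field(default_factory=list)     # lines the parser could not classify


def parse_cleanup_script(text: str) -> CleanupScript:
    """Classify every non-empty line of an Avenger- or CFScript-style script by section."""
    script = CleanupScript()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            current_key = None
            continue
        if section is None:
            script.unknown.append(line)
        elif "driver" in section:
            script.drivers.append(line)
        elif section.startswith(("file", "folder")):
            script.files.append(line)
        elif section.startswith("registry"):
            if (m := KEY_DELETE_RE.match(line)):
                script.reg_keys.append(m.group(1))
            elif (m := KEY_OPEN_RE.match(line)):
                current_key = m.group(1)
            elif (m := VALUE_DELETE_RE.match(line)) and current_key:
                script.reg_values.append((current_key, m.group(1)))
            else:
                script.unknown.append(line)
        else:
            script.unknown.append(line)
    return script


def remaining_artifacts(script: CleanupScript, exists=os.path.exists) -> list:
    """Paths from the script that still exist after the cleanup run.
    `exists` is injectable so the check can be exercised against a fake filesystem."""
    return [p for p in script.files + script.drivers if exists(p)]


# Constructed subsets of the two scripts in the post above.
SAMPLE_AVENGER = r"""Files to delete:
C:\WINDOWS\system32\ilsk.dll
C:\WINDOWS\SYSTEM32\ICF.EXE
C:\WINDOWS\SYSTEM32\fkyedvcq.dat
Driver to unload:
C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
"""

SAMPLE_CFSCRIPT = r"""Folder::
C:\WINDOWS\SYSTEM32\Mz17r
C:\Temp\mZOr
C:\Program Files\Outerinfo
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB0138-A7B2-4B4B-B690-085B77BED5AA}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^w32.exe]
path=-
backup=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"""

if __name__ == "__main__":
    for name, text in (("Avenger", SAMPLE_AVENGER), ("CFScript", SAMPLE_CFSCRIPT)):
        s = parse_cleanup_script(text)
        print(f"{name}: {len(s.files)} paths, {len(s.drivers)} drivers, "
              f"{len(s.reg_keys)} keys, {len(s.reg_values)} values, {len(s.unknown)} unclassified")
        print("  still present:", remaining_artifacts(s) or "none")
```

Run it after the reboot with the real script text and `remaining_artifacts` tells you which entries the tool did not remove; anything left in `unknown` is a line the script format did not account for and deserves a look before the script is run at all.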
You were right. Computer was not fixable. I'm now writing from a Mac. My first. My 19 y/o talked me into getting one. If you don't have one, I'd highly recommend it. I wanted to get back to you because I really did appreciate your efforts. I'm now using the infected computer as a door stop. Thanks again...