cant get HJT to run
-
hey guys I am trying to fix my girlfriend's laptop for her but can't get HJT to run. She has XP on her computer and is infected with xp antispyware and advanced defender, among others. I'm trying to keep her offline; going online is nearly impossible anyway, so I am trying to move everything I need over on a flash drive. I can't run executable files or Task Manager. Safe Mode has worked every once in a while, but to no avail lately (I just get a blue screen and it restarts). Any help would be appreciated; I really need a jumping-off point.
-
Download the following three programs on a good computer, move them to the bad computer and run them in the very same sequence...
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe
* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, try to immediately run the following.
Now download and Run exeHelper.
* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com.
* Attach the log.txt file to your next message.
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
Thanks for the help broni. When I try to run the fixes it seems like I have a very small window to do so. After the computer logs me in, the desktop becomes blue. This happens after maybe a minute or less has passed, and once this happens I can still open files, but they only flash up for a split second and then go away. I have gotten rkill to run up to the point where it says something like "terminating known malware processes". I can still navigate through my computer files just fine. Most visible spyware is gone once the desktop "resets", except for a little popup from advanced defender which warns me that whatever I am trying to run (rkill, exehelper, combofix, etc.) is infected with a worm. Here is what my (probably incomplete) exeHelper log looked like.
exeHelper by Raktor
Build 20091220
Run at 00:49:07 on 02/16/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Killed process msa.exe
Checking for bad files...
Deleting file C:\WINDOWS\system32\41.exe
Error deleting C:\WINDOWS\system32\41.exe - Set for removal on reboot - PLEASE REBOOT
Deleting file C:\WINDOWS\msa.exe
Deleting file C:\WINDOWS\system32\sdra64.exe
Error deleting C:\WINDOWS\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
As for combofix I get the green bar to load up, but the next screen asking for confirmation only flickers up and disappears.
Again, thank you for the help.
-
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
-
Sorry for the delay broni, but my girlfriend got impatient and took her laptop back. She started running all the programs willy-nilly and somehow got it to a state of usability (hopefully it's not damaged further!). I got her to run HijackThis and message me the log over facebook. (I think that's the reason for the facebook redirects in all the links. Anti-spam measure?)
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:49:06 PM, on 2/21/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.Leaving Facebook... | Facebook)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx.exe
c:\program files\microsoft visual studio\bin\ir41_qcx .exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\program files\microsoft visual studio\bin\ir41_qcx .exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\microsoft office\office12\groovemonitor .exe
c:\program files\java\jre1.6.0_02\bin\jusched .exe
c:\program files\lexmark 3100 series\lxbrbmgr .exe
c:\progra~1\lexmar~1\lxbrksk .exe
c:\program files\common files\pure networks shared\platform\nmctxth .exe
c:\program files\linksys\linksys wireless manager\linksyswirelessmanager .exe
c:\program files\lexmark 3100 series\lxbrbmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Flock\flock\flock.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Leaving Facebook... | Facebook
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Leaving Facebook... | Facebook
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Leaving Facebook... | Facebook
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Leaving Facebook... | Facebook
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Leaving Facebook... | Facebook
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {362d5e76-83be-42e5-9b93-17766c2e9749} - tokivafa.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKLM\..\Run: [Ndaperutewotevig] rundll32.exe "C:\WINDOWS\urexafesujoxumu.dll",Startup
O4 - HKLM\..\Run: [yaruninupo] Rundll32.exe "tijayefe.dll",s
O4 - HKLM\..\Run: [bosinuvak] Rundll32.exe "c:\windows\system32\feyimupa.dll",a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [(ccEvtMgr) ] "C:\program files\microsoft visual studio\bin\ir41_qcx .exe" /set
O4 - HKCU\..\Run: [adobeupdater ] c:\program files\common files\adobe\updater5\adobeupdater .exe
O4 - HKCU\..\Run: [adobeupdater ] c:\program files\common files\adobe\updater5\adobeupdater .exe
O4 - HKCU\..\Run: [adobeupdater ] c:\program files\common files\adobe\updater5\adobeupdater .exe
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc
O4 - HKCU\..\Run: [adobeupdater ] c:\program files\common files\adobe\updater5\adobeupdater .exe
O4 - HKCU\..\Run: [adobeupdater ] c:\program files\common files\adobe\updater5\adobeupdater .exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc (User 'Default user')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Client Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.bu...security10.com
O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.buy-is2010.com
O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.is...e-download.com
O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.is...download25.com
O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.is...t-download.com
O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.bu...security10.com (HKLM)
O15 - Trusted Zone: http://www.facebook.com/l/094dd;*.buy-is2010.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AA541AA-13A9-447A-88A3-7AEFD8D20918}: NameServer = http://www.facebook.com/l/094dd;83.1....1,192.168.0.1 205.171.3.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{20E0C437-AF66-41D2-AE8E-D6341CA1BEF1}: NameServer = http://www.facebook.com/l/094dd;83.149.115.157,4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFDF50BE-5E36-4ACA-908E-0B3B8189F802}: NameServer = http://www.facebook.com/l/094dd;93.1...,93.188.166.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF5E8574-21B3-4F63-94E4-667C1C152AA4}: NameServer = http://www.facebook.com/l/094dd;83.1...,93.188.166.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = http://www.facebook.com/l/094dd;93.1...,93.188.166.93
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: mazakesom - {dc2ed2e4-96d3-4794-8f18-6cd55707722d} - c:\windows\system32\feyimupa.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: tokatiluy - {dc2ed2e4-96d3-4794-8f18-6cd55707722d} - c:\windows\system32\feyimupa.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11306 bytes
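As an added example for this thread (not code from HijackThis, from broni, or from the poster), here is a small Python triage script that scans an HJT log for the hijack patterns visible in the log above: the browser proxy pointed at a loopback listener, the nameless BHO with a missing file, Run entries whose names are padded with whitespace, executables with a space before `.exe`, rundll32 autoruns, Trusted Zone additions and NameServer entries pointing at unrecognised public resolvers. The sample lines are constructed from the log above with the facebook-redirect residue stripped; the resolver allowlist is an assumption.

```python
"""Triage a HijackThis (HJT) log for the hijack patterns seen in the log above.

Added example for this thread; not code from HijackThis or from the poster.
"""
import ipaddress
import re
from dataclasses import dataclass

# Resolvers the analyst treats as known-good. This allowlist is an assumption
# for the example; adjust it to the ISP/corporate resolvers you expect to see.
KNOWN_GOOD_RESOLVERS = {"4.2.2.1", "4.2.2.2", "8.8.8.8", "8.8.4.4"}

# Constructed sample: a handful of lines modelled on the log posted above,
# with the forum's facebook-redirect residue removed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
O2 - BHO: (no name) - {362d5e76-83be-42e5-9b93-17766c2e9749} - tokivafa.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bosinuvak] Rundll32.exe "c:\windows\system32\feyimupa.dll",a
O4 - HKCU\..\Run: [(ccEvtMgr) ] "C:\program files\microsoft visual studio\bin\ir41_qcx .exe" /set
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc
O15 - Trusted Zone: *.buy-is2010.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{20E0C437-AF66-41D2-AE8E-D6341CA1BEF1}: NameServer = 83.149.115.157,4.2.2.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


@dataclass
class Finding:
    kind: str    # short machine-readable tag
    reason: str  # what an analyst should look at and why
    line: str    # the offending HJT line


# "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>.+)$')
PROXY_RE = re.compile(r'^R[01] - .*ProxyServer = (?P<proxy>.+)$')
# rundll32 [quoted] <dll path or bare name> , <export>
RUNDLL_RE = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.I)
# "ir41_qcx .exe": a space before the extension is not a typo, it is a look-alike file.
SPACE_EXT_RE = re.compile(r'\s\.(?:exe|com|scr|pif)\b', re.I)


def _check_o4(m: re.Match, line: str) -> list:
    out = []
    name, cmd = m.group("name"), m.group("cmd")
    if name != name.strip():
        out.append(Finding("run-name-padded",
                           f"Run value name {name!r} is padded with whitespace to sit beside a legitimate entry", line))
    if SPACE_EXT_RE.search(cmd):
        out.append(Finding("space-before-extension",
                           "executable name has a space before its extension (look-alike of a real program)", line))
    r = RUNDLL_RE.match(cmd)
    if r:
        dll = r.group("dll").strip()
        where = "by bare name (resolved via the DLL search path)" if "\\" not in dll else f"from {dll}"
        out.append(Finding("rundll32-autorun", f"rundll32 loads a DLL at logon {where}; verify its publisher", line))
    return out


def _check_o17(m: re.Match, line: str) -> list:
    bad = []
    for server in re.split(r'[ ,]+', m.group("servers").strip()):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            bad.append(server)  # not an IP address at all: worth a look
            continue
        if not ip.is_private and server not in KNOWN_GOOD_RESOLVERS:
            bad.append(server)
    if bad:
        return [Finding("dns-hijack", f"NameServer points at unrecognised public resolver(s): {', '.join(bad)}", line)]
    return []


def _check_proxy(m: re.Match, line: str) -> list:
    proxy = m.group("proxy").strip()
    if re.search(r'127\.0\.0\.1|localhost', proxy, re.I):
        return [Finding("proxy-loopback",
                        f"browser proxy set to a local listener ({proxy}); a process on this host can redirect browsing", line)]
    return []


def triage(log_text: str) -> list:
    """Return one Finding per suspicious indicator found in an HJT log."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if (m := O4_RE.match(line)):
            findings.extend(_check_o4(m, line))
        elif (m := O17_RE.match(line)):
            findings.extend(_check_o17(m, line))
        elif (m := PROXY_RE.match(line)):
            findings.extend(_check_proxy(m, line))
        elif line.startswith("O2 - BHO:") and ("(no name)" in line or "(file missing)" in line):
            findings.append(Finding("bho-suspicious", "Browser Helper Object with no name or a missing file", line))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append(Finding("trusted-zone", "domain added to the IE Trusted Zone; confirm the user added it", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

The legitimate Symantec entries in the sample produce no findings, which is the point: the script narrows a long log down to the lines a helper would ask about.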
-
Print these instructions out.
***VERY IMPORTANT! Make sure you update Malwarebytes before running the scan.***
STEP 1. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 2. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
Alternative downloads:
- |MG| GMER 1.0.15.15281 Download
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
When the scan is completed, click the Save button, and save the results as gmer.log.
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
RESTART COMPUTER
STEP 3.
Post fresh HijackThis log.
NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
Malwarebytes will not run, even after a clean install. The error looks like this.
Unable to execute file
C:/documents...mbam.exe
createprocess failed; code 2
the system cannot find the file specified
It pops up a few times in the installation process.
She also gets a rundll error (missing?) upon startup.
EDIT: I found a workaround for it and will post the information you needed as soon as I can.
Last edited by whoistony; 22-02-2010 at 09:26 PM.
Reason: problem resolved
-
Malwarebytes' Anti-Malware 1.44
Database version: 3777
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
2/22/2010 4:57:08 PM
mbam-log-2010-02-22 (16-57-08).txt
Scan type: Full Scan (C:\|)
Objects scanned: 180801
Time elapsed: 1 hour(s), 30 minute(s), 38 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 25
Registry Values Infected: 24
Registry Data Items Infected: 14
Folders Infected: 0
Files Infected: 191
Memory Processes Infected:
C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx.exe (Malware.Packer.Gen) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\system32\tokivafa.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\sajijade.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\dlgfsvcr.dll (Trojan.Hiloti) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{362d5e76-83be-42e5-9b93-17766c2e9749} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{362d5e76-83be-42e5-9b93-17766c2e9749} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5303591c-b7ec-4404-bdd5-81f2bc4fc5dc} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{218cb45f-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{06f6ea9d-88b0-45a9-9f26-ce0898d9ea1c} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{218cb451-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{218cb453-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{218cb454-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{218cb455-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{218cb456-20b6-11d2-8e17-0000f803a446} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{28e28123-7dc5-45d3-860e-8ee1c3681bd5} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{35edd1cc-1a8c-11d2-b49d-00c04fb90376} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{35edd1cd-1a8c-11d2-b49d-00c04fb90376} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{659ecad8-a5c0-11d2-a440-00c04f795683} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{659ecad9-a5c0-11d2-a440-00c04f795683} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6fd143e6-20a5-11d2-91ad-0000f81fefc9} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{82e11592-20f5-11d2-91ad-0000f81fefc9} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{97c3808a-eca1-4ca6-8d09-122a3cc54b3b} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c9a6a6b6-9bc1-43a5-b06b-e58874eebc96} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cb643558-61cd-42b2-a9a5-496a7884ad61} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f3a614dd-abe0-11d2-a441-00c04f795683} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ff55d627-cf5b-40de-850f-62d20bc241c8} (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\symantec event manager (ccevtmgr) (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bosinuvak (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{5303591c-b7ec-4404-bdd5-81f2bc4fc5dc} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\yilufonis (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfxtray (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hotkeyscmds (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prismsvr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe reader speed launcher (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdater (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdater (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdater (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdater (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdater (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nmctxth (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssc_userprompt (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nav cfgwiz (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\quicktime task (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linksys wireless manager (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msmsgs (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\groovemonitor (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lexmark 3100 series (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaruninupo (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remote system protection (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: dlgfsvcr.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-is2010.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-is2010.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is10-soft-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-Internetsecurity10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-Internetsecurity10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1aa541aa-13a9-447a-88a3-7aefd8d20918}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.157,4.2.2.1,192.168.0.1 205.171.3.25 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20e0c437-af66-41d2-ae8e-d6341ca1bef1}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.157,4.2.2.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{afdf50be-5e36-4aca-908e-0b3b8189f802}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.119,93.188.166.93 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cf5e8574-21b3-4f63-94e4-667c1c152aa4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.119,93.188.166.93 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cf5e8574-21b3-4f63-94e4-667c1c152aa4}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.157,4.2.2.1,93.188.164.119,93.188.166.93 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\tokivafa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bosesufe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\feyimupa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fokivilo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jukabama.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kidohili.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\misahavu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\numagitu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\royotago.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sajijade.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sebaruja.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sobipore.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\dlgfsvcr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\igfxtray.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hkcmd.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prismsvr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\SymNetDrv\sndmon.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Lexmark 3100 Series\lxbrksk.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\cdgxgtxp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\clbwkit.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\mpgmrc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\owhjo.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\scoamk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\viqu.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\wgtqgxch.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\rundll32 .exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\rundll32.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\av.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Adobe\acrotray .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Advanced Defender\advanceddefender .exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Advanced Defender\advanceddefender.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\js.mui.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\wmpscfgs.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\is2010 .exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\is2010.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\app_dll.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dewezuwa.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\helper32.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hkcmd .exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\igfxtray .exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lkmj.bdo.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\onyc.ffo.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\prismsvr .exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\reyahezi.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rvlh9ohz36 .dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32 .exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\t74lfhd9g.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tijayefe.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon32 .exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\wlhdble.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00003021.tmp.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00004713.tmp.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\rundll32.exe.delme301 (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\1536718.old (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\2907281.old (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\3249000.old (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Adobe\Updater5\adobeupdater .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Adobe\Updater5\adobeupdater.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Norton AntiVirus\cfgwiz.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\QuickTime\qttask .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\QuickTime\qttask.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Linksys\Linksys Wireless Manager\linksyswirelessmanager.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Messenger\msmsgs.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Office\Office12\groovemonitor.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Visual Studio\bin\ir41_qcx.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\js.mui (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\app_dll.dll.2891375.old (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hkcmd .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ruvaluno.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\igfxtray .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prismsvr .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe.vir (Malware.Mod) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ECUW01ZR\eH4d42d66dV0100f060006Rfdf63ca4102T06c243ef203l0409Ke5e8cf9a30dP000101080[1] (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PD6385EF\eH4d42d66dV0100f060006Ref8058fc102T06c24572203l0409Kceb7c8c530dP000101080[1] (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\win14.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\win4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\winD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wmpscfgs.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
GMER
GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-02-22 18:06:37
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwairfow.sys
---- System - GMER 1.0.15 ----
SSDT 827B0CA8 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF857487E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8574BFE]
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF70C3F80]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[1584] kernel32.dll!WriteFile 7C810D97 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs reyahezi.dll c:\windows\system32\feyimupa.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- Files - GMER 1.0.15 ----
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG 11170 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG 12831 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG 48558 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PRRT.WMF 3830 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PRRTINST.WMF 31404 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PSRETRO.WMF 982 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PSSKETLG.WMF 3594 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PSSKETSM.WMF 1910 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PSWAVY.WMF 2834 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\RE00006_.WMF 1772 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\RECYCLE.WMF 3350 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\ROAD_01.MID 5983 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SAFRI_01.MID 10122 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID 5058 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SHOW_01.MID 6392 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00256_.WMF 10762 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00260_.WMF 31908 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00268_.WMF 3932 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00286_.WMF 7596 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00298_.WMF 4712 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF 8416 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00345_.WMF 2788 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00452_.WMF 1344 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL00712_.WMF 7608 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL01040_.WMF 3292 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL01041_.WMF 1548 bytes
File C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL01394_.WMF 6916 bytes
---- EOF - GMER 1.0.15 ----
HJT
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 6:25:12 PM, on 2/22/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\program files\microsoft visual studio\bin\ir41_qcx .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Gateway Official Site: Notebooks, Laptops, Desktops, All-in-Ones, Displays, Monitors, Accessories
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Microsoft Security | Computer Security | Malicious Software
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Ndaperutewotevig] rundll32.exe "C:\WINDOWS\urexafesujoxumu.dll",Startup
O4 - HKCU\..\Run: [(ccEvtMgr) ] "C:\program files\microsoft visual studio\bin\ir41_qcx .exe" /set
O4 - HKCU\..\Run: [adobeupdater ] C:\program files\common files\adobe\updater5\adobeupdater .exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\rvlh9ohz36.dll, HUI_proc (User 'Default user')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Client Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.119,93.188.166.93
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7502 bytes
Thanks in advance, I know it's a lot to look through!
-
Delete any ComboFix file if you have it on your computer.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If ComboFix asks you to install Recovery Console, please allow it.
NOTE 2. If ComboFix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double-click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
Make sure you re-enable your security programs when you're done with ComboFix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
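The HijackThis log posted above is the kind of listing a helper reads line by line before deciding which tools to run next. As an added example (not code from this thread, from HijackThis or from ComboFix), the Python script below parses HJT's `Rn - ...` / `On - ...` entry lines and flags the four patterns a reviewer would want to look at in that log: a browser proxy pointed at the loopback address (the R1 ProxyServer line), hard-coded public DNS resolvers (O17), Run entries that load a DLL through rundll32 (O4), and executables whose file name carries whitespace before the extension (the `ir41_qcx .exe` and `adobeupdater .exe` entries). The sample input is a constructed excerpt of entries copied from the log above; the rules are the editor's heuristics, not an HJT feature, and every hit still needs a person to confirm it.

```python
"""Triage helper for HijackThis (HJT) log entries.

Added example for this thread; it is not code from the thread, from
HijackThis or from ComboFix. The rules below are heuristics chosen by the
editor (an assumption, not an HJT feature): each hit marks a line for
human review, nothing more.
"""
import re
from ipaddress import ip_address
from typing import List, Tuple

# Constructed sample input: a subset of the entry lines from the HJT log in
# this thread, in HJT's own "Rn/On - ..." format.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8383
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ndaperutewotevig] rundll32.exe "C:\WINDOWS\urexafesujoxumu.dll",Startup
O4 - HKCU\..\Run: [(ccEvtMgr) ] "C:\program files\microsoft visual studio\bin\ir41_qcx .exe" /set
O4 - HKCU\..\Run: [adobeupdater ] C:\program files\common files\adobe\updater5\adobeupdater .exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.119,93.188.166.93
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# One HJT entry: a type tag such as R1 or O4, " - ", then the entry body.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# A file name with whitespace right before its extension ("name .exe").
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(exe|com|scr|pif|dll)\b", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (entry type, reason, original body)


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry_type, body) pairs for every 'Rn/On - ...' line."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def is_public_ip(text: str) -> bool:
    """True for a routable address (not RFC 1918, loopback or link-local)."""
    try:
        ip = ip_address(text.strip())
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(entries: List[Tuple[str, str]]) -> List[Finding]:
    """Apply the review heuristics and return the entries worth a closer look."""
    findings: List[Finding] = []
    for kind, body in entries:
        if kind == "R1" and ",ProxyServer =" in body:
            # Browser traffic routed through a local port: find out which
            # installed product, if any, accounts for that listener.
            value = body.split("=", 1)[1].strip()
            if "127.0.0.1" in value or "localhost" in value.lower():
                findings.append((kind, "browser proxy points at loopback: " + value, body))
        elif kind == "O17" and "NameServer =" in body:
            # Hard-coded resolvers: compare with what the ISP/router hands out.
            servers = body.split("=", 1)[1].split(",")
            public = [s.strip() for s in servers if is_public_ip(s)]
            if public:
                findings.append((kind, "hard-coded public DNS resolvers: " + ", ".join(public), body))
        elif kind == "O4":
            lower = body.lower()
            if "rundll32" in lower and ".dll" in lower:
                findings.append((kind, "Run entry loads a DLL via rundll32; identify the DLL", body))
            if SPACE_BEFORE_EXT.search(body):
                findings.append((kind, "executable name has whitespace before its extension", body))
    return findings


def triage_log(log_text: str) -> List[Finding]:
    """Parse and triage a whole HJT log in one call."""
    return triage(parse_entries(log_text))


if __name__ == "__main__":
    for kind, reason, body in triage_log(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n      {body}")
```

A hit is a prompt for review, not a verdict: the O17 rule fires on any non-private resolver, so the addresses are compared with what the ISP or router assigns over DHCP before being treated as foreign, and the rundll32 rule will also catch legitimate vendor entries, which is why it reports the DLL path rather than judging it.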