4 replies to this topic

[sah462]

heres my panda and HJT logs, cant get MBAM to install due to the vbalsgrid6.ocx issue, and i cant fix that due to AV 09 hijacking my admin abilities etc...

Panda
;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2009-01-06 17:46:04
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 0
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
Symantec Antivirus Corporate Edition 10.1 No Yes
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\removerp
00029434 spyware/virtumonde Spyware No 1 Yes No hkey_classes_root\clsid\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}
00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\rdfa
00029434 spyware/virtumonde Spyware No 1 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
00034347 dialer.su Dialers No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch
04508623 Adware/Lop Adware Yes 1 Yes No C:\WINDOWS\system32\pmnmmNeb.dll
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location (
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description (
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:19 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://82.98.235.133/go//?cmp=vm_finance_c...1176&m=irq4
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Intelinet] C:\Program Files\Intelinet\Intelinet.exe
O4 - HKUS\S-1-5-18\..\Run: [sdkupdate22] SDK0mCORE.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [sdkupdate22] SDK0mCORE.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [sdkupdate22] SDK0mCORE.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [sdkupdate22] SDK0mCORE.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Spb Backup Sync.lnk = C:\Program Files\Spb Backup\SpbBackupSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\tkeat1~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\tkeat1~1\locals~1\temp\ntdll64.dll
O15 - ProtocolDefaults: 'file' protocol is in Intranet Zone, should be Internet Zone (HKLM)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v46/wof/wof.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: wsp - {D230931C-917D-4DC5-A2A0-AA49451D1545} - (no file)
O18 - Protocol: wsps - {D230931C-917D-4DC5-A2A0-AA49451D1545} - (no file)
O18 - Filter: application/vnd.wap.wmlc - {E3FEAC31-D8DC-4BCA-90A9-996156C71F8B} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IntelinetSecure - Unknown owner - C:\Program Files\Intelinet\intelin2.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7966 bytes


help plz

[sjb007]

Howdy there sah462

Please note - During this fix we will be entering into safe mode. Please print out these instructions as your internet connection will not be available to you during this period. You may also copy and paste the fix into a text file and save it in an easy accessable location for reference.

Download SDFix by AndyManchesta and save it to your desktop.
alternate download.

Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix)

Reboot your computer in SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Open the SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally copy and paste the contents of the results file Report.txt in your next reply.


Once Complete

Download and scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Next..............

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply along with the combofix log.

Post back in your next post with:

SDFix Log
Combofix Log
Add-Remove programs list

[sah462]

SDFix Log


SDFix: Version 1.240
Run by TKEat1692 on Tue 01/06/2009 at 10:00 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\pmnmmNeb.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 22:28:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\TKEat1692\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\myTunes Redux\\mDNSResponder.exe"="C:\\Program Files\\myTunes Redux\\mDNSResponder.exe:*:Enabled:mDNSResponder"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE:*:Enabled:Microsoft Office Word"
"C:\\Program Files\\Sony Pictures Games\\Wheel of Fortune\\Wheel of Fortune.exe"="C:\\Program Files\\Sony Pictures Games\\Wheel of Fortune\\Wheel of Fortune.exe:*:Enabled:Wheel of Fortune"
"C:\\Program Files\\Sony\\Station\\Launchpad\\_aunchPad.exe"="C:\\Program Files\\Sony\\Station\\Launchpad\\_aunchPad.exe:*:Enabled:_aunchPad"
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\GameHouse\\CollapseCrunch\\Collapse3.exe"="C:\\Program Files\\GameHouse\\CollapseCrunch\\Collapse3.exe:*:Enabled:Collapse! Crunch"
"C:\\WINDOWS\\system32\\java.exe"="C:\\WINDOWS\\system32\\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\CrackApp\\CrackApp.exe"="C:\\Program Files\\CrackApp\\CrackApp.exe:*:Enabled:CrackApp , All multimedia in one box"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"="C:\\Program Files\\AIM\\AIM95_c0\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\123Movies2IPOD\\123Movies2IPOD.exe"="C:\\Program Files\\123Movies2IPOD\\123Movies2IPOD.exe:*:Enabled:123 Movies2iPod Pro"
"C:\\Program Files\\AIM\\AIM95_c1\\aim.exe"="C:\\Program Files\\AIM\\AIM95_c1\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\AIM\\AIM95_c2\\aim.exe"="C:\\Program Files\\AIM\\AIM95_c2\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\AIM\\AIM95_c3\\aim.exe"="C:\\Program Files\\AIM\\AIM95_c3\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe"="C:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe:*:Enabled:Sprite PC Service"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 21 Oct 2008 23,552 ...H. --- "C:\Documents and Settings\Scott\Desktop\School Fall 08\~WRL2802.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Wed 18 Jan 2006 4,348 ...H. --- "C:\Documents and Settings\Scott\My Documents\My Music\License Backup\drmv1key.bak"
Wed 19 Apr 2006 20 A..H. --- "C:\Documents and Settings\Scott\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 18 Apr 2006 488 A.SH. --- "C:\Documents and Settings\Scott\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

ComboFix Log

ComboFix 09-01-05.05 - TKEat1692 2009-01-06 22:46:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.277 [GMT -5:00]
Running from: c:\documents and settings\TKEat1692\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TKEat1692\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ahtn.htm
c:\windows\system32\caxpxamx.dll
c:\windows\system32\cbnthrbt.dll
c:\windows\system32\diydpnyw.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekapcxtkisc.sys
c:\windows\system32\FgjjQqss.ini
c:\windows\system32\FgjjQqss.ini2
c:\windows\system32\FLRXGMoq.ini
c:\windows\system32\hgGabaYs.dll
c:\windows\system32\jkkKcBuT.dll
c:\windows\system32\LklSYJlm.ini
c:\windows\system32\LklSYJlm.ini2
c:\windows\system32\mcrh.tmp
c:\windows\system32\Memman.vxd
c:\windows\system32\mfruobjh.dll
c:\windows\system32\mlJYSlkL.dll
c:\windows\system32\mryhyl.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\oydincnh.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\qyynbkiy.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekabqrvpiql.dll
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaewbekxiq.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekalovbrpnu.dll
c:\windows\system32\skinboxer43.dll
c:\windows\system32\ssqQjjgF.dll
c:\windows\system32\sYabaGgh.ini
c:\windows\system32\sYabaGgh.ini2
c:\windows\system32\ttigpf.dll
c:\windows\system32\TuBcKkkj.ini
c:\windows\system32\TuBcKkkj.ini2
c:\windows\system32\uaacwula.dll
c:\windows\system32\utbyss.dll
c:\windows\system32\warning.gif
c:\windows\system32\widmypoq.dll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\wxeqhv.dll
c:\windows\system32\xmaxpxac.ini
c:\windows\system32\yikbnyyq.ini

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-06 21:58 . 2009-01-06 21:58 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-06 21:49 . 2009-01-06 21:50 <DIR> d-------- c:\windows\ERUNT
2009-01-06 21:45 . 2009-01-06 22:28 <DIR> d-------- C:\SDFix
2009-01-06 21:27 . 2009-01-06 21:27 <DIR> d-------- c:\documents and settings\TKEat1692\Application Data\Malwarebytes
2009-01-06 21:20 . 2009-01-06 21:20 <DIR> d-------- c:\program files\Windows Resource Kits
2009-01-06 19:11 . 2009-01-06 19:11 45,568 --a------ c:\windows\system32\byXPghGv.dll
2009-01-06 17:57 . 2009-01-06 17:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 17:38 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-06 17:37 . 2009-01-06 17:37 <DIR> d-------- c:\program files\Panda Security
2009-01-06 17:32 . 2009-01-06 17:32 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 17:32 . 2009-01-06 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 16:43 . 2009-01-06 16:43 <DIR> d-------- c:\documents and settings\TKEat1692\DoctorWeb
2009-01-06 16:37 . 2009-01-06 21:29 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 16:37 . 2009-01-06 16:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 16:37 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 16:37 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 16:12 . 2009-01-06 16:12 45,568 --a------ c:\windows\system32\jkkLFvTn.dll
2009-01-06 16:10 . 2008-07-14 16:37 <DIR> d-------- c:\documents and settings\TKEat1692\Application Data\Apple Computer
2009-01-06 16:10 . 2009-01-06 16:43 <DIR> d-------- c:\documents and settings\TKEat1692
2009-01-06 15:57 . 2009-01-06 15:57 <DIR> d-------- c:\program files\CCleaner
2009-01-06 06:13 . 2009-01-06 06:13 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-06 06:08 . 2009-01-06 06:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-06 05:41 . 2009-01-06 05:41 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb
2009-01-06 04:34 . 2009-01-06 15:40 <DIR> d-------- c:\program files\Intelinet
2009-01-06 02:14 . 2009-01-06 02:14 24,576 --a------ c:\windows\system32\pcload.exe
2009-01-01 19:29 . 2009-01-01 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-01 17:35 . 2009-01-01 17:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-01-01 17:34 . 2009-01-06 05:59 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-01 17:34 . 2008-07-14 16:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-01-01 17:34 . 2009-01-06 16:00 <DIR> d-------- c:\documents and settings\Administrator
2009-01-01 17:23 . 2009-01-01 17:23 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM0NzM5MjN8_
2009-01-01 17:23 . 2009-01-01 17:23 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus
2009-01-01 16:57 . 2009-01-01 16:57 <DIR> d-------- c:\documents and settings\Scott\Application Data\VirusRemover2008
2008-12-13 02:36 . 2008-12-13 02:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Digsby
2008-12-07 23:56 . 2008-12-07 23:56 <DIR> d-------- c:\program files\iPod
2008-12-07 23:55 . 2008-12-07 23:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 01:59 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-02 01:58 --------- d-----w c:\program files\iTunes
2009-01-02 01:57 --------- d-----w c:\program files\Ganymede
2009-01-02 01:54 --------- d-----w c:\program files\Microsoft ActiveSync
2009-01-02 01:54 --------- d-----w c:\program files\AviSynth 2.5
2009-01-02 00:31 --------- d-----w c:\program files\Lavasoft
2009-01-02 00:31 --------- d-----w c:\documents and settings\Scott\Application Data\Lavasoft
2009-01-01 21:32 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-01 11:21 --------- d-----w c:\program files\Digsby
2008-12-13 07:36 --------- d-----w c:\documents and settings\Scott\Application Data\Digsby
2008-12-08 04:56 --------- d-----w c:\program files\Common Files\Apple
2008-12-08 04:51 --------- d-----w c:\program files\QuickTime
2008-11-12 12:00 --------- d-----w c:\program files\MSXML 4.0
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Spb Backup Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Spb Backup Sync.lnk
backup=c:\windows\pss\Spb Backup Sync.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-11-07 14:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 00:01 135264 c:\program files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-05-18 04:22 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\_aunchPad.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\123Movies2IPOD\\123Movies2IPOD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-06 28544]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-10 99376]
S3 IntelinetSecure;IntelinetSecure;c:\program files\Intelinet\intelin2.exe --> c:\program files\Intelinet\intelin2.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-06 38496]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-03-08 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-07 c:\windows\Tasks\nqoeuvjd.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0A8E584E-DE35-4C84-801A-3D190E2C148C} - c:\windows\system32\mlJYSlkL.dll
BHO-{619FB94D-E180-4336-8E44-C094EBE331EC} - c:\windows\system32\hgGabaYs.dll
BHO-{77AB5974-55A3-4737-9FD5-B93C64307F78} - c:\windows\system32\diydpnyw.dll
BHO-{E11FFDDB-8911-4BA9-963C-67E6C56136B6} - c:\windows\system32\jkkKcBuT.dll
HKU-Default-Run-msiexec.exe - msiconf.exe
HKU-Default-RunOnce-sdkupdate22 - SDK0mCORE.exe
MSConfigStartUp-641df90c - c:\windows\system32\caxpxamx.dll


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://83.149.115.159/go//?cmp=vm_finance_cj_onlinecash911_h&nid=&uid=2B00A496D85511DD9A76166350CFFFFF&guid=6E87A28BFFE849B5B41668086AADAF3D&affid=166350&lid=winlogon.exe&rid=zdez&v=1176&m=irq4
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\docume~1\TKEAT1~1\LOCALS~1\Temp\ntdll64.dll
FF - ProfilePath - c:\documents and settings\TKEat1692\Application Data\Mozilla\Firefox\Profiles\qhbxtfts.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 22:53:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
.
**************************************************************************
.
Completion time: 2009-01-06 22:56:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 03:56:08

Pre-Run: 569,147,392 bytes free
Post-Run: 3,382,054,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

232 --- E O F --- 2009-01-01 12:03:04

add-remove program list

123Movies2IPOD
Ad-Aware
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Apple Mobile Device Support
Apple Software Update
AutoUpdate
BCM V.92 56K Modem
Blaze Media Pro
CCleaner (remove only)
DivX
DivX Player
DivX Web Player
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel® PRO Network Adapters and Drivers
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 7
K-Lite Codec Pack 4.1.7 (Standard)
LiveUpdate 3.1 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft ActiveSync
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Professional Edition 2003
Microsoft Reader
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Motorola Driver Installation
Movie Converter V3 (remove only)
Mozilla Firefox (3.0.5)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
OpenOffice.org Installer 1.0
Panda ActiveScan 2.0
PowerDVD
QuickTime
RealPlayer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Spb Backup
Spb Backup 2.0
Sprite Backup
Spybot - Search & Destroy
Switch Uninstall
Symantec AntiVirus
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VideoLAN VLC media player 0.8.4a
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebFldrs XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
WinRAR archiver

[sjb007]

Howdy there sah462

Well that cleared out a whole of crap! Still some work to do yet, couple of files leftover to sort.

Please go to: VirusTotal

• In the middle of the page you'll find a "Browse" button.
  
  
  
  Click the "Browse" button and browse to this file in RED:
  
  c:\windows\system32\pcload.exe
  
  
• Click "Open".
  
• Then click the "Send File" button at the bottom of the VirusTotal page.
  
• This will scan the file. Please be patient.
  
• If you get a message saying File has already been analysed: click Reanalyse file now
  
• Once scanned, copy and paste the results in your next reply.

==========================

Once done....

Go to start menu - Select Run and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Quote

File::
c:\windows\Tasks\nqoeuvjd.job
c:\windows\system32\byXPghGv.dll
c:\windows\system32\jkkLFvTn.dll

Folder::
c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM0NzM5MjN8_
c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus
c:\documents and settings\Scott\Application Data\VirusRemover2008

- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.



Combofix will then execute the script and produce a fresh log. Post this log back in your next reply

==========================

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==========================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
  
• The program will then begin downloading and installing and will also update the database.
  
• Please be patient as this can take several minutes.
  
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  
• Click View scan report at the bottom.
  
• Click the Save Report As... button.
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Please post back with:

Results from VirusTotal
The log from combofix
The log from Kaspersky

[AdvancedSetup]

Please post a status update on this or we'll need to close the post.