
Malware keeps coming back, please help



I've got this bug on my system that Malwarebytes can't completely remove. Malwarebytes removes it temporarily, but it reinstalls itself after I restart a couple of times. It hijacks my desktop background. I've noticed my browser keeps getting randomly redirected to odd sites, and I am also unable to run Windows Update. I'm pretty sure the malware is called "winupdate86". Please help!

Here are my logs:

Malwarebytes' Anti-Malware 1.43

Database version: 3494

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/4/2010 7:53:46 PM

mbam-log-2010-01-04 (19-53-46).txt

Scan type: Full Scan (C:\|)

Objects scanned: 427048

Time elapsed: 1 hour(s), 47 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

C:\WINDOWS\Temp\F0.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.

C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 8:45:49 PM, on 1/4/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\System32\MsPMSPSv.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HIJACKTHIS\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: (no name) - {ebba2a2f-7b79-462a-a550-e500fe0dd556} - (no file)

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=Http://www.alienware.com

O15 - Trusted Zone: www.christinamilian.com

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O21 - SSODL: rewopawiy - {39481500-99ba-4a62-8828-4a45907a78eb} - (no file)

O21 - SSODL: vimawemot - {df2c8e1e-37fe-49a3-96c4-ba06a193b9c7} - c:\windows\system32\gaduvoma.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: mujuzedij - {39481500-99ba-4a62-8828-4a45907a78eb} - (no file)

O22 - SharedTaskScheduler: gahurihor - {df2c8e1e-37fe-49a3-96c4-ba06a193b9c7} - c:\windows\system32\gaduvoma.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe (file missing)

--

End of file - 9628 bytes

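As an added example (my own code, not anything posted in this thread and not part of Malwarebytes, HijackThis or ComboFix), the Python script below applies a few of the checks a helper makes by eye on a HijackThis log like the one above: autostarts whose file is gone, a service with no binary path, an executable named after a core Windows process (smss32.exe next to the real smss.exe), and rundll32 loading a DLL with a Virtumonde-style random name. The sample lines are copied from the logs in this thread; the consonant/vowel name heuristic, the list of known environment variables and the %fystemRoot% ImagePath check are my assumptions modelled on what the Malwarebytes log reported, not a scanner's real rules.

```python
"""Defender-side triage of HijackThis autostart lines and service ImagePath values.

Heuristics only: every hit is a lead for a human reviewer, not a verdict.
"""
import re
from typing import List, Tuple

# Constructed sample: autostart lines copied from the HijackThis logs in this
# thread, plus known-good lines so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [movanokig] Rundll32.exe "c:\windows\system32\fokazifi.dll",a
O21 - SSODL: rewopawiy - {39481500-99ba-4a62-8828-4a45907a78eb} - (no file)
O21 - SSODL: vimawemot - {df2c8e1e-37fe-49a3-96c4-ba06a193b9c7} - c:\windows\system32\gaduvoma.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Core Windows process names that malware imitates (smss32.exe beside the real smss.exe).
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"}

# Environment variables a legitimate service ImagePath may start with (assumed list).
KNOWN_ENV_VARS = {"systemroot", "windir", "programfiles", "systemdrive"}

VOWELS = set("aeiou")


def looks_machine_generated(name: str) -> bool:
    """Virtumonde-style names (movanokig, gaduvoma): 7+ lowercase letters that
    strictly alternate consonant/vowel. A heuristic, so expect false positives."""
    if len(name) < 7 or not name.isalpha() or not name.islower():
        return False
    kinds = [c in VOWELS for c in name]
    return all(kinds[i] != kinds[i + 1] for i in range(len(kinds) - 1))


def mimics_core_process(exe: str) -> bool:
    """True for smss32.exe and the like: begins with a core process name but is not it."""
    base = exe.lower().rsplit("\\", 1)[-1]
    stem = base[:-4] if base.endswith(".exe") else base
    return any(stem.startswith(p) and stem != p for p in CORE_PROCESSES)


def image_path_env_ok(image_path: str) -> bool:
    """Reject an ImagePath whose leading %VAR% is not a known variable. MBAM reported
    exactly this (%fystemRoot%): the variable never expands, so the BITS and
    wuauserv services cannot start and Windows Update silently stops working."""
    m = re.match(r"%([^%]+)%", image_path.strip())
    return m is None or m.group(1).lower() in KNOWN_ENV_VARS


def triage_hijackthis(text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for autostart lines that deserve a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        # 1. Autostart whose target is gone: leftover of a removed loader, or one
        #    that hides its file from the scanner.
        if "(no file)" in line or "(file missing)" in line:
            findings.append((line, "autostart points at a missing file"))
            continue
        # 2. Service with no owner and a bare directory instead of a binary path.
        if section == "O23" and "Unknown owner" in line and line.endswith("\\"):
            findings.append((line, "service has no binary path, only a directory"))
            continue
        if section != "O4":
            continue
        m = re.match(r"O4 - .*?: \[([^\]]+)\] (.*)$", line)
        if not m:
            continue
        name, cmd = m.group(1), m.group(2)
        exe = re.match(r'"([^"]+)"|(\S+)', cmd)
        first_token = (exe.group(1) or exe.group(2)) if exe else ""
        # 3. Run value whose executable imitates a core Windows process name.
        if mimics_core_process(first_token):
            findings.append((line, "executable imitates a core system process name"))
            continue
        # 4. rundll32 loading a DLL whose name, or the Run value's name, looks generated.
        if "rundll32" in cmd.lower():
            dll = re.search(r'"?([^"\s]+\.dll)"?', cmd, re.IGNORECASE)
            dll_stem = dll.group(1).rsplit("\\", 1)[-1][:-4] if dll else ""
            if looks_machine_generated(name) or looks_machine_generated(dll_stem):
                findings.append((line, "rundll32 loads a DLL with a generated-looking name"))
    return findings


if __name__ == "__main__":
    for hit, reason in triage_hijackthis(SAMPLE_LOG):
        print(f"{reason}: {hit}")
```

Run it against a full HijackThis log and every hit still needs a human to decide; the point is to surface the five lines a helper would zero in on before anything is fixed.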

Hi bigwilltillidie and Welcome to Malwarebytes!

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix as follows:
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select Safe Mode.

If this doesn't work either, try the same method (above method), but rename Combofix.exe to iexplore.exe instead, or winlogon.exe.

This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


Hi bigwilltillidie,

Give me a few days, I've been busy today. And I'll look at your logs and we'll go from there. By the way, I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006, read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Close all other windows except for hijackthis, perform a scan and put a check against the following items and click 'fix checked'.

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

And remove Ask Toolbar from Add/Remove Programs in the Control Panel (if present):

I'll post back on Thursday.......... :D


Hi bigwilltillidie

Open Notepad and copy and paste the text in the code box below into it:

File::
c:\windows\system32\ds32gt8.dll
Driver::
bkgc

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt onto ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Looks good bigwilltillidie. Let's run a few more scans. Smile, we are getting closer. Good job you did there.

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Next

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your next reply, please include these log(s):

MBAM Report

EsetOnlineScanner\log.txt

checkup.txt

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


I haven't noticed anything out of the ordinary for a bit, not since I got redirected after running Combo-fix for the first time. But it seems like the ESET scan found some things.

Malwarebytes Log

Malwarebytes' Anti-Malware 1.43

Database version: 3504

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/6/2010 3:04:29 PM

mbam-log-2010-01-06 (15-04-29).txt

Scan type: Quick Scan

Objects scanned: 208979

Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ESET Online Scanner Log

C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\16\78fcee10-724751d5 probably a variant of Win32/Agent trojan

C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\49\35217071-3019301d probably a variant of Win32/Agent trojan

C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\38\2ebfd1a6-34cc6c18 probably a variant of Java/TrojanDownloader.OpenStream.NAD trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\AGikTvut.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\AGikTvut.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\avkbafmh.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\BdJRrqss.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\BdJRrqss.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\beyxfljd.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\dephhjun.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\eNorqtwa.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\eNorqtwa.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\eqdlrhlb.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\ixqcilfp.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdsock.dll.vir a variant of Win32/Bamital.B trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\KQsvyccf.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\KQsvyccf.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\liluqhwp.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\lxmwoalj.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\mfhgkdfu.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\oVyaGfhk.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\oVyaGfhk.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\OVyycJlm.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\OVyycJlm.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\padncaps.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\QqtsYJlm.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\QqtsYJlm.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\rfgfcftq.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\rtmrtthn.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\tmnmxtwv.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\vDKjSvut.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\vDKjSvut.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\waGOoUvw.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\waGOoUvw.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\wgdrhafg.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\wgshkgyg.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\xgscwsfj.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\YIlknUtv.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\YIlknUtv.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\yntdtynp.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\psukox.sys.vir a variant of Win32/Rootkit.Kryptik.AF trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_psukox_.sys.zip a variant of Win32/Rootkit.Kryptik.AF trojan

Security Check

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

McAfee SecurityCenter

``````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

SUPERAntiSpyware Free Edition

Java Web Start

Java SE Runtime Environment 6 Update 1

Java 6 Update 2

Java 6 Update 5

Java 2 Runtime Environment, SE v1.4.1_07

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 7.1.0

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe is disabled!

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)


The "C:\Qoobox" folder is a backup just in case ComboFix makes a mistake.

There are some older versions of Java on your computer. These can be a source of infection.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 17 -"
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_17 from Sun Microsystems Inc.

Some final items:

Follow these steps to uninstall Combofix and all of its files and components.

Go to Start ---> Run ---> Type ComboFix /uninstall and press Enter.

Make sure there's a space between Combofix and /

Then hit enter.

Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Malware And Spyware Tips

It was a pleasure working with you.

Kenny


THANKS FOR ALL YOUR HELP!!!

One last question for you though. I noticed when following your last bit of instructions that I had quite a few versions of Java to uninstall. So I'm guessing that whenever I update to a newer version, does that mean that it doesn't uninstall the previous one? Should I always go back and uninstall the older versions after I update java? Thanks again for all the help Kenny94!


Bad news, it's back again... It actually managed to disable Malwarebytes. I ran a scan with another program, removed what I could, and then reinstalled and updated Malwarebytes. I included a Hijackthis log from before I ran the first scan (just in case it might help), the log from a Malwarebytes quick scan, and a log from a hijackthis scan after the quick scan was completed.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 9:48:35 PM, on 1/7/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\smss32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\HIJACKTHIS\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe

O4 - HKLM\..\Run: [movanokig] Rundll32.exe "c:\windows\system32\fokazifi.dll",a

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKLM\..\RunOnce: [spybotDeletingA8270] command.com /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC7911] cmd.exe /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA288] command.com /c del "C:\WINDOWS\wt\webdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC703] cmd.exe /c del "C:\WINDOWS\wt\webdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA5384] command.com /c del "C:\WINDOWS\wt\data.wts"

O4 - HKLM\..\RunOnce: [spybotDeletingC1472] cmd.exe /c del "C:\WINDOWS\wt\data.wts"

O4 - HKLM\..\RunOnce: [spybotDeletingA2849] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC3578] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4092] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC3511] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA5587] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC7871] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4834] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC7133] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA5843] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC1422] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4716] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"

O4 - HKLM\..\RunOnce: [spybotDeletingC5577] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"

O4 - HKLM\..\RunOnce: [spybotDeletingA1861] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC7606] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA9492] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC109] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA1248] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC8267] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA1439] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC6515] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA5179] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC3976] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA1516] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"

O4 - HKLM\..\RunOnce: [spybotDeletingC4792] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"

O4 - HKLM\..\RunOnce: [spybotDeletingA2770] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"

O4 - HKLM\..\RunOnce: [spybotDeletingC984] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"

O4 - HKLM\..\RunOnce: [spybotDeletingA2367] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"

O4 - HKLM\..\RunOnce: [spybotDeletingC3906] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"

O4 - HKLM\..\RunOnce: [spybotDeletingA9078] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC7420] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA7261] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"

O4 - HKLM\..\RunOnce: [spybotDeletingC3199] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"

O4 - HKLM\..\RunOnce: [spybotDeletingA1721] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC685] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA1716] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC7971] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA2546] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlPanel\index.html"

O4 - HKLM\..\RunOnce: [spybotDeletingC3927] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlPanel\index.html"

O4 - HKLM\..\RunOnce: [spybotDeletingA1540] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"

O4 - HKLM\..\RunOnce: [spybotDeletingC9322] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"

O4 - HKLM\..\RunOnce: [spybotDeletingA363] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"

O4 - HKLM\..\RunOnce: [spybotDeletingC3733] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"

O4 - HKLM\..\RunOnce: [spybotDeletingA6141] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC7559] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA9365] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC909] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx5drv.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA5745] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC7884] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA6798] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC6319] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA4223] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC1416] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA9816] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"

O4 - HKLM\..\RunOnce: [spybotDeletingC4467] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"

O4 - HKLM\..\RunOnce: [spybotDeletingA3924] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC2191] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA1924] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\rdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC8609] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\rdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA1385] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC7176] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA7046] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"

O4 - HKLM\..\RunOnce: [spybotDeletingC9737] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"

O4 - HKLM\..\RunOnce: [spybotDeletingA3798] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC5959] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA9749] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"

O4 - HKLM\..\RunOnce: [spybotDeletingC3891] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"

O4 - HKLM\..\RunOnce: [spybotDeletingA3006] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"

O4 - HKLM\..\RunOnce: [spybotDeletingC2796] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"

O4 - HKLM\..\RunOnce: [spybotDeletingA3953] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"

O4 - HKLM\..\RunOnce: [spybotDeletingC83] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"

O4 - HKLM\..\RunOnce: [spybotDeletingC2538] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA7928] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"

O4 - HKLM\..\RunOnce: [spybotDeletingC5202] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"

O4 - HKLM\..\RunOnce: [spybotDeletingA4459] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"

O4 - HKLM\..\RunOnce: [spybotDeletingC2321] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"

O4 - HKLM\..\RunOnce: [spybotDeletingA9486] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC8709] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA9225] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC8926] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA9926] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC9854] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA1325] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"

O4 - HKLM\..\RunOnce: [spybotDeletingC4107] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"

O4 - HKLM\..\RunOnce: [spybotDeletingA4574] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC8494] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA494] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"

O4 - HKLM\..\RunOnce: [spybotDeletingC2225] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"

O4 - HKLM\..\RunOnce: [spybotDeletingA3558] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"

O4 - HKLM\..\RunOnce: [spybotDeletingC2541] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"

O4 - HKLM\..\RunOnce: [spybotDeletingA8467] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlPanel\index.html"

O4 - HKLM\..\RunOnce: [spybotDeletingC2769] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlPanel\index.html"

O4 - HKLM\..\RunOnce: [spybotDeletingA3419] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"

O4 - HKLM\..\RunOnce: [spybotDeletingC2995] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"

O4 - HKLM\..\RunOnce: [spybotDeletingA7862] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC363] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA198] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingC4967] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA93] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"

O4 - HKLM\..\RunOnce: [spybotDeletingC8551] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"

O4 - HKLM\..\RunOnce: [spybotDeletingA9790] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"

O4 - HKLM\..\RunOnce: [spybotDeletingC7620] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"

O4 - HKLM\..\RunOnce: [spybotDeletingA4549] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"

O4 - HKLM\..\RunOnce: [spybotDeletingC6989] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"

O4 - HKLM\..\RunOnce: [spybotDeletingA3139] command.com /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"

O4 - HKLM\..\RunOnce: [spybotDeletingC5474] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"

O4 - HKLM\..\RunOnce: [spybotDeletingA4209] command.com /c del "C:\WINDOWS\system32\biyedepu.dll_old"

O4 - HKLM\..\RunOnce: [spybotDeletingC2068] cmd.exe /c del "C:\WINDOWS\system32\biyedepu.dll_old"

O4 - HKLM\..\RunOnce: [spybotDeletingA9561] command.com /c del "C:\WINDOWS\system32\nuvameje.dll_old"

O4 - HKLM\..\RunOnce: [spybotDeletingC6492] cmd.exe /c del "C:\WINDOWS\system32\nuvameje.dll_old"

O4 - HKLM\..\RunOnce: [spybotDeletingA2676] command.com /c del "c:\windows\system32\fokazifi.dll_old"

O4 - HKLM\..\RunOnce: [spybotDeletingC3476] cmd.exe /c del "c:\windows\system32\fokazifi.dll_old"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\RunOnce: [spybotDeletingB969] command.com /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD1119] cmd.exe /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB2509] command.com /c del "C:\WINDOWS\wt\webdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD9859] cmd.exe /c del "C:\WINDOWS\wt\webdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB4795] command.com /c del "C:\WINDOWS\wt\data.wts"

O4 - HKCU\..\RunOnce: [spybotDeletingD6910] cmd.exe /c del "C:\WINDOWS\wt\data.wts"

O4 - HKCU\..\RunOnce: [spybotDeletingB3055] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD2022] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB6493] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD8617] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB4779] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD9443] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB152] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD1289] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB2603] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD7915] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB2653] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"

O4 - HKCU\..\RunOnce: [spybotDeletingD5659] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"

O4 - HKCU\..\RunOnce: [spybotDeletingB5386] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD4227] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB3324] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD227] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB8809] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"

O4 - HKCU\..\RunOnce: [spybotDeletingD728] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"

O4 - HKCU\..\RunOnce: [spybotDeletingB3911] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD5754] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB3359] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD6500] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB5140] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"

O4 - HKCU\..\RunOnce: [spybotDeletingD7353] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"

O4 - HKCU\..\RunOnce: [spybotDeletingB8445] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"

O4 - HKCU\..\RunOnce: [spybotDeletingD9068] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"

O4 - HKCU\..\RunOnce: [spybotDeletingB2401] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"

O4 - HKCU\..\RunOnce: [spybotDeletingD5829] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"

O4 - HKCU\..\RunOnce: [spybotDeletingB3150] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD1251] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB8194] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"

O4 - HKCU\..\RunOnce: [spybotDeletingD2484] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"

O4 - HKCU\..\RunOnce: [spybotDeletingB4555] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD5243] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB4353] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD8996] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB8805] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlPanel\index.html"

O4 - HKCU\..\RunOnce: [spybotDeletingD8240] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlPanel\index.html"

O4 - HKCU\..\RunOnce: [spybotDeletingB7260] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"

O4 - HKCU\..\RunOnce: [spybotDeletingD9270] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"

O4 - HKCU\..\RunOnce: [spybotDeletingB2635] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"

O4 - HKCU\..\RunOnce: [spybotDeletingD5167] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"

O4 - HKCU\..\RunOnce: [spybotDeletingB1348] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD1321] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB9158] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx5drv.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD8859] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx5drv.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB5243] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD4617] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB8952] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD4567] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB325] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD6222] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB1921] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"

O4 - HKCU\..\RunOnce: [spybotDeletingD1364] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"

O4 - HKCU\..\RunOnce: [spybotDeletingB3864] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD5049] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB1961] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\rdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD4048] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\rdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB1229] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD81] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB4610] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"

O4 - HKCU\..\RunOnce: [spybotDeletingD2434] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"

O4 - HKCU\..\RunOnce: [spybotDeletingB7239] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD2690] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB4300] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"

O4 - HKCU\..\RunOnce: [spybotDeletingD5933] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"

O4 - HKCU\..\RunOnce: [spybotDeletingB282] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"

O4 - HKCU\..\RunOnce: [spybotDeletingD8037] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"

O4 - HKCU\..\RunOnce: [spybotDeletingB1096] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"

O4 - HKCU\..\RunOnce: [spybotDeletingD4557] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"

O4 - HKCU\..\RunOnce: [spybotDeletingB9519] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD6159] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB671] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"

O4 - HKCU\..\RunOnce: [spybotDeletingD83] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"

O4 - HKCU\..\RunOnce: [spybotDeletingB2505] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"

O4 - HKCU\..\RunOnce: [spybotDeletingD5772] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"

O4 - HKCU\..\RunOnce: [spybotDeletingB8665] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"

O4 - HKCU\..\RunOnce: [spybotDeletingD7953] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"

O4 - HKCU\..\RunOnce: [spybotDeletingB8286] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD6990] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB3728] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD337] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB8646] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"

O4 - HKCU\..\RunOnce: [spybotDeletingD169] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"

O4 - HKCU\..\RunOnce: [spybotDeletingB338] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD5232] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB9565] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"

O4 - HKCU\..\RunOnce: [spybotDeletingD9248] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"

O4 - HKCU\..\RunOnce: [spybotDeletingB7429] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"

O4 - HKCU\..\RunOnce: [spybotDeletingD7047] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"

O4 - HKCU\..\RunOnce: [spybotDeletingB1585] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlPanel\index.html"

O4 - HKCU\..\RunOnce: [spybotDeletingD2429] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlPanel\index.html"

O4 - HKCU\..\RunOnce: [spybotDeletingB5971] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"

O4 - HKCU\..\RunOnce: [spybotDeletingD5907] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"

O4 - HKCU\..\RunOnce: [spybotDeletingB3719] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD719] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB8174] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingD7627] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"

O4 - HKCU\..\RunOnce: [spybotDeletingB3578] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"

O4 - HKCU\..\RunOnce: [spybotDeletingD2988] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"

O4 - HKCU\..\RunOnce: [spybotDeletingB6620] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"

O4 - HKCU\..\RunOnce: [spybotDeletingD3006] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"

O4 - HKCU\..\RunOnce: [spybotDeletingB1243] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"

O4 - HKCU\..\RunOnce: [spybotDeletingD1596] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"

O4 - HKCU\..\RunOnce: [spybotDeletingB7669] command.com /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"

O4 - HKCU\..\RunOnce: [spybotDeletingD784] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"

O4 - HKCU\..\RunOnce: [spybotDeletingB1973] command.com /c del "C:\WINDOWS\system32\biyedepu.dll_old"

O4 - HKCU\..\RunOnce: [spybotDeletingD583] cmd.exe /c del "C:\WINDOWS\system32\biyedepu.dll_old"

O4 - HKCU\..\RunOnce: [spybotDeletingB3044] command.com /c del "C:\WINDOWS\system32\nuvameje.dll_old"

O4 - HKCU\..\RunOnce: [spybotDeletingD5704] cmd.exe /c del "C:\WINDOWS\system32\nuvameje.dll_old"

O4 - HKCU\..\RunOnce: [spybotDeletingB3545] command.com /c del "c:\windows\system32\fokazifi.dll_old"

O4 - HKCU\..\RunOnce: [spybotDeletingD2223] cmd.exe /c del "c:\windows\system32\fokazifi.dll_old"

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=Http://www.alienware.com

O15 - Trusted Zone: www.christinamilian.com

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D9BAD161-5C29-44D7-84B9-920A10D57C24}: NameServer = 193.104.110.38,4.2.2.1,192.168.1.254

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: biyedepu.dll c:\windows\system32\fokazifi.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O21 - SSODL: doyosovis - {ea6c5766-7e6a-48f0-9053-dcc6c1e1c712} - c:\windows\system32\fokazifi.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: jugezatag - {ea6c5766-7e6a-48f0-9053-dcc6c1e1c712} - c:\windows\system32\fokazifi.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe (file missing)

--

End of file - 37874 bytes

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 10:42:34 PM, on 1/7/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\HIJACKTHIS\TrendMicro\HiJackThis\HiJackThis.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=Http://www.alienware.com

O15 - Trusted Zone: www.christinamilian.com

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: biyedepu.dll c:\windows\system32\fokazifi.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O21 - SSODL: doyosovis - {ea6c5766-7e6a-48f0-9053-dcc6c1e1c712} - c:\windows\system32\fokazifi.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: jugezatag - {ea6c5766-7e6a-48f0-9053-dcc6c1e1c712} - c:\windows\system32\fokazifi.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe (file missing)

--

End of file - 10349 bytes

mbam_log_2010_01_07__22_37_54_.txt
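As an added example (not code from this thread, from HijackThis or from Malwarebytes), a short Python triage script that flags the entries a helper reads first in a log like the one above: the O17 NameServer pointing outside the LAN, the O20 AppInit_DLLs value, the O21/O22 load points whose DLL is missing, and the O23 service with an unknown owner. The trusted-resolver list and the sample lines are constructed for the example.

```python
"""HijackThis (HJT) log triage: flag the entries a removal helper checks first.

Added example; not part of the original thread and not HijackThis code. Each rule
is a defensive heuristic, not a verdict: O17 resolvers outside the LAN and not
trusted, O20 non-empty AppInit_DLLs, O21/O22 load points whose file is missing,
O23 services with an unknown owner or missing binary, and one CLSID under
several load-point sections (the O21/O22 pair seen in this thread).
"""
import ipaddress
import re
from collections import defaultdict

# ASSUMPTION: resolvers this network is known to use; edit for your own environment.
TRUSTED_RESOLVERS = {"4.2.2.1", "4.2.2.2"}

ENTRY_RE = re.compile(r"^(?P<sec>[OR]\d+)\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NS_RE = re.compile(r"NameServer\s*=\s*([0-9a-fA-F.:, ]+)")

# Constructed sample: a handful of lines mirroring the log posted in this thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9BAD161-5C29-44D7-84B9-920A10D57C24}: NameServer = 193.104.110.38,4.2.2.1,192.168.1.254
O20 - AppInit_DLLs: biyedepu.dll c:\windows\system32\fokazifi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: doyosovis - {ea6c5766-7e6a-48f0-9053-dcc6c1e1c712} - c:\windows\system32\fokazifi.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: jugezatag - {ea6c5766-7e6a-48f0-9053-dcc6c1e1c712} - c:\windows\system32\fokazifi.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe (file missing)
"""


def parse_entry(line):
    """Return (section, body) for an HJT entry line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def untrusted_resolvers(body, trusted=TRUSTED_RESOLVERS):
    """O17 check: resolvers outside private/link-local space and not on the trusted list."""
    m = NS_RE.search(body)
    if not m:
        return []
    flagged = []
    for raw in m.group(1).split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:          # not an address at all: worth a look
            flagged.append(raw)
            continue
        if not (ip.is_private or ip.is_link_local) and raw not in trusted:
            flagged.append(raw)
    return flagged


def triage(log_text, trusted=TRUSTED_RESOLVERS):
    """Scan an HJT log and return a list of (section, reason, line) findings."""
    findings = []
    clsid_sections = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        sec, body = parsed
        if sec == "O17":
            for ip in untrusted_resolvers(body, trusted):
                findings.append((sec, f"untrusted DNS resolver {ip}", line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                findings.append((sec, "AppInit_DLLs injects into every process: " + " ".join(dlls), line))
        elif sec in ("O21", "O22") and "(file missing)" in body:
            findings.append((sec, "autostart load point references a missing file", line))
        elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append((sec, "service with unknown owner or missing binary", line))
        for clsid in CLSID_RE.findall(body):
            clsid_sections[clsid.lower()].add(sec)
    # One CLSID/DLL pair registered under several load points is the persistence pattern here.
    for clsid, secs in sorted(clsid_sections.items()):
        if len(secs) > 1:
            findings.append(("CLSID", f"{clsid} registered under {'+'.join(sorted(secs))}", ""))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}")
```

Run against a saved log with `triage(open("hijackthis.log").read())`; every hit still needs a human look, since a legitimate product can also register a load point.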


Hi bigwilltillidie

If you look at your MBAM report, you'll see "No action taken". You might have posted this before you clicked "Remove Selected", or you did not make sure that everything was checked and click Remove Selected. Let's hope for the latter. Make sure that everything is checked, click Remove Selected and reboot your computer. Also, are you getting redirected to any sites as before, and can you run Windows Update?

Please disable TeaTimer by right-clicking its icon in the system tray and selecting "disable Spybot S&D resident". It will reload on the next reboot without you having to re-enable it.

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Your HJT log is showing an infection. Let's run ComboFix again, since Vundo is there.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Hi bigwilltillidie, sorry for the delay. I never received a Topic Reply Notification..... ;)

Open Notepad and copy and paste the text in the code box below into it:

File:: 
c:\documents and settings\Will\Application Data\FrostWire
Folder::
c:\\Program Files\\FrostWire
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"c:\\Program Files\\FrostWire\\FrostWire.exe"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Next

Please do an online scan with Kaspersky WebScanner

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

In your next reply, please include these log(s):

Combofix.txt

Kaspersky Report

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


Let's see if they're there.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these Files (if present):

C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\16

C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\49

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA, which are both free to use and are more secure than IE.

If you are using Firefox, you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

WinPatrol - Download and install the free version of WinPatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

Malware And Spyware Tips

Also see here for system improvement: Help! My computer is slow!

It was a pleasure working with you again bigwilltillidie.

Kenny (Kenny94)


Other files are in the System Restore points. Combofix /Uninstall will remove them. But to make sure, you can follow the steps below:

Remove all but the most recent Restore Point on Windows XP

You should do this to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN and type in %SystemRoot%\system32\restore\rstrui.exe and click OK.
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore


Again these are in your System Restore points:

http://blogs.msdn.com/oldnewthing/archive/...1/20/55764.aspx

A Full Scan with Malwarebytes will show "C:\System Volume Information" (your scan below). If you notice, here in this forum we ask the users to "Perform Quick Scan" because Malwarebytes is geared towards being quick and effective: to look for malware in the C: drive, memory and the registry and so forth....

So it's pointless to scan the "System Restore points" when setting a new restore point will flush these out. I feel you need to do this again: "Create a New Restore Point" and restart your computer. The Full Scan does give you an option to check or uncheck a drive. That can be helpful..... ;)

Malwarebytes' Anti-Malware 1.44

Database version: 3556

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/13/2010 1:24:03 PM

mbam-log-2010-01-13 (13-24-03).txt

Scan type: Full Scan (C:\|)

Objects scanned: 361689

Time elapsed: 1 hour(s), 19 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{2B3B73DA-B4FB-430B-A278-BC2C67DCCE11}\RP1\A0000120.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{2B3B73DA-B4FB-430B-A278-BC2C67DCCE11}\RP10\A0000932.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{2B3B73DA-B4FB-430B-A278-BC2C67DCCE11}\RP12\A0001268.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{2B3B73DA-B4FB-430B-A278-BC2C67DCCE11}\RP13\A0002463.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{2B3B73DA-B4FB-430B-A278-BC2C67DCCE11}\RP16\A0002561.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{2B3B73DA-B4FB-430B-A278-BC2C67DCCE11}\RP16\A0002747.sys (Malware.Trace) -> Quarantined and deleted successfully.
