Tom's Guide | Tom's Hardware | Tom's Games
Hi, I got this malware called Rapid Antivirus messing up my computer.
How can I remove it??
The computer has had a life of its own since I got that virus. Please help!!

Run the following scans and post their logs.
Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

If you have trouble installing or running Malwarebytes or HijackThis, do the following:
If you got them downloaded, rename the setup file and then try installing them again.
Right-click the mbam-setup.exe file > click Rename > rename it something.exe, then try to run it. If it installed but will not run, navigate to this folder:
C:\Program Files\Malwarebytes' Anti-Malware
Rename the mbam.exe file and try to run it again; if still no luck, rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.
For HijackThis, rename the HijackThis.exe file to something else and try installing it again.

I did what you asked me to do.
So here are the logs:
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:29:51, on 2008-12-01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [readmearmyaceball] C:\Documents and Settings\All Users\Application Data\wavecampreadmearmy\Bait Bind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [inside defy] C:\DOCUME~1\Andreas\APPLIC~1\SAFEAC~1\Drv close up.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\VisualTaskTips\VisualTaskTips.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{715B779B-4F28-4883-95EF-F01A5105F5AE}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{715B779B-4F28-4883-95EF-F01A5105F5AE}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS2\Services\Tcpip\..\{715B779B-4F28-4883-95EF-F01A5105F5AE}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS3\Services\Tcpip\..\{715B779B-4F28-4883-95EF-F01A5105F5AE}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 7595 bytes
MBAM log:
Malwarebytes' Anti-Malware 1.30
Database version: 1441
Windows 5.1.2600 Service Pack 3

2008-12-01 14:58:20
mbam-log-2008-12-01 (14-58-20).txt

Scan type: Quick Scan
Objects scanned: 46751
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 9

Memory Processes Infected:
C:\Documents and Settings\Andreas\Local Settings\Temp\_5849_fHx8fDI1fHx8_.dbx (Rogue.Installer) -> Unloaded process successfully.
C:\WINDOWS\system32\msiconf.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{dbabe5e3-bba4-3286-9aa2-0f16894a8ae2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0c178018-18ae-38d1-a3d6-d9692197b0f4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ee854086-dd86-38ff-b321-b9a77b19048b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ee854086-dd86-38ff-b321-b9a77b19048b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ee854086-dd86-38ff-b321-b9a77b19048b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\netsearchsoft.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.netsearchsoft.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WMVideoPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andreas\Application Data\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Andreas\Local Settings\Temp\_5849_fHx8fDI1fHx8_.dbx (Rogue.Installer) -> Delete on reboot.
C:\Program Files\WMVideoPlugin\80_25.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus\Uninstall.exe (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Best BDSM P0rn.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Gay Fetish Sex.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msiconf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mws37678.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\ws37678.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

There were two files deleted after the restart that couldn't be deleted at first. I made a new scan after that and it seems like there are no more infected files.
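As an added example (not part of this thread, and not a feature of HijackThis or MBAM), the script below does by hand the triage a helper does by eye on a HijackThis log like the one above: it parses O4 Run entries and flags targets that live in a user-writable profile directory (which is exactly where the two entries ComboFix later removed as orphans, Bait Bind.exe and Drv close up.exe, were sitting), notes O2 BHOs registered with no DLL on disk, and lists O17 NameServer overrides for the reader to confirm against the ISP's resolvers. The sample lines are constructed from entries in the posted log; the path heuristic, the `Finding` categories and the severity labels are assumptions of this example.

```python
"""Triage helper for HijackThis-style log lines (added example, not a HijackThis feature).

Looks at three entry types from the log above:
  O4  - Run keys: flag targets that live in a user-writable profile directory
  O2  - Browser Helper Objects registered with no DLL on disk
  O17 - static NameServer (DNS) overrides, listed for the reader to confirm
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on entries in the posted log (paths copied as posted).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [readmearmyaceball] C:\Documents and Settings\All Users\Application Data\wavecampreadmearmy\Bait Bind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [inside defy] C:\DOCUME~1\Andreas\APPLIC~1\SAFEAC~1\Drv close up.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'LOCAL SERVICE')
O17 - HKLM\System\CCS\Services\Tcpip\..\{715B779B-4F28-4883-95EF-F01A5105F5AE}: NameServer = 80.58.61.250,80.58.61.254
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")

# Windows XP per-user locations (long and 8.3 short names). Vendors install to
# Program Files or system32, so an autorun pointing into a profile is worth a
# second look. Heuristic only (an assumption of this example): a lead for the
# analyst, not a verdict.
PROFILE_RE = re.compile(
    r"(documents and settings|docume~1)\\.*?\\"
    r"(application data|applic~1|local settings|locals~1|desktop|temp)\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    category: str   # "profile-autorun", "orphan-bho" or "dns"
    detail: str


def target_of(cmd: str) -> str:
    """Return the executable path from an O4 command line, quoted or bare."""
    m = re.match(r'"?(?P<exe>.+?\.exe)\b', cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return the entries worth a human's attention."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            exe = target_of(m["cmd"])
            if PROFILE_RE.search(exe):
                findings.append(Finding("high", "profile-autorun",
                                        f"{m['hive']} Run [{m['name']}] -> {exe}"))
        elif m := O2_RE.match(line):
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("info", "orphan-bho",
                                        f"BHO {{{m['clsid']}}} registered but its DLL is missing"))
        elif m := O17_RE.match(line):
            findings.append(Finding("medium", "dns",
                                    f"static NameServer {m['servers']}: confirm these are the ISP's resolvers"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.category}: {f.detail}")
```

Run it against the sample and the two profile-directory autoruns come out as the only high-severity lines, while the vendor entries under system32 and Program Files stay quiet; the O17 line is reported rather than judged, because the script has no way to know which resolvers the user's ISP hands out.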

You are still infected with a different baddie.
Your Java is out of date and may have been exploited.
Download the latest version of Java from this link: Java
Click on the JRE 6 Update 10 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop, double-click on jre-6u10-windows-i586-p.exe to install the newest version.

Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case, to run ComboFix do the following:
1. Go offline, turn off your Avast antivirus, and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Hi again, this is the first log I got from ComboFix:
ComboFix 08-12-01.03 - Andreas 2008-12-02 20:38:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.263 [GMT 0:00]
Running from: c:\documents and settings\Andreas\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\download plugin
c:\program files\download plugin\DlPlugin-Moz\buddy.dat
c:\program files\download plugin\DlPlugin-Moz\vendor.txt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.
2008-12-02 20:13 . 2008-12-02 20:13 410,976 --a------ c:\windows\system32\deploytk.dll
2008-12-02 20:13 . 2008-12-02 20:13 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-01 20:33 . 2008-12-01 20:33 <DIR> d-------- c:\program files\AliveMedia
2008-12-01 20:10 . 2008-12-01 20:13 <DIR> d-------- c:\program files\Free Audio Pack
2008-12-01 18:24 . 2008-12-01 18:24 <DIR> d-------- c:\program files\NCH Software
2008-12-01 14:46 . 2008-12-01 14:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 14:46 . 2008-12-01 14:46 <DIR> d-------- c:\documents and settings\Andreas\Application Data\Malwarebytes
2008-12-01 14:46 . 2008-12-01 14:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 14:46 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 14:46 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 11:35 . 2008-12-01 11:35 <DIR> d-------- c:\program files\Trend Micro
2008-12-01 10:37 . 2008-12-01 10:37 <DIR> d-------- C:\!KillBox
2008-12-01 10:36 . 2008-12-01 10:36 <DIR> d-------- c:\windows\system32\vmm32
2008-12-01 10:35 . 2008-12-01 10:35 <DIR> d-------- c:\program files\Dell
2008-12-01 10:21 . 2008-12-01 10:21 <DIR> d-------- c:\documents and settings\Andreas\Application Data\Uniblue
2008-11-28 12:54 . 2008-11-28 13:19 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-28 12:24 . 2008-11-28 12:24 <DIR> d-------- c:\documents and settings\Andreas\Application Data\_5849_fHx8fDI1fHx8_
2008-11-28 12:15 . 2008-12-02 19:39 <DIR> d-------- c:\program files\Cool Audio Converter Pro
2008-11-28 11:48 . 2008-11-28 11:48 <DIR> d-------- c:\program files\4U Computing
2008-11-28 11:48 . 2002-12-03 03:11 143,872 --a------ c:\windows\system32\NCTWMAFile.dll
2008-11-12 11:08 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 11:04 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 20:35 --------- d-----w c:\documents and settings\Andreas\Application Data\uTorrent
2008-12-02 20:13 --------- d-----w c:\program files\Java
2008-12-02 19:58 --------- d-----w c:\documents and settings\Andreas\Application Data\OpenOffice.org2
2008-12-02 19:45 --------- d-----w c:\program files\Windows Live
2008-12-02 19:44 --------- d-----w c:\program files\URUSoft
2008-12-02 19:40 --------- d-----w c:\program files\NCH Swift Sound
2008-11-28 13:17 --------- d-----w c:\program files\Common Files\Download Manager
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 15:17 --------- d-----w c:\program files\SmartFTP Client
2008-10-06 20:02 --------- d-----w c:\program files\NOS
2008-10-06 20:02 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-10-02 16:29 --------- d-----w c:\documents and settings\Andreas\Application Data\SmartFTP
2008-03-14 22:26 51,973 ----a-w c:\program files\openoffice.org-onlineupdate.cab
2008-03-14 22:26 37,375 ----a-w c:\program files\openoffice.org-xsltfilter.cab
2008-03-14 22:26 207,388 ----a-w c:\program files\openoffice.org-testtool.cab
2008-03-14 22:26 2,504,855 ----a-w c:\program files\openoffice.org-pyuno.cab
2008-03-14 22:26 2,489,204 ----a-w c:\program files\openoffice.org-writer.cab
2008-03-14 22:26 1,090,334 ----a-w c:\program files\openoffice.org-math.cab
2008-03-14 22:25 919,329 ----a-w c:\program files\openoffice.org-draw.cab
2008-03-14 22:25 86,870 ----a-w c:\program files\openoffice.org-graphicfilter.cab
2008-03-14 22:25 3,842,531 ----a-w c:\program files\openoffice.org-core07.cab
2008-03-14 22:25 293,054 ----a-w c:\program files\openoffice.org-core08.cab
2008-03-14 22:25 28,861,971 ----a-w c:\program files\openoffice.org-core06.cab
2008-03-14 22:25 2,769 ----a-w c:\program files\openoffice.org-emailmerge.cab
2008-03-14 22:25 2,031,954 ----a-w c:\program files\openoffice.org-core09.cab
2008-03-14 22:25 118,910 ----a-w c:\program files\openoffice.org-javafilter.cab
2008-03-14 22:25 1,254,017 ----a-w c:\program files\openoffice.org-impress.cab
2008-03-14 22:21 18,636,793 ----a-w c:\program files\openoffice.org-core05.cab
2008-03-14 22:19 16,453,751 ----a-w c:\program files\openoffice.org-core04.cab
2008-03-14 22:18 9,118,219 ----a-w c:\program files\openoffice.org-core03.cab
2008-03-14 22:18 3,860,200 ----a-w c:\program files\openoffice.org-core02.cab
2008-03-14 22:18 15,102,497 ----a-w c:\program files\openoffice.org-core01.cab
2008-03-14 22:17 43,005 ----a-w c:\program files\openoffice.org-activex.cab
2008-03-14 22:17 4,696,905 ----a-w c:\program files\openoffice.org-calc.cab
2008-03-14 22:17 4,372,992 ----a-w c:\program files\openofficeorg24.msi
2008-03-14 22:17 217 ----a-w c:\program files\setup.ini
2008-03-14 22:17 1,802,028 ----a-w c:\program files\openoffice.org-base.cab
2006-11-17 13:15 5,900,416 ----a-w c:\program files\Firefox Setup 2[1].0.exe
2006-09-26 19:18 2,625,265 ----a-w c:\program files\openofficeorg4.cab
2006-09-26 19:17 56,053,978 ----a-w c:\program files\openofficeorg3.cab
2006-09-26 19:11 17,831,342 ----a-w c:\program files\openofficeorg1.cab
2006-09-26 19:11 15,305,884 ----a-w c:\program files\openofficeorg2.cab
2006-09-26 19:09 5,289,984 ----a-w c:\program files\openofficeorg20.msi
2002-03-11 09:06 1,822,520 ----a-w c:\program files\instmsiw.exe
2002-03-11 08:45 1,708,856 ----a-w c:\program files\instmsia.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"VisualTaskTips"="c:\program files\VisualTaskTips\VisualTaskTips.exe" [2008-03-09 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-08 864256]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2005-05-20 10:51 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-17 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-06-17 20560]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae723fcd-87e9-11dc-bf31-00167695bff2}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c488c607-e76c-11db-bf0b-00167695bff2}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc64da74-2120-11dd-bf52-00167695bff2}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.exe [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-inside defy - c:\docume~1\Andreas\APPLIC~1\SAFEAC~1\Drv close up.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKLM-Run-readmearmyaceball - c:\documents and settings\All Users\Application Data\wavecampreadmearmy\Bait Bind.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Andreas\Application Data\Mozilla\Firefox\Profiles\x8u3v0yf.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.hosting.speednames.com/
FF -: plugin - c:\documents and settings\Andreas\Application Data\Mozilla\Firefox\Profiles\x8u3v0yf.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07061050.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 20:43:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
.
**************************************************************************
.
Completion time: 2008-12-02 20:46:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 20:45:40

Pre-Run: 36 171 563 008 bytes free
Post-Run: 36,121,989,120 bytes free

196 --- E O F --- 2008-11-13 03:03:09

Hi, this is the second log from ComboFix.
Is everything good now?

ComboFix 08-12-01.03 - Andreas 2008-12-02 21:06:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.207 [GMT 0:00]
Running from: c:\documents and settings\Andreas\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.
2008-12-02 20:13 . 2008-12-02 20:13 410,976 --a------ c:\windows\system32\deploytk.dll
2008-12-02 20:13 . 2008-12-02 20:13 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-01 20:33 . 2008-12-01 20:33 <DIR> d-------- c:\program files\AliveMedia
2008-12-01 20:10 . 2008-12-01 20:13 <DIR> d-------- c:\program files\Free Audio Pack
2008-12-01 18:24 . 2008-12-01 18:24 <DIR> d-------- c:\program files\NCH Software
2008-12-01 14:46 . 2008-12-01 14:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 14:46 . 2008-12-01 14:46 <DIR> d-------- c:\documents and settings\Andreas\Application Data\Malwarebytes
2008-12-01 14:46 . 2008-12-01 14:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 14:46 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 14:46 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 11:35 . 2008-12-01 11:35 <DIR> d-------- c:\program files\Trend Micro
2008-12-01 10:37 . 2008-12-01 10:37 <DIR> d-------- C:\!KillBox
2008-12-01 10:36 . 2008-12-01 10:36 <DIR> d-------- c:\windows\system32\vmm32
2008-12-01 10:35 . 2008-12-01 10:35 <DIR> d-------- c:\program files\Dell
2008-12-01 10:21 . 2008-12-01 10:21 <DIR> d-------- c:\documents and settings\Andreas\Application Data\Uniblue
2008-11-28 12:54 . 2008-11-28 13:19 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-28 12:24 . 2008-11-28 12:24 <DIR> d-------- c:\documents and settings\Andreas\Application Data\_5849_fHx8fDI1fHx8_
2008-11-28 12:15 . 2008-12-02 19:39 <DIR> d-------- c:\program files\Cool Audio Converter Pro
2008-11-28 11:48 . 2008-11-28 11:48 <DIR> d-------- c:\program files\4U Computing
2008-11-28 11:48 . 2002-12-03 03:11 143,872 --a------ c:\windows\system32\NCTWMAFile.dll
2008-11-12 11:08 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 11:04 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 20:44 --------- d-----w c:\documents and settings\Andreas\Application Data\OpenOffice.org2
2008-12-02 20:35 --------- d-----w c:\documents and settings\Andreas\Application Data\uTorrent
2008-12-02 20:13 --------- d-----w c:\program files\Java
2008-12-02 19:45 --------- d-----w c:\program files\Windows Live
2008-12-02 19:44 --------- d-----w c:\program files\URUSoft
2008-12-02 19:40 --------- d-----w c:\program files\NCH Swift Sound
2008-11-28 13:17 --------- d-----w c:\program files\Common Files\Download Manager
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 15:17 --------- d-----w c:\program files\SmartFTP Client
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-06 20:02 --------- d-----w c:\program files\NOS
2008-10-06 20:02 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-10-02 16:29 --------- d-----w c:\documents and settings\Andreas\Application Data\SmartFTP
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-03-14 22:26 51,973 ----a-w c:\program files\openoffice.org-onlineupdate.cab
2008-03-14 22:26 37,375 ----a-w c:\program files\openoffice.org-xsltfilter.cab
2008-03-14 22:26 207,388 ----a-w c:\program files\openoffice.org-testtool.cab
2008-03-14 22:26 2,504,855 ----a-w c:\program files\openoffice.org-pyuno.cab
2008-03-14 22:26 2,489,204 ----a-w c:\program files\openoffice.org-writer.cab
2008-03-14 22:26 1,090,334 ----a-w c:\program files\openoffice.org-math.cab
2008-03-14 22:25 919,329 ----a-w c:\program files\openoffice.org-draw.cab
2008-03-14 22:25 86,870 ----a-w c:\program files\openoffice.org-graphicfilter.cab
2008-03-14 22:25 3,842,531 ----a-w c:\program files\openoffice.org-core07.cab
2008-03-14 22:25 293,054 ----a-w c:\program files\openoffice.org-core08.cab
2008-03-14 22:25 28,861,971 ----a-w c:\program files\openoffice.org-core06.cab
2008-03-14 22:25 2,769 ----a-w c:\program files\openoffice.org-emailmerge.cab
2008-03-14 22:25 2,031,954 ----a-w c:\program files\openoffice.org-core09.cab
2008-03-14 22:25 118,910 ----a-w c:\program files\openoffice.org-javafilter.cab
2008-03-14 22:25 1,254,017 ----a-w c:\program files\openoffice.org-impress.cab
2008-03-14 22:21 18,636,793 ----a-w c:\program files\openoffice.org-core05.cab
2008-03-14 22:19 16,453,751 ----a-w c:\program files\openoffice.org-core04.cab
2008-03-14 22:18 9,118,219 ----a-w c:\program files\openoffice.org-core03.cab
2008-03-14 22:18 3,860,200 ----a-w c:\program files\openoffice.org-core02.cab
2008-03-14 22:18 15,102,497 ----a-w c:\program files\openoffice.org-core01.cab
2008-03-14 22:17 43,005 ----a-w c:\program files\openoffice.org-activex.cab
2008-03-14 22:17 4,696,905 ----a-w c:\program files\openoffice.org-calc.cab
2008-03-14 22:17 4,372,992 ----a-w c:\program files\openofficeorg24.msi
2008-03-14 22:17 217 ----a-w c:\program files\setup.ini
2008-03-14 22:17 1,802,028 ----a-w c:\program files\openoffice.org-base.cab
2006-11-17 13:15 5,900,416 ----a-w c:\program files\Firefox Setup 2[1].0.exe
2006-09-26 19:18 2,625,265 ----a-w c:\program files\openofficeorg4.cab
2006-09-26 19:17 56,053,978 ----a-w c:\program files\openofficeorg3.cab
2006-09-26 19:11 17,831,342 ----a-w c:\program files\openofficeorg1.cab
2006-09-26 19:11 15,305,884 ----a-w c:\program files\openofficeorg2.cab
2006-09-26 19:09 5,289,984 ----a-w c:\program files\openofficeorg20.msi
2002-03-11 09:06 1,822,520 ----a-w c:\program files\instmsiw.exe
2002-03-11 08:45 1,708,856 ----a-w c:\program files\instmsia.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"VisualTaskTips"="c:\program files\VisualTaskTips\VisualTaskTips.exe" [2008-03-09 61440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-08 864256]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2005-05-20 10:51 8704 c:\windows\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-17 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-06-17 20560]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae723fcd-87e9-11dc-bf31-00167695bff2}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c488c607-e76c-11db-bf0b-00167695bff2}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc64da74-2120-11dd-bf52-00167695bff2}]
\Shell\AutoRun\command - F:\setupSNK.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2008-12-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.exe [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Andreas\Application Data\Mozilla\Firefox\Profiles\x8u3v0yf.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.hosting.speednames.com/
FF -: plugin - c:\documents and settings\Andreas\Application Data\Mozilla\Firefox\Profiles\x8u3v0yf.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07061050.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 21:08:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-02 21:10:13
ComboFix-quarantined-files.txt 2008-12-02 21:09:33
ComboFix2.txt 2008-12-02 20:46:01
Pre-Run: 36 107 481 088 bytes free
Post-Run: 36,095,348,736 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
186 --- E O F --- 2008-11-13 03:03:09
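
Triaging the "Reg Loading Points" section of a ComboFix log like the one above comes down to a few pattern checks. The Python script below is an added example, not part of this thread or of ComboFix: it parses that section into (key, name, data) records and flags the Security Center override, the mountpoints2 AutoRun commands, and any Run entry that launches from a profile's Application Data folder. The sample text is constructed from the posted log; its `updater` entry is invented to exercise the last rule.

```python
import re

# Constructed sample modelled on the "Reg Loading Points" section of the ComboFix
# log above (not the full log). The "updater" Run entry is invented for
# illustration: the posted log listed that folder but showed no Run key for it.
SAMPLE_LOG = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 5724184]
"updater"="c:\documents and settings\Andreas\Application Data\_5849_fHx8fDI1fHx8_\svc.exe" [2008-11-28 61440]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae723fcd-87e9-11dc-bf31-00167695bff2}]
\Shell\AutoRun\command - F:\setupSNK.exe"""

KEY_RE = re.compile(r"^\[(.+)\]$")                                       # [HKEY_...] header
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|(dword:[0-9a-fA-F]+))')  # "name"="data" / dword
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")           # mountpoints2 line

def parse_loading_points(text):
    """Return (registry key, value name, data) triples, one per value line."""
    records, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)                      # remember the current section
        elif m := VALUE_RE.match(line):
            records.append((key, m.group(1), m.group(2) if m.group(2) is not None else m.group(3)))
        elif m := AUTORUN_RE.match(line):
            records.append((key, "AutoRun", m.group(1)))
    return records

def triage(records):
    """Flag the three patterns a helper reads this section for."""
    findings = []
    for key, name, data in records:
        k, d = key.lower(), data.lower()
        if k.endswith("security center") and name.endswith("Override") \
                and d.startswith("dword:") and int(d[6:], 16) == 1:
            findings.append(f"Security Center monitoring overridden: {name}={data}")
        elif "mountpoints2" in k and name == "AutoRun":
            findings.append(f"AutoRun command registered for a removable volume: {data}")
        elif k.endswith("\\run") and "\\application data\\" in d:
            findings.append(f"Run entry launching from a profile data folder: {name} -> {data}")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_loading_points(SAMPLE_LOG)):
        print(finding)
```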

Almost finished, looks better now.
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
Folder::
c:\documents and settings\Andreas\Application Data\_5849_fHx8fDI1fHx8_
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start, click "run".

Empty the restore folder. Go to start > control panel > system > system restore tab > check the box beside "turn off system restore" > apply (takes a minute) > ok. Go back and uncheck the box to turn system restore back on > apply > ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run Eset's online scanner from this link:
1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

Hi this is the log file I got from ESET:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3660 (20081203)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=3bc091d8e41f6e4ba242b3ac3ea96e12
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-12-03 01:05:57
# local_time=2008-12-03 01:05:57 (+0000, GMT Standard Time)
# country="Sweden"
# osver=5.1.2600 NT Service Pack 3
# scanned=374378
# found=0
# scan_time=3084

Your computer appears to be clean.
Go to start > run > combofix /u (note the space after combofix) then press enter > run. This will uninstall ComboFix so give the uninstaller a minute to run.

Go to start > control panel > add/remove programs and uninstall these programs:
Hijack This
Malwarebytes
Eset
You should keep ATF Cleaner and run it weekly.
You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster
Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
How is the computer operating?

Rapid Antivirus is a clone of Antivirus 2009. Antivirus 2009 is a virus itself (it has many clones: Antispyware XP 2009, Antivirus 2009, XP Antivirus 2008 and others). These are rogue spyware programs. Antivirus 2009 uses fake warning popups and fake security alerts to scare and trick users into buying a "full" version of Antivirus 2009 that costs you 30 $ or even 49 $. It is a scam.
Go to this site to remove Antivirus 2009:
http://remove-fake-antivirus2009.fl...

I think the more usual way to get rid of it is to delete it manually, as I did; I used RapidAntivirus Removal.
