WiredWX Christian Hobby Weather Tools

Antivirus 2009 has completely taken over my computer.

My computer has been taken over and I cannot run any real antivirus scans. Sometimes IE will not open, and when it does it never takes you to the address you type in. Everything I try to do, it takes over and does weird stuff. System Restore has been turned off and I cannot turn it back on. Registry editing has been disabled. I need help please.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:42 PM, on 12/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winloggn.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Application Data\gadcom\gadcom.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5XX24LI0\hijackgpthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ddcBQJbY.dll
O2 - BHO: (no name) - {99829BB4-6EED-4BE8-9365-9E0077D6162B} - C:\WINDOWS\system32\jkkKbCtT.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: (no name) - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {AC89739A-09F7-4DE6-B214-30838D557610} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [559178071] "C:\Documents and Settings\All Users\Application Data\25626139\559178071.exe"
O4 - HKLM\..\Run: [b05ad889] rundll32.exe "C:\WINDOWS\system32\dffdcyjj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Administrator\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Administrator\Application Data\Twain\Twain.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029YYUS_ZNxdm00649US
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {BD4F7A6D-0107-4BDF-B72B-021B717B06CE} - http://scanner.msscanner.com/setup/setup.cab
O20 - AppInit_DLLs: fuxdih.dll zzaccl.dll gwhipb.dll, gzhify.dll dcdndg.dll xwtypu.dll fteaxo.dll
O20 - Winlogon Notify: ddcBQJbY - C:\WINDOWS\SYSTEM32\ddcBQJbY.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe

--
End of file - 11440 bytes

Re: Antivirus 2009 has completely taken over my computer.

Hello.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ddcBQJbY.dll
    O2 - BHO: (no name) - {99829BB4-6EED-4BE8-9365-9E0077D6162B} - C:\WINDOWS\system32\jkkKbCtT.dll
    O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
    O3 - Toolbar: (no name) - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: (no name) - {AC89739A-09F7-4DE6-B214-30838D557610} - (no file)
    O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winloggn.exe
    O4 - HKLM\..\Run: [559178071] "C:\Documents and Settings\All Users\Application Data\25626139\559178071.exe"
    O4 - HKLM\..\Run: [b05ad889] rundll32.exe "C:\WINDOWS\system32\dffdcyjj.dll",b
    O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winloggn.exe
    O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Administrator\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
    O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Administrator\Application Data\Twain\Twain.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029YYUS_ZNxdm00649US
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - (no file)
    O20 - AppInit_DLLs: fuxdih.dll zzaccl.dll gwhipb.dll, gzhify.dll dcdndg.dll xwtypu.dll fteaxo.dll
    O20 - Winlogon Notify: ddcBQJbY - C:\WINDOWS\SYSTEM32\ddcBQJbY.dll
    O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll


  • Press "Fix Checked"
  • Close Hijack This.


Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
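
Added example, not part of the thread and not HijackThis's own logic: a Python triage pass that reproduces the reasoning behind most of the lines selected in the reply above (autoruns from Temp or Application Data, unnamed or orphaned browser add-ons, the O7 policy lock, AppInit_DLLs, Winlogon Notify, SharedTaskScheduler) and also reports files registered at more than one load point. The rules are illustrative assumptions; `SAMPLE_LOG` is an excerpt of entries from the log posted above.

```python
import re
from collections import defaultdict

# One HijackThis entry: section code, " - ", then the section-specific body.
ENTRY = re.compile(r"^(?P<code>[ORF]\d+) - (?P<body>.+)$")
# Drive-qualified .exe/.dll paths inside an entry body (quotes excluded).
FILE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
# Locations a limited user can write to. Matched on the lower-cased path,
# so the 8.3 spelling ...\LOCALS~1\Temp\ is covered as well.
USER_WRITABLE = ("\\temp\\", "\\application data\\")
# Sections that load code at boot, logon or browser start.
LOAD_POINTS = {"O2", "O4", "O20", "O22"}

# Excerpt of the log posted in this thread (benign and malicious entries).
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ddcBQJbY.dll
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: (no name) - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - (no file)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Administrator\Application Data\Twain\Twain.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: fuxdih.dll zzaccl.dll gwhipb.dll, gzhify.dll dcdndg.dll xwtypu.dll fteaxo.dll
O20 - Winlogon Notify: ddcBQJbY - C:\WINDOWS\SYSTEM32\ddcBQJbY.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def parse(log_text):
    """Yield (section_code, body) for every HijackThis entry line."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(log_text):
    """Return (code, reason, detail) findings for entries worth a manual look."""
    findings = []
    seen_at = defaultdict(set)  # lower-cased file path -> sections that load it
    for code, body in parse(log_text):
        low = body.lower()
        paths = [p.lower() for p in FILE.findall(body)]
        if code in LOAD_POINTS:
            for p in paths:
                seen_at[p].add(code)
        if code == "O4" and any(d in p for p in paths for d in USER_WRITABLE):
            reason = "autorun started from a user-writable directory"
        elif code in ("O2", "O3", "O9") and low.endswith("(no file)"):
            reason = "orphaned entry: registered file is missing"
        elif code == "O2" and low.startswith(("bho: (no name)", "bho: c:\\")):
            reason = "BHO without a product name"
        elif code == "O7":
            reason = "policy restriction (registry tools disabled)"
        elif code == "O20" and low.startswith("appinit_dlls:"):
            reason = "DLLs loaded into every process that loads user32.dll"
        elif code in ("O20", "O22"):
            reason = "non-default logon/shell load point"
        else:
            continue
        findings.append((code, reason, body))
    # The same file wired into several load points is a persistence pattern
    # that no single-line rule can see.
    for path, codes in sorted(seen_at.items()):
        if len(codes) > 1:
            findings.append(("multi", "same file registered at several load points",
                             f"{path} via {', '.join(sorted(codes))}"))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {detail}")
```

Entries such as `prunnet` in `system32` pass these rules untouched, so an empty result is a prompt for manual review of the remaining lines, not a clean bill of health.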

Re: Antivirus 2009 has completely taken over my computer.

OK, I did the HijackThis thing, and after I pressed Fix Checked I got 6 error messages stacked up together that all said "Registry editing has been disabled by your administrator."

When I try to go to download Malwarebytes I get redirected and/or IE cannot display the webpage.

Re: Antivirus 2009 has completely taken over my computer.

Hello.


  • Now open a new notepad file.
  • Input this into the notepad file:

    [Version]
    Signature=$CHICAGO$

    [DefaultInstall]
    AddReg=Add.Settings

    [Add.Settings]
    HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000000


  • Save this as fixreg.inf, save it to your desktop.
  • Right click fixreg.inf and select install.


Registry editing is now enabled again; do the Hijack This fix again.
See if it will allow you to get MBAM, if not we'll use something else to take out what we can see and that should halt the re-directs for the time being.

Re: Antivirus 2009 has completely taken over my computer.

Hi,

Installed fixreg.inf but now it would let me do hijack again. It says it is already running but it isn't, and it still will not let me go to MBAM.

Re: Antivirus 2009 has completely taken over my computer.

Do you know how to open the Task Manager?
If so, open it and locate Hijack This and end the process.

If not, here's how.
Right click anywhere on the task bar > Open "Task Manager"

Re: Antivirus 2009 has completely taken over my computer.

It is not running in the Task Manager.

Re: Antivirus 2009 has completely taken over my computer.

Okay.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Files to delete:
    C:\WINDOWS\system32\ddcBQJbY.dll
    C:\WINDOWS\system32\jkkKbCtT.dll
    C:\WINDOWS\system32\tyshb36rfjdf.dll
    C:\WINDOWS\system32\dffdcyjj.dll
    C:\WINDOWS\system32\prunnet.exe
    C:\WINDOWS\system32\fuxdih.dll
    C:\WINDOWS\system32\zzaccl.dll
    C:\WINDOWS\system32\gwhipb.dll
    C:\WINDOWS\system32\gzhify.dll
    C:\WINDOWS\system32\dcdndg.dll
    C:\WINDOWS\system32\xwtypu.dll
    C:\WINDOWS\system32\fteaxo.dll

    Folders to delete:
    C:\Documents and Settings\All Users\Application Data\25626139
    C:\Documents and Settings\Administrator\Application Data\gadcom
    C:\Documents and Settings\Administrator\Application Data\Twain


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Antivirus 2009 has completely taken over my computer.

It won't let me, says Internet Explorer cannot display the webpage.

Re: Antivirus 2009 has completely taken over my computer.

tdss rootkit.

Have uploaded the avenger here:
http://www.sendspace.com/file/u3a9rc

Download from there and follow my instructions carefully.

Re: Antivirus 2009 has completely taken over my computer.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSpqlt.sys
Driver disabled successfully.

Rootkit scan completed.

File "C:\WINDOWS\system32\ddcBQJbY.dll" deleted successfully.
File "C:\WINDOWS\system32\jkkKbCtT.dll" deleted successfully.
File "C:\WINDOWS\system32\tyshb36rfjdf.dll" deleted successfully.
File "C:\WINDOWS\system32\dffdcyjj.dll" deleted successfully.
File "C:\WINDOWS\system32\prunnet.exe" deleted successfully.
File "C:\WINDOWS\system32\fuxdih.dll" deleted successfully.
File "C:\WINDOWS\system32\zzaccl.dll" deleted successfully.
File "C:\WINDOWS\system32\gwhipb.dll" deleted successfully.
File "C:\WINDOWS\system32\gzhify.dll" deleted successfully.
File "C:\WINDOWS\system32\dcdndg.dll" deleted successfully.
File "C:\WINDOWS\system32\xwtypu.dll" deleted successfully.
File "C:\WINDOWS\system32\fteaxo.dll" deleted successfully.
Folder "C:\Documents and Settings\All Users\Application Data\25626139" deleted successfully.
Folder "C:\Documents and Settings\Administrator\Application Data\gadcom" deleted successfully.
Folder "C:\Documents and Settings\Administrator\Application Data\Twain" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
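
Added example, not part of the thread and not code from The Avenger: a Python check that reconciles the removal script with the log above, listing any target that has no "deleted successfully" line and any hidden driver that was disabled but whose image file was not among the deletions. `SCRIPT` and `LOG` are excerpts of the script and log posted in this thread; only the line formats visible there are assumed.

```python
import re

DELETED = re.compile(r'^(File|Folder) "(.+)" deleted successfully\.$')
DRIVER = re.compile(r'^Hidden driver "(.+)" found!$')
HEADERS = {"files to delete:": "File", "folders to delete:": "Folder"}

# Excerpt of the script posted in the thread.
SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\ddcBQJbY.dll
C:\WINDOWS\system32\prunnet.exe
C:\WINDOWS\system32\fuxdih.dll

Folders to delete:
C:\Documents and Settings\Administrator\Application Data\gadcom
"""

# Excerpt of the log posted in the thread.
LOG = r"""
Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSpqlt.sys
Driver disabled successfully.

Rootkit scan completed.

File "C:\WINDOWS\system32\ddcBQJbY.dll" deleted successfully.
File "C:\WINDOWS\system32\prunnet.exe" deleted successfully.
File "C:\WINDOWS\system32\fuxdih.dll" deleted successfully.
Folder "C:\Documents and Settings\Administrator\Application Data\gadcom" deleted successfully.

Completed script processing.
"""


def script_targets(script_text):
    """Return [(kind, path)] from the 'Files/Folders to delete:' sections."""
    targets, kind = [], None
    for line in map(str.strip, script_text.splitlines()):
        if line.lower() in HEADERS:
            kind = HEADERS[line.lower()]
        elif line and kind:
            targets.append((kind, line))
    return targets


def basename(path):
    """Lower-cased last component of a backslash-separated path."""
    return path.lower().rsplit("\\", 1)[-1]


def reconcile(script_text, log_text):
    """Compare requested deletions with what the log confirms."""
    lines = [l.strip() for l in log_text.splitlines()]
    confirmed, drivers = set(), []
    for i, line in enumerate(lines):
        m = DELETED.match(line)
        if m:
            confirmed.add((m.group(1), m.group(2).lower()))
            continue
        m = DRIVER.match(line)
        if m:
            detail = lines[i + 1:i + 3]  # ImagePath and status follow the hit
            image = next((l.split(":", 1)[1].strip()
                          for l in detail if l.startswith("ImagePath:")), None)
            drivers.append({"name": m.group(1), "image_path": image,
                            "disabled": "Driver disabled successfully." in detail})
    deleted_names = {basename(p) for _, p in confirmed}
    for d in drivers:
        # Disabling stops the driver loading; the file itself may remain.
        d["image_deleted"] = (bool(d["image_path"])
                              and basename(d["image_path"]) in deleted_names)
    unconfirmed = [(k, p) for k, p in script_targets(script_text)
                   if (k, p.lower()) not in confirmed]
    return {"unconfirmed": unconfirmed, "hidden_drivers": drivers}


if __name__ == "__main__":
    report = reconcile(SCRIPT, LOG)
    print("unconfirmed targets:", report["unconfirmed"] or "none")
    for d in report["hidden_drivers"]:
        print(d)
```

On this log the service name (`TDSSserv.sys`) and the image path (`TDSSpqlt.sys`) differ, and the image is not among the confirmed deletions, so it remains an item for the follow-up scan.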

Re: Antivirus 2009 has completely taken over my computer.

That has disabled the rootkit now, you can access MBAM link.
Please run MBAM now.

Re: Antivirus 2009 has completely taken over my computer.

OK, it let me download it and is now running the scan.
I really want to thank you for all of the time you are taking to help me.
Will let you know when the scan is finished, but it has already found 45 infected objects in 3 minutes.

Re: Antivirus 2009 has completely taken over my computer.

Scan is finished, here is the log:

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 2

12/28/2008 5:27:58 PM
mbam-log-2008-12-28 (17-27-58).txt

Scan type: Quick Scan
Objects scanned: 53047
Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 30
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 5
Files Infected: 46

Memory Processes Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\csrssc.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PCPrivacyCleaner (Rogue.PCPrivacyCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{65de966d-11d1-4bb1-bf7e-b8a273514daf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcbqjby (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnskdfmf9eldfd (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\msskinner (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\sysiasvc32.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\msskinner\msbackup.dat (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmncjbqhoi_nav.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmncjbqhoi_navps.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\__5.tmp (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\speedrunner\SRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\speedrunner\SpeedRunner.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnkKAQG.dll (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSVolume.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Webtools\webtools.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSS3ec0.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\__1.tmp (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winloggn.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\523004026.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\csrssc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\__3.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\__4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSS3ecf.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkbi.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSShrxm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoiqt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSvkql.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\ywqwt.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnkhiiF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lamujafi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wtwsdijf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fyxygtcr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnoNffF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vyueghyw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcBQJbY.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cufobpat.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tapbofuc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wyhgeuyv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Re: Antivirus 2009 has completely taken over my computer.

Hello.
I bet the machine is feeling smoother already. Hooray!
One last lookaround.


  • Download combofix from here, use the top links - combofix.exe
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Antivirus 2009 has completely taken over my computer.

It won't let me download it.

Says cannot rename ComboFix as ComboFix[1]
Please use another name, preferbaly made up of alphanumeric characters

I did not try to rename, I just clicked on the download button

Re: Antivirus 2009 has completely taken over my computer.

Okay, let's use this.


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)


Re: Antivirus 2009 has completely taken over my computer.

This site tells me the posted message is too big

Re: Antivirus 2009 has completely taken over my computer.

Okay, upload it to here:
http://www.sendspace.com


Re: Antivirus 2009 has completely taken over my computer.

OK, I think I got it uploaded

Re: Antivirus 2009 has completely taken over my computer.

Paste the download link for it please.


Re: Antivirus 2009 has completely taken over my computer.

http://www.sendspace.com/file/cphask

http://www.sendspace.com/file/5zoxe1

Re: Antivirus 2009 has completely taken over my computer.

Thanks.
First, execute this reg fix.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "authentication packages"="msv1_0"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "ForceClassicControlPanel"=-
    "NoFolderOptions"=-


  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


Second, what AV are you running? Because I don't see one.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial use.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

We will carry this on once you have an AV installed and done the reg fix.

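
The fix.reg in the post above mixes one value assignment with two value deletions (the "name"=- form). As an added example that is not part of the original thread, this Python script parses a .reg file and lists every change it would make, so the file can be reviewed before it is merged; the names Change, parse_reg and describe are illustrative, and the input is the fix.reg text as posted.

```python
"""List every change a .reg file would make, so it can be reviewed before merging."""
import re
from collections import namedtuple

# fix.reg exactly as posted in the thread above.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"="msv1_0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"ForceClassicControlPanel"=-
"NoFolderOptions"=-
'''

# Illustrative names (Change, parse_reg, describe); none of them come from the thread.
Change = namedtuple("Change", "action key name kind data")

HEADERS = {"Windows Registry Editor Version 5.00", "REGEDIT4"}
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                      # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')  # "name"=data or @=data
HEX_RE = re.compile(r'^hex(?:\(([0-9a-f]+)\))?:(.*)$', re.I)
HEX_TYPES = {"": "REG_BINARY", "2": "REG_EXPAND_SZ",
             "7": "REG_MULTI_SZ", "b": "REG_QWORD"}


def _unquote(text):
    """Strip the surrounding quotes and undo \\\\ and \\" escapes."""
    return re.sub(r'\\(.)', r'\1', text[1:-1])


def _classify(data):
    """Return (action, registry type, payload) for the right-hand side of a value line."""
    if data == "-":
        return ("delete_value", None, None)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ("set_value", "REG_SZ", _unquote(data))
    if data.lower().startswith("dword:"):
        return ("set_value", "REG_DWORD", int(data[6:], 16))
    m = HEX_RE.match(data)
    if m:
        code = (m.group(1) or "").lower()
        kind = HEX_TYPES.get(code, "type 0x" + code)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return ("set_value", kind, raw)
    raise ValueError("unrecognised value data: %r" % data)


def parse_reg(text):
    """Parse .reg text into a list of Change tuples, in file order."""
    logical, buf = [], ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        # hex data may continue on the next line after a trailing backslash
        if line.endswith("\\") and not line.startswith("["):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    body = [l for l in logical if l and not l.startswith(";")]
    if not body or body[0] not in HEADERS:
        raise ValueError("missing .reg header line")

    changes, key = [], None
    for line in body[1:]:
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):                  # [-KEY] removes the key and its subkeys
                changes.append(Change("delete_key", key, None, None, None))
                key = None
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unparseable line: %r" % line)
        name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
        action, kind, data = _classify(m.group(2))
        changes.append(Change(action, key, name, kind, data))
    return changes


def describe(change):
    """One review line per change."""
    if change.action == "delete_key":
        return "DELETE KEY   %s" % change.key
    if change.action == "delete_value":
        return "DELETE VALUE %s -> %s" % (change.key, change.name)
    return "SET VALUE    %s -> %s = %r (%s)" % (
        change.key, change.name, change.data, change.kind)


if __name__ == "__main__":
    for change in parse_reg(FIX_REG):
        print(describe(change))
```
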

Re: Antivirus 2009 has completely taken over my computer.

Sorry I do not understand the
First execute this reg fix

I do not have any AV right now, was going to ask your advice about a good one

Re: Antivirus 2009 has completely taken over my computer.

Okay.
All that is in the quote box, copy and paste it into a notepad file.
Save the notepad as fix.reg
If you have done it right, it will look like this:
[screenshot]

Then double click it, and you get a registry merge prompt, yes or no.
Press yes and another prompt appears saying it was merged with the registry.

Please install one of the AV's I posted [don't install AVG, AVG doesn't like this next tool we need to use]


Re: Antivirus 2009 has completely taken over my computer.

oh I got it, sorry I am pretty rumdum right now LOL :hmm:

Re: Antivirus 2009 has completely taken over my computer.

OK done that

Re: Antivirus 2009 has completely taken over my computer.

Okay.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :processes
    explorer.exe

    :files
    C:\WINDOWS\system32\jjycdffd.ini
    C:\WINDOWS\system32\pxdylkbo.dll
    C:\WINDOWS\msdownld.tmp
    C:\WINDOWS\system32\kvgkyjyv.ini
    C:\WINDOWS\system32\yhkjhsid.dll
    C:\WINDOWS\system32\otovhkfp.ini
    C:\WINDOWS\system32\jovhieih.dll
    C:\WINDOWS\system32\avtdcvvy.dll
    C:\WINDOWS\system32\iyqdvbie.dll
    C:\WINDOWS\system32\wwctjbih.ini
    C:\WINDOWS\system32\fxrakxqo.ini
    C:\WINDOWS\system32\bb791cf7-.txt
    C:\WINDOWS\system32\TtCbKkkj.ini2
    C:\WINDOWS\system32\TtCbKkkj.ini
    C:\WINDOWS\system32\vuzejofu.dll

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: Antivirus 2009 has completely taken over my computer.

DllUnregisterServer procedure not found in C:\WINDOWS\system32\pxdylkbo.dll
C:\WINDOWS\system32\pxdylkbo.dll NOT unregistered.
C:\WINDOWS\system32\pxdylkbo.dll moved successfully.
C:\WINDOWS\msdownld.tmp moved successfully.
C:\WINDOWS\system32\kvgkyjyv.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\yhkjhsid.dll
C:\WINDOWS\system32\yhkjhsid.dll NOT unregistered.
C:\WINDOWS\system32\yhkjhsid.dll moved successfully.
C:\WINDOWS\system32\otovhkfp.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jovhieih.dll
C:\WINDOWS\system32\jovhieih.dll NOT unregistered.
C:\WINDOWS\system32\jovhieih.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\avtdcvvy.dll
C:\WINDOWS\system32\avtdcvvy.dll NOT unregistered.
C:\WINDOWS\system32\avtdcvvy.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iyqdvbie.dll
C:\WINDOWS\system32\iyqdvbie.dll NOT unregistered.
C:\WINDOWS\system32\iyqdvbie.dll moved successfully.
C:\WINDOWS\system32\wwctjbih.ini moved successfully.
C:\WINDOWS\system32\fxrakxqo.ini moved successfully.
C:\WINDOWS\system32\bb791cf7-.txt moved successfully.
C:\WINDOWS\system32\TtCbKkkj.ini2 moved successfully.
C:\WINDOWS\system32\TtCbKkkj.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vuzejofu.dll
C:\WINDOWS\system32\vuzejofu.dll NOT unregistered.
C:\WINDOWS\system32\vuzejofu.dll moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_660.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF7BFA.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12282008_185843

Re: Antivirus 2009 has completely taken over my computer.

Hello.
What problems remain?


Re: Antivirus 2009 has completely taken over my computer.

The only one I can see right now is when I open IE, all of the pictures are little white boxes with red and blue shapes just like before

Re: Antivirus 2009 has completely taken over my computer.

Let's see if it's just a cache problem.

Download ATF Cleaner

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Re: Antivirus 2009 has completely taken over my computer.

Done that and it is still like that

Re: Antivirus 2009 has completely taken over my computer.

Hmmm.
Press Start > Run
type in: cmd
Press enter.

Type in:
ipconfig /release <== note the space between the g and /
Press enter. (your net connection will break, only for a brief second)
Type in:
ipconfig /renew <== note the space between the g and /
Press enter.
Type in:
ipconfig /flushdns <== note the space between the g and /


Re: Antivirus 2009 has completely taken over my computer.

I am Installing Avira right now, can I do both at one time?

Re: Antivirus 2009 has completely taken over my computer.

No.
Install Avira first, then do the cmd commands.


Re: Antivirus 2009 has completely taken over my computer.

OK, did the cmd commands and the pictures are still white boxes with red and blue shapes

Re: Antivirus 2009 has completely taken over my computer.

Hmmm.
Press ctrl + F5 while browsing, see if that works.


Re: Antivirus 2009 has completely taken over my computer.

NO it didn't help

Re: Antivirus 2009 has completely taken over my computer.

I am running the Avira scan now and it has found 5 detections and 1 warning already, maybe this will fix the problem. If not I will let you know.

I do want to thank you for all of your help
Thank You!
Will love ya forever!!!!!!

The scan is 65% right now

Re: Antivirus 2009 has completely taken over my computer.

OK scan finished
Avira AntiVir Personal
Report file date: 28 December 2008 19:52

Scanning for 1128441 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: DEFAULT

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 18/11/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 18/11/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 18:30:36
ANTIVIR1.VDF : 7.1.1.33 1705984 Bytes 24/12/2008 01:40:00
ANTIVIR2.VDF : 7.1.1.34 2048 Bytes 24/12/2008 01:40:01
ANTIVIR3.VDF : 7.1.1.42 151552 Bytes 28/12/2008 01:40:08
Engineversion : 8.2.0.45
AEVDF.DLL : 8.1.0.6 102772 Bytes 14/10/2008 17:05:56
AESCRIPT.DLL : 8.1.1.19 336252 Bytes 29/12/2008 01:40:56
AESCN.DLL : 8.1.1.5 123251 Bytes 07/11/2008 22:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 04/11/2008 20:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 16:41:39
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 29/12/2008 01:40:51
AEHEUR.DLL : 8.1.0.75 1524087 Bytes 29/12/2008 01:40:46
AEHELP.DLL : 8.1.2.0 119159 Bytes 29/12/2008 01:40:21
AEGEN.DLL : 8.1.1.8 323956 Bytes 29/12/2008 01:40:18
AEEMU.DLL : 8.1.0.9 393588 Bytes 14/10/2008 17:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 29/12/2008 01:40:12
AEBB.DLL : 8.1.0.3 53618 Bytes 14/10/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 31/07/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/01/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 28 December 2008 19:52

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'Playlist.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'RegistryRepairPro.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'OpWareSE4.exe' - '1' Module(s) have been scanned
Scan process 'BJMYPRT.EXE' - '1' Module(s) have been scanned
Scan process 'eBayTBDaemon.exe' - '1' Module(s) have been scanned
Scan process 'DevDetect.exe' - '1' Module(s) have been scanned
Scan process 'Hpi_monitor.exe' - '1' Module(s) have been scanned
Scan process 'point32.exe' - '1' Module(s) have been scanned
Scan process 'RxMon.exe' - '1' Module(s) have been scanned
Scan process 'DrgToDsc.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'oodag.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\My Documents\SmitfraudFix.exe
[0] Archive type: RAR SFX (self extracting)
--> SmitfraudFix\Agent.OMZ.Fix.exe
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '49c12e43.qua'!
C:\Documents and Settings\Administrator\My Documents\LimeWire\Incomplete\T-5745425-like jonny and june.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '498d2e11.qua'!
C:\Documents and Settings\Administrator\My Documents\LimeWire\Incomplete\T-5745425-Steve Earle - Copperhead road.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '498d2e18.qua'!
C:\Documents and Settings\Administrator\My Documents\LimeWire\Saved\Creedence Clearwater Revival - Up around the Bend.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '49bd2e9d.qua'!
C:\Documents and Settings\Administrator\My Documents\LimeWire\Saved\muddy water trace atkins.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '49bc2ec8.qua'!
C:\_OTMoveIt\MovedFiles\12282008_185843\WINDOWS\system32\avtdcvvy.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49cc35ef.qua'!
C:\_OTMoveIt\MovedFiles\12282008_185843\WINDOWS\system32\iyqdvbie.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49c935f6.qua'!
C:\_OTMoveIt\MovedFiles\12282008_185843\WINDOWS\system32\jovhieih.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49ce35f0.qua'!
C:\_OTMoveIt\MovedFiles\12282008_185843\WINDOWS\system32\pxdylkbo.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49bc35ff.qua'!
C:\_OTMoveIt\MovedFiles\12282008_185843\WINDOWS\system32\yhkjhsid.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49c335f3.qua'!


End of the scan: 28 December 2008 20:27
Used time: 35:22 Minute(s)

The scan has been done completely.

5707 Scanning directories
305667 Files were scanned
10 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
10 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
305656 Files not concerned
7866 Archives were scanned
1 Warnings
10 Notes

Re: Antivirus 2009 has completely taken over my computer.

Okay.
Your problem seems to be limewire.
The music files you downloaded were infected, so to prevent it happening again, please uninstall Limewire.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Limewire


Delete this folder:
C:\_OTMoveIt

What problems remain?


Re: Antivirus 2009 has completely taken over my computer.

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!

Have we helped you? Help us! | Doctor by day, ninja by night.
