P2P: As long as you're doing file sharing, you're going to get malware. Please see P2P Warning in Step 3.
C:\Program Files\uTorrent\utorrent.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
FYI: when the Mbam results come back showing "No action taken", it means that the following wasn't done:
* Make sure that everything is checked, and click Remove Selected.
Malwarebytes needs to be UPDATED and run again with this checked. The infection isn't 'coming back'- it wasn't removed!
Superantispyware has a similar line:
* Make sure everything found has a checkmark next to it, then press 'Next'
Same thing: if it wasn't checked, malware wasn't removed.
So the Vundo infection remains. Understand: it's not a matter of "still infected"- it's a matter of not removing the malware due to not following directions in the cleaning programs.
Please open HijackThis, and select Do a system scan only.
Place a checkmark next to the following entries (if present):
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://order.kagi.com/?6FAEY
(FYI: From time to time Kagi may use external service providers who need to know all your financial payment information to help verify the information provided or to help Kagi make business decisions.)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60341
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\system.exe,>> a Backdoor W32.Spybot.OBB
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {8DF6AD7A-3096-49A3-96FF-9ED869DA8AC1} - c:\windows\system32\jvrbjiu.dll
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: nauzbsuj - C:\WINDOWS\SYSTEM32\jvrbjiu.dll
Then, close all other open windows, leaving only HijackThis open, and select Fix checked.
Please download ComboFix HERE
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.
• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)
Do not click on the ComboFix window, as it may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Rescan with HijackThis AFTER running Malwarebytes again and Combofix. Attach all logs and reports.
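Added example, not part of the original post: a small Python triage script that reads HijackThis-style log lines and flags two patterns visible in the log above, namely an extra program chained onto UserInit (F2) and a DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20). The function names are hypothetical, the sample lines are copied from the post with the helper's annotation removed, and a flagged entry is a candidate for review rather than a verdict.

```python
import re

# Lines copied from the log quoted in the post above (helper's annotation removed).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\system.exe,
O2 - BHO: (no name) - {8DF6AD7A-3096-49A3-96FF-9ED869DA8AC1} - c:\windows\system32\jvrbjiu.dll
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O20 - Winlogon Notify: nauzbsuj - C:\WINDOWS\SYSTEM32\jvrbjiu.dll
"""

# Section code (R0, F2, O20, ...) followed by " - " and the entry body.
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Return (section, body) pairs for every HijackThis-style entry line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def userinit_extras(entries):
    """Programs chained onto UserInit besides userinit.exe itself."""
    extras = []
    for section, body in entries:
        if section == "F2" and "userinit=" in body.lower():
            value = body[body.lower().index("userinit=") + len("userinit="):]
            for item in value.split(","):
                item = item.strip()
                if item and not item.lower().endswith("\\userinit.exe"):
                    extras.append(item)
    return extras

def dlls_in_bho_and_notify(entries):
    """DLLs registered both as a BHO (O2) and as a Winlogon Notify package (O20)."""
    def dll_paths(section):
        return {body.rsplit(" - ", 1)[-1].strip().lower()
                for s, body in entries
                if s == section and body.lower().endswith(".dll")}
    return sorted(dll_paths("O2") & dll_paths("O20"))

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("UserInit extras:", userinit_extras(entries))
    print("DLL in both O2 and O20:", dlls_in_bho_and_notify(entries))
```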