
Can't get rid of Spyware

Page 2 of 3
#21  Blind Dragon (TechSpot Evangelist), posted 11-18-2008
We have a process for dealing with this, I would just like to make it simpler that is why I am trying a few things first.

*Hold down your windows key + R
*Type cmd
*hit enter

at the prompt type

ipconfig /flushdns
HIT ENTER
ipconfig /registerdns
HIT ENTER
netsh int ip reset resetlog.txt
HIT ENTER
netsh winsock reset
HIT ENTER
#22  Blind Dragon (TechSpot Evangelist), posted 11-18-2008
Quote:
Originally Posted by jojoness View Post
Hey I have an idea, let me know if this would work or not:

Do you think it would work to get these programs if I downloaded them onto a flash drive from my boyfriend's computer? That way, I can rename and run them here.
Yes I do think that would work, and I was going to ask you if you were on the infected computer or had access to another computer
#23  Newcomer, in training, posted 11-18-2008
It worked! I have combofix and sdfix logs attached, and a fresh hjt!

Spybot is still showing these keys trying to change, and I keep denying. And one is brastk. I guess it's still not gone, exactly, but at least we're getting somewhere, right? :]
Attached Files
File Type: txt combolog.txt (22.5 KB, 4 views)
File Type: txt sdfixlog.txt (7.0 KB, 3 views)
File Type: txt hijackthis4.txt (8.1 KB, 3 views)
#24  Blind Dragon (TechSpot Evangelist), posted 11-18-2008
Yes, give me a few to go through the logs and get the script put together.
#25  Blind Dragon (TechSpot Evangelist), posted 11-18-2008
Ok, one more, then we will go for the script. I am just trying to get as much removed as possible to save myself from more work.

http://users.telenet.be/marcvn/tools/haxfix.exe

A red "dos window" (dos box) will open with these options:

Select * 1. Make logfile


After running option 1, you will get a new menu with all options:

Select * 2. Run auto fix
------------------------------------------

Afterwards, please run me a fresh combofix log
#26  Newcomer, in training, posted 11-18-2008
OK, ran it through smoothly :]

Attached is the new combo log!
Attached Files
File Type: txt combolog2.txt (20.1 KB, 2 views)
#27  Blind Dragon (TechSpot Evangelist), posted 11-19-2008
Now we are getting there. Do you have the haxfix log?

Run CFScript

Open Notepad and copy/paste the text in the code box below into it.
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
Quote:
File::
c:\windows\System32\rs32net.exe
c:\windows\SYSTEM32\savec32.dll
c:\windows\SYSTEM32\fdlame32.dll
c:\windows\SYSTEM32\senekahent.dll
c:\windows\SYSTEM32\cmdl.exe
c:\windows\SYSTEM32\DRIVERS\senekaapsi.sys
c:\windows\SYSTEM32\cnf.dat
c:\windows\SYSTEM32\cmdl.lock
C:\mldcsitg.exe
c:\windows\SYSTEM32\DRIVERS\beep.sys
C:\yvmkdwn.exe
C:\jwwgtuh.exe
C:\dhup.exe
c:\windows\SYSTEM32\DRIVERS\c3528e10.sys
C:\ggfxrw.exe
C:\xoud.exe
C:\cxcnowy.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rs32net"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoolbr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtunlkdw]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zaimmnid]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3ej xx.sys]
Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
#28  Newcomer, in training, posted 11-19-2008
Sorry, you didn't ask for that log :] Here it is; I'll do the next step now!
Attached Files
File Type: txt haxlog.txt (2.1 KB, 1 views)
#29  Blind Dragon (TechSpot Evangelist), posted 11-19-2008
Good work, we are almost there.
#30  Newcomer, in training, posted 11-19-2008
okie doke, here are the new logs!
Attached Files
File Type: txt hijackthis5.txt (7.3 KB, 1 views)
File Type: txt combolog3.txt (20.1 KB, 1 views)
#31  Blind Dragon (TechSpot Evangelist), posted 11-19-2008
Getting better. I need more info from you:

1) Did you pay for AVG AS? It looks like it might be the old stand-alone one, which no longer updates, if this was from before they did away with it and made it a bundled product.

2) Did you pay for Norton? And would you be willing to remove it to install a free product that will increase your protection?

==========================================

Run CFScript

Open Notepad and copy/paste the text in the code box below into it.
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
Quote:
File::
c:\windows\System32\rs32net.exe
c:\windows\SYSTEM32\DLLCACHE\beep.sys
c:\recycler\S-1-5-21-7661557338-4881073579-043968640-8610\winigon.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"12CFG94-z641-2SF-N31P-5M1ER6H6L1"=-
"rs32net"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoolbr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnlKDW]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zaimmnid]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3ej xx.sys]
Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
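The two CFScripts in this thread (posts #27 and #31) follow one small format: a File:: section listing files to delete, then a Registry:: section in .reg-style syntax where "name"=- removes a value under the preceding [KEY] and [-KEY] removes a whole key. The script below is an added example, not ComboFix's own code or the poster's; it assembles such a script from lists and checks the rules the post stresses (File:: on line 1, no blank line above it, no leading space). The sample paths and keys are the ones from post #31; the function names are this example's own.

```python
"""Build and check a ComboFix CFScript.txt of the kind posted above.

Added example, not ComboFix's or the poster's own code. It assumes only
what the post shows: a "File::" section listing files to delete and a
"Registry::" section in .reg-style syntax, where "name"=- removes a
value under the preceding [KEY] and [-KEY] removes a whole key. The
sample paths and keys are copied from the CFScript in post #31; the
function names are this example's own.
"""
from typing import Dict, Iterable, List

# Sample input: the file and registry entries from post #31 (constructed lists).
SAMPLE_FILES = [
    r"c:\windows\System32\rs32net.exe",
    r"c:\windows\SYSTEM32\DLLCACHE\beep.sys",
    r"c:\recycler\S-1-5-21-7661557338-4881073579-043968640-8610\winigon.exe",
]
SAMPLE_VALUE_DELETES = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": [
        "12CFG94-z641-2SF-N31P-5M1ER6H6L1",
        "rs32net",
    ],
}
SAMPLE_KEY_DELETES = [
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoolbr",
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnlKDW",
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zaimmnid",
]


def build_cfscript(files: Iterable[str],
                   value_deletes: Dict[str, List[str]],
                   key_deletes: Iterable[str]) -> str:
    """Assemble the script text with File:: as the very first line."""
    lines = ["File::", *files, "", "Registry::"]
    for key, names in value_deletes.items():
        lines.append(f"[{key}]")                      # key whose values are removed below
        lines.extend(f'"{name}"=-' for name in names)  # "name"=- deletes one value
    lines.extend(f"[-{key}]" for key in key_deletes)   # [-KEY] deletes the whole key
    return "\n".join(lines) + "\n"


def validate_cfscript(text: str) -> List[str]:
    """Return the problems found; an empty list means the script passes.

    The checks are the ones the post stresses (File:: on line 1, no blank
    line above it, no leading space) plus a sanity check of the
    Registry:: syntax.
    """
    problems: List[str] = []
    lines = text.splitlines()
    if not lines:
        return ["script is empty"]
    first = lines[0]
    if first == "":
        problems.append("blank line above 'File::'")
    elif first != "File::" and first.strip() == "File::":
        problems.append("'File::' has whitespace around it on line 1")
    elif first != "File::":
        problems.append("first line is not 'File::'")
    in_registry = False
    for n, line in enumerate(lines, 1):
        if line == "Registry::":
            in_registry = True
        elif in_registry and line:
            is_key = line.startswith("[") and line.endswith("]")
            is_value_delete = line.startswith('"') and line.endswith('"=-')
            if not (is_key or is_value_delete):
                problems.append(f"line {n}: not a [KEY], [-KEY] or \"name\"=- entry")
    return problems


if __name__ == "__main__":
    script = build_cfscript(SAMPLE_FILES, SAMPLE_VALUE_DELETES, SAMPLE_KEY_DELETES)
    print(script)
    print("problems:", validate_cfscript(script) or "none")
```

Save the returned text as CFScript.txt and it matches the quote box in the post line for line; running validate_cfscript on a hand-edited copy catches the two mistakes the post warns about before ComboFix ever sees the file.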
#32  Newcomer, in training, posted 11-19-2008
Sorry to take long, had a long day! Here are the new logs you requested.
Attached Files
File Type: txt combolog4.txt (17.8 KB, 1 views)
File Type: txt hijackthis6.txt (7.5 KB, 1 views)
#33  Blind Dragon (TechSpot Evangelist), posted 11-19-2008
Almost there buddy,

Disable Teatimer
  • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
  • Open Spybot S&D
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot



Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {c5af42a3-94f3-42bd-f434-3604832c897d} - (no file)
    O16 - DPF: {cafeefac-0014-0002-0000-abcdeffedcba} (Java Plug-in 1.4.2) -
    O16 - DPF: {cafeefac-0015-0000-0011-abcdeffedcba} -
    O20 - Winlogon Notify: opnoolbr - C:\WINDOWS\
    O20 - Winlogon Notify: vtUnlKDW - C:\WINDOWS\
    O20 - Winlogon Notify: zaimmnid - C:\WINDOWS\
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.


Now you can turn tea timer back on

See if you can make it through the 8 steps - http://www.techspot.com/vb/topic58138.html
#34  Newcomer, in training, posted 11-20-2008
OK, did the 8 steps. Was able to download links! During scans though, Avira kept showing the keys trying to get in, but I denied them. Will that be enough to have that program keep them away? Here are the logs from the 8 steps.
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 11-20-2008 - 09-44-40.log (603 Bytes, 1 views)
File Type: txt mbam-log-11-19-2008 (22-09-42).txt (867 Bytes, 1 views)
File Type: txt hijackthis7.txt (8.4 KB, 1 views)
#35  Blind Dragon (TechSpot Evangelist), posted 11-20-2008
This thing is still downloading the same malware. Or the tools aren't removing it.

Update Avira and run a full scan with it, let it remove anything it finds

Keep your recycle bin empty

========================================================

KillBox
  • Download KillBox and unzip/extract it to your desktop from HERE

Boot into safe mode and have hijackthis fix these entries, with nothing else open. You may want to copy this into notepad and save it to your desktop so that you have it while in safe mode

==========================================================

You are now in Safe mode and should have from HERE DOWN saved into a notepad.

Make sure teatimer is disabled:
Disable Teatimer
  • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
  • Open Spybot S&D
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

==========================================================

Launch Hijackthis now from safe mode, and check the following:

O2 - BHO: (no name) - {c5af42a3-94f3-42bd-f434-3604832c897d} - (no file)
O4 - HKCU\..\Run: [12CFG94-z641-2SF-N31P-5M1ER6H6L1] C:\RECYCLER\S-1-5-21-7661557338-4881073579-043968640-8610\winigon.exe
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKCU\..\Run: [jsg8jfgfdfhfhf] C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\winlogun.exe
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\winlogin.exe
O16 - DPF: {cafeefac-0014-0002-0000-abcdeffedcba} -
O16 - DPF: {cafeefac-0015-0000-0011-abcdeffedcba} -
O20 - Winlogon Notify: vtUnlKDW - C:\WINDOWS\
O20 - Winlogon Notify: zaimmnid - C:\WINDOWS\

Close any windows, and click Fix Checked.
Close hijackthis.

---------------------------------------------------------------------------------

Still in safe mode:
  • Launch Killbox and place a check in 'Delete on Reboot'.
  • Click on All Files instead of single file.
    In the 'Full path of file to delete' box,copy and paste each of these:
    Code:
    C:\RECYCLER\S-1-5-21-7661557338-4881073579-043968640-8610\winigon.exe
    C:\WINDOWS\System32\rs32net.exe
    c:\documents and settings\JoJo's  'puter\Local Settings\Temp\winlogun.exe
    c:\documents and settings\JoJo's  'puter\Local Settings\Temp\winlogin.exe
    C:\WINDOWS\System32\vtUnlKDW.exe
    C:\WINDOWS\System32\zaimmnid.exe
    C:\WINDOWS\System32\vtUnlKDW.dll
    C:\WINDOWS\System32\zaimmnid.dll
  • Then press the red button with the white cross. Click no when it asks to reboot until you have pasted them all.
  • A confirmation box pops up asking if you want to reboot now. Select Yes

    If it doesn't reboot automatically,reboot manually.

==========================================================

Now let it restart into normal mode, run a fresh scan with hijackthis

Also let me know if Avira found anything.

Attach the hijackthis log scanned after the reboot to normal mode, and we can go from there

Last edited by Blind Dragon; 11-21-2008 at 10:30 AM..
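The HijackThis entries flagged in posts #33 and #35 share a few indicators that can be checked mechanically: an O2 BHO whose file is missing, an O4 autorun launched from the Recycler or a Temp folder, an O16 DPF object with no download URL, and an O20 Winlogon Notify entry with no module name after the path. The parser below is an added example, not HijackThis's code or the poster's; it reads HJT-style lines and reports only those indicators. The sample log is constructed from entries quoted in the thread plus two benign lines (ctfmon.exe and crypt32chain) added for contrast, and the directory heuristic is this example's own. It will not catch rs32net.exe, which sits in System32 and was flagged by the helper from the ComboFix logs, so it is a first pass, not a replacement for reading the logs.

```python
"""Triage HijackThis log lines for the indicators used in this thread.

Added example, not HijackThis's or the poster's own code. It parses the
O2, O4, O16 and O20 line formats as they appear in the quoted entries
and flags only the indicators visible in the thread. The directory
heuristic (autoruns from Recycler or Temp) is this example's own.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: entries quoted in posts #33 and #35 plus two benign
# lines (ctfmon.exe, crypt32chain) added for contrast.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {c5af42a3-94f3-42bd-f434-3604832c897d} - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [12CFG94-z641-2SF-N31P-5M1ER6H6L1] C:\RECYCLER\S-1-5-21-7661557338-4881073579-043968640-8610\winigon.exe
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKCU\..\Run: [jsg8jfgfdfhfhf] C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\winlogun.exe
O16 - DPF: {cafeefac-0014-0002-0000-abcdeffedcba} -
O20 - Winlogon Notify: vtUnlKDW - C:\WINDOWS\
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O4"
    name: str      # entry name, CLSID or autorun value name
    reason: str    # why the entry was flagged


RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9a-fA-F-]+\}) - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
RE_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9a-fA-F-]+\})(?: \((?P<name>[^)]*)\))? - ?(?P<url>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Autorun locations legitimate software does not normally launch from
# (heuristic, this example's own; matched case-insensitively).
UNSAFE_AUTORUN_DIRS = ("\\recycler\\", "\\temp\\")


def triage_hjt(log_text: str) -> List[Finding]:
    """Return one Finding per line that matches an indicator from the thread."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_O2.match(line):
            # BHO still registered but its DLL is gone: leftover or removed malware.
            if m["path"] == "(no file)":
                findings.append(Finding("O2", m["clsid"], "BHO registered but its file is missing"))
        elif m := RE_O4.match(line):
            low = m["path"].lower()
            if any(d in low for d in UNSAFE_AUTORUN_DIRS):
                findings.append(Finding("O4", m["name"],
                                        f"autorun from Recycler/Temp location: {m['path']}"))
        elif m := RE_O16.match(line):
            # A DPF (Downloaded Program Files) object with no source URL.
            if not m["url"]:
                findings.append(Finding("O16", m["clsid"], "DPF object with no download URL"))
        elif m := RE_O20.match(line):
            # Winlogon Notify path that ends in a directory: no DLL name, just "C:\WINDOWS\".
            if m["path"].endswith("\\"):
                findings.append(Finding("O20", m["name"], "Winlogon Notify entry with no module name"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {f.name:40} {f.reason}")
```

On the sample log this flags five of the eight lines and leaves the two benign entries and rs32net.exe alone; the remaining calls in the thread (pairing an O4 entry with the file it points at, checking the winlogon\notify keys in the registry) are what the later CFScript and KillBox steps handle.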
#36  Newcomer, in training, posted 11-21-2008
Blind,

I'm currently doing the next step (I'm on my boyfriend's laptop), and I don't understand how to get all the paths into the Killbox program. I copy one, paste it in the line, but then how do I get the next one to go in? I can't figure out how to get them all in (and yes, I have "All Files" selected).
#37  Blind Dragon (TechSpot Evangelist), posted 11-21-2008
After you paste one, click the red button with the white cross; then if it asks to reboot, select 'no'.

After you paste the last one and click the button, click 'yes' when it asks to reboot.
#38  Newcomer, in training, posted 11-21-2008
Alright, here are the new hjt and avira logs~!
Attached Files
File Type: txt hijackthis8.txt (7.8 KB, 1 views)
File Type: log AVSCAN-20081120-135308-390E79A3.LOG (68.4 KB, 1 views)
#39  Blind Dragon (TechSpot Evangelist), posted 11-21-2008
Nicely done! Looks like we got it, just be careful what you allow to connect with Comodo, if you don't recognize something - google the file name before allowing it - or come ask me what it is.
=======================================================

Update your Java Runtime Environment

Many types of malware like to exploit out of date Java versions! GO HERE

Click on Verify Java

If you need to update your version:
  • Select Free Java Download
  • When it finds the newer version - Follow the
    on screen instructions (uncheck the yahoo toolbar option)
  • After it installs the newest version Go back to Start -> Control Panel -> Add/remove programs
    (programs and features in vista)
  • Uninstall any older versions of Java except the most current update that you just installed

====================================================

One more scan, if it comes up clean we can clean up and secure the system

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
#40  Newcomer, in training, posted 11-22-2008
Again, sorry for the long wait; really busy here before the holidays :]
Attached Files
File Type: txt kaspersky.txt (1.4 KB, 2 views)