My, my, there was some stuff hiding in there. DSS does go online for file verification; perhaps that was the problem. Regardless, let's carry on.
You have at least one remote access critter on your computer, so good choice in staying off the net. Please use a CD if possible to transfer programs to the infected computer. After running the following two fixes, you should be able to go on the net to post the logs/results.
* Download SDFix and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory - typically 'C:\SDFix'). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.
It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot. Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
* Open HJT, run a system scan only, and check mark these lines if present:
O20 - Winlogon Notify: yayvssr - yayvssr.dll (file missing)
Close all other browsers/windows, click fix, close HJT.
Please follow all previous instructions regarding security programs.
* Open a new Notepad session (do not use a word processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename:
"CFscript.txt"
Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
File::
C:\WINDOWS\system32\dnaetsjx.exe
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\whmaxusn.exe
C:\WINDOWS\system32\cehoeu.exe
C:\WINDOWS\system32\dxysktqf.exe
C:\WINDOWS\system32\fcpftfn.exe
C:\1.vbs
C:\WINDOWS\system32\amaw.exe
C:\WINDOWS\system32\oayac.exe
C:\WINDOWS\system32\cxupaguk.exe
C:\WINDOWS\system32\exurhklj.exe
C:\WINDOWS\system32\fwbfxsei.dll
C:\WINDOWS\system32\exurhklj.exe
C:\WINDOWS\system32\eksr.exe
C:\WINDOWS\system32\kltwcqo.exe
C:\WINDOWS\system32\hszvrs.exe
C:\WINDOWS\system32\jwdy.exe
C:\WINDOWS\system32\gbfv.exe
DirLook::
C:\e9907a5f6dfc19d5f1d6
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\jwdy.exe"=-
This will start ComboFix again.
Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.
* Please submit these files for analysis.
To submit a file to VirusTotal, please click on this link:
www.virustotal.com
Copy and paste the following into the upload a file box (one at a time if more than one file is listed):
C:\WINDOWS\system32\mpgvl.exe
C:\WINDOWS\.compaq.bak
C:\WINDOWS\nsreg.dat
Scroll down a bit and click "send file", wait for the results and post them in your next reply.
* Please try to turn on the Windows firewall before going on the internet. If you are unable to do so, please follow these instructions.
Download the Registry Search Tool from here:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)
In the dialog that opens enter the following (copy and paste is fine):
EnableFirewall
Press 'OK'
The search will run for a while then alert you when it is finished.
Press 'OK' and copy the contents of the WordPad window and post in this thread.
Try to turn the firewall on.
In your next reply, I will need the SDFix results, the Combofix.txt, the VirusTotal results, the firewall fix results (if used), and a new HJT log (run after everything else).
Thanks
ps: at least the 02 lines are visible now.
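
The firewall check described in the post above, as an added example that is not part of the original post or of any tool it names: a Python sketch that reads registry export text and reports profiles where EnableFirewall is 0, plus firewall exceptions whose path appears in the cleanup list. The sample export, the `audit_firewall` name and the `FLAGGED` set are assumptions made for the illustration.

```python
import re

# Constructed sample in .reg export format (not output from the machine in this thread).
# regedit "Version 5.00" exports are UTF-16; decode the file before passing it in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\jwdy.exe"="C:\\WINDOWS\\system32\\jwdy.exe:*:Enabled:jwdy"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

# Two paths copied from the File:: list in the post, lower-cased; extend as needed.
FLAGGED = {r"c:\windows\system32\jwdy.exe", r"c:\windows\system32\gbfv.exe"}

KEY_RE = re.compile(r'^\[(.+)\]$')                  # [HKEY_...\SubKey]
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data, with \\ and \" escapes


def audit_firewall(reg_text, flagged=FLAGGED):
    """Return (finding, detail) tuples for disabled profiles and flagged exceptions."""
    findings = []
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue
        # Undo .reg escaping so the value name is a plain Windows path.
        name = m.group(1).replace('\\\\', '\\').replace('\\"', '"')
        data = m.group(2)
        if name.lower() == "enablefirewall" and data.lower().startswith("dword:"):
            if int(data[6:], 16) == 0:
                findings.append(("firewall_disabled", key))
        elif key.lower().endswith(r"\authorizedapplications\list") and name.lower() in flagged:
            findings.append(("flagged_exception", name))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_firewall(SAMPLE_REG):
        print(kind, detail)
```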