Author Topic: Infected laptop  (Read 58782 times)

SuperDave

    Topic Starter
  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Infected laptop
« Reply #30 on: March 27, 2008, 01:10:52 PM »
ComboFix 08-03-26.3 - Dave's computer 2008-03-27 16:01:33.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.1150 [GMT -3:00]
Running from: C:\Users\Dave's computer\Desktop\CF.exe
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2008-02-27 to 2008-03-27  )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 18:51   ---------   d---a-w   C:\ProgramData\TEMP
2008-03-27 18:39   ---------   d-----w   C:\ProgramData\Symantec
2008-03-27 15:41   47,104   ----a-w   C:\Windows\System32\rpcnet.dll
2008-03-27 15:41   17,408   ----a-w   C:\Windows\System32\rpcnetp.exe
2008-03-27 15:38   ---------   d-----w   C:\Program Files\Ahead
2008-03-27 15:12   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-03-27 01:32   17,408   ----a-w   C:\Windows\System32\rpcnetp.dll
2008-03-27 00:44   ---------   d-----w   C:\Program Files\vanBasco's Karaoke Player
2008-03-26 23:03   ---------   d-----w   C:\Program Files\Java
2008-03-26 21:25   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-03-26 19:29   ---------   d-----w   C:\Users\Dave's computer\AppData\Roaming\Malwarebytes
2008-03-26 19:29   ---------   d-----w   C:\ProgramData\Malwarebytes
2008-03-26 19:29   ---------   d-----w   C:\Program Files\Malwarebytes' Anti-Malware
2008-03-26 18:47   ---------   d-----w   C:\ProgramData\Spybot - Search & Destroy
2008-03-26 13:54   102,664   ----a-w   C:\Windows\system32\drivers\tmcomm.sys
2008-03-26 11:45   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2008-03-26 01:55   ---------   d-----w   C:\ProgramData\SUPERAntiSpyware.com
2008-03-26 01:54   ---------   d-----w   C:\Users\Dave's computer\AppData\Roaming\SUPERAntiSpyware.com
2008-03-26 01:53   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 21:44   ---------   d-----w   C:\ProgramData\STOPzilla!
2008-03-25 20:30   ---------   d-----w   C:\ProgramData\SITEguard
2008-03-25 19:29   ---------   d-----w   C:\ProgramData\mjwvapap
2008-03-25 19:24   ---------   d-----w   C:\Program Files\Common Files\iS3
2008-03-25 16:52   98,304   ----a-w   C:\Windows\System32\lqjsxmde.exe
2008-03-25 16:07   98,304   ----a-w   C:\Windows\System32\hotwdkfg.exe
2008-03-25 12:40   ---------   d-----w   C:\Program Files\CCleaner
2008-03-25 12:16   106,496   ----a-w   C:\Windows\System32\jshalgvu.exe
2008-03-25 01:28   ---------   d-----w   C:\ProgramData\Lavasoft
2008-03-25 01:28   ---------   d-----w   C:\Program Files\Lavasoft
2008-03-24 23:05   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-03-24 15:33   ---------   d-----w   C:\Program Files\Microsoft ActiveSync
2008-03-23 18:10   ---------   d-----w   C:\ProgramData\Microsoft Help
2008-03-22 18:44   ---------   d-----w   C:\Users\Dave's computer\AppData\Roaming\PeerNetworking
2008-03-22 18:16   ---------   d-----w   C:\Program Files\Finale 2006
2008-03-21 18:06   174   --sha-w   C:\Program Files\desktop.ini
2008-03-21 17:59   ---------   d-----w   C:\Program Files\Windows Sidebar
2008-03-21 17:59   ---------   d-----w   C:\Program Files\Windows Mail
2008-03-21 17:59   ---------   d-----w   C:\Program Files\Windows Calendar
2008-03-21 17:26   67,584   ----a-w   C:\Windows\System32\wlanhlp.dll
2008-03-21 17:26   542,720   ----a-w   C:\Windows\System32\sysmain.dll
2008-03-21 17:26   502,784   ----a-w   C:\Windows\System32\wlansvc.dll
2008-03-21 17:26   47,104   ----a-w   C:\Windows\System32\wlanapi.dll
2008-03-21 17:26   299,008   ----a-w   C:\Windows\System32\wlansec.dll
2008-03-21 17:26   289,280   ----a-w   C:\Windows\System32\wlanmsm.dll
2008-03-21 17:26   2,923,520   ----a-w   C:\Windows\explorer.exe
2008-03-21 17:25   194,560   ----a-w   C:\Windows\System32\WebClnt.dll
2008-03-21 17:25   110,080   ----a-w   C:\Windows\system32\drivers\mrxdav.sys
2008-03-21 17:23   613,888   ----a-w   C:\Windows\System32\wpd_ci.dll
2008-03-21 17:23   224,824   ----a-w   C:\Windows\System32\clfs.sys
2008-03-21 17:23   19,456   ----a-w   C:\Windows\System32\cfgmgr32.dll
2008-03-21 17:20   41,984   ----a-w   C:\Windows\system32\drivers\monitor.sys
2008-03-21 17:20   1,060,920   ----a-w   C:\Windows\system32\drivers\ntfs.sys
2008-03-21 17:14   ---------   d-----w   C:\Program Files\Microsoft SQL Server
2008-03-21 17:10   45,112   ----a-w   C:\Windows\system32\drivers\pciidex.sys
2008-03-21 17:10   3,504,696   ----a-w   C:\Windows\System32\ntkrnlpa.exe
2008-03-21 17:10   3,470,392   ----a-w   C:\Windows\System32\ntoskrnl.exe
2008-03-21 17:10   211,000   ----a-w   C:\Windows\system32\drivers\volsnap.sys
2008-03-21 17:10   21,560   ----a-w   C:\Windows\system32\drivers\atapi.sys
2008-03-21 17:10   154,624   ----a-w   C:\Windows\system32\drivers\nwifi.sys
2008-03-21 17:10   15,928   ----a-w   C:\Windows\system32\drivers\pciide.sys
2008-03-21 17:10   109,624   ----a-w   C:\Windows\system32\drivers\ataport.sys
Windows 8 and Windows 10 dual boot with two SSD's

SuperDave

Re: Infected laptop
« Reply #31 on: March 27, 2008, 01:12:14 PM »
2008-03-21 17:10   1,191,936   ----a-w   C:\Windows\System32\msxml3.dll
2008-03-21 17:09   8,704   ----a-w   C:\Windows\System32\hcrstco.dll
2008-03-21 17:09   8,704   ----a-w   C:\Windows\System32\hccoin.dll
2008-03-21 17:09   73,216   ----a-w   C:\Windows\system32\drivers\usbccgp.sys
2008-03-21 17:09   5,888   ----a-w   C:\Windows\system32\drivers\usbd.sys
2008-03-21 17:09   38,400   ----a-w   C:\Windows\system32\drivers\usbehci.sys
2008-03-21 17:09   224,768   ----a-w   C:\Windows\system32\drivers\usbport.sys
2008-03-21 17:09   193,536   ----a-w   C:\Windows\system32\drivers\usbhub.sys
2008-03-21 17:09   19,456   ----a-w   C:\Windows\system32\drivers\usbohci.sys
2008-03-21 17:08   803,328   ----a-w   C:\Windows\system32\drivers\tcpip.sys
2008-03-21 17:08   24,064   ----a-w   C:\Windows\System32\netcfg.exe
2008-03-21 17:08   22,016   ----a-w   C:\Windows\System32\netiougc.exe
2008-03-21 17:08   216,632   ----a-w   C:\Windows\system32\drivers\netio.sys
2008-03-21 17:08   167,424   ----a-w   C:\Windows\System32\tcpipcfg.dll
2008-03-21 17:08   1,327,104   ----a-w   C:\Windows\System32\quartz.dll
2008-03-21 17:07   9,728   ----a-w   C:\Windows\System32\LAPRXY.DLL
2008-03-21 17:07   57,856   ----a-w   C:\Windows\System32\SLUINotify.dll
2008-03-21 17:07   566,784   ----a-w   C:\Windows\System32\SLCommDlg.dll
2008-03-21 17:07   39,936   ----a-w   C:\Windows\System32\slcinst.dll
2008-03-21 17:07   351,232   ----a-w   C:\Windows\System32\SLUI.exe
2008-03-21 17:07   33,280   ----a-w   C:\Windows\System32\slwmi.dll
2008-03-21 17:07   268,288   ----a-w   C:\Windows\System32\mcbuilder.exe
2008-03-21 17:07   223,232   ----a-w   C:\Windows\System32\WMASF.DLL
2008-03-21 17:07   223,232   ----a-w   C:\Windows\System32\SLC.dll
2008-03-21 17:07   2,605,568   ----a-w   C:\Windows\System32\SLsvc.exe
2008-03-21 17:07   186,368   ----a-w   C:\Windows\System32\SLLUA.exe
2008-03-21 17:06   1,335,296   ----a-w   C:\Windows\System32\msxml6.dll
2008-03-21 17:04   84,480   ----a-w   C:\Windows\System32\INETRES.dll
2008-03-21 17:04   737,792   ----a-w   C:\Windows\System32\inetcomm.dll
2008-03-21 17:04   537,600   ----a-w   C:\Windows\AppPatch\AcLayers.dll
2008-03-21 17:04   449,536   ----a-w   C:\Windows\AppPatch\AcSpecfc.dll
2008-03-21 17:04   4,247,552   ----a-w   C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-21 17:04   2,144,256   ----a-w   C:\Windows\AppPatch\AcGenral.dll
2008-03-21 17:04   173,056   ----a-w   C:\Windows\AppPatch\AcXtrnal.dll
2008-03-21 17:04   1,686,528   ----a-w   C:\Windows\System32\gameux.dll
2008-03-21 17:03   11,776   ----a-w   C:\Windows\System32\sbunattend.exe
2008-03-21 17:02   84,992   ----a-w   C:\Windows\system32\drivers\srvnet.sys
2008-03-21 17:02   788,992   ----a-w   C:\Windows\System32\rpcrt4.dll
2008-03-21 17:02   58,368   ----a-w   C:\Windows\system32\drivers\mrxsmb20.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-21 14:03 1232896]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 07:43 430080]
"gaiembcv"="C:\Windows\system32\jshalgvu.exe" [2008-03-25 09:16 106496]
"ngrmrzkm"="C:\Windows\system32\hotwdkfg.exe" [2008-03-25 13:07 98304]
"eucpwsvr"="C:\Windows\system32\lqjsxmde.exe" [2008-03-25 13:52 98304]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-23 15:44 1006264]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 16:35 90112]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 08:26 4702208 C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 07:06 40048]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 04:31 102400]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-01-09 03:23 191552]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 10:39 411192]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 21:01 448080]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 16:32 538744]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 10:50 413696]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-24 19:08 107112]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-10-26 21:18 22696]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroCheck"="C:\Windows\system32\\NeroCheck.exe" [2001-07-09 07:50 155648]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

SuperDave

Re: Infected laptop
« Reply #32 on: March 27, 2008, 01:13:01 PM »
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{8926E51C-6B00-4E7A-8451-641DEAFEA33A}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B8711CB7-554C-47ED-BAB2-C92BCDBB4478}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 00:23]
R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-08-01 14:37]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080325.002\IDSvix86.sys [2008-03-12 08:30]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 17:50]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-08-01 14:39]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-26 01:55]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-06-18 22:03]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-07-27 12:36]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 18:11]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2006-10-24 10:40]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 15:50]
R3 UVCFTR;UVCFTR;C:\Windows\system32\Drivers\UVCFTR_S.SYS [2007-04-16 10:19]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
S3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 20:32]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 00:28:47 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Dave's computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 16:03:50
Windows 6.0.6000  NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i????????7?B??0?<?X?<???<???<???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-27 16:04:24
ComboFix-quarantined-files.txt  2008-03-27 19:04:21
      The system cannot find message text for message number 0x2379 in the message file for Application.
      The system cannot find message text for message number 0x2379 in the message file for Application.
.
2008-03-27 06:02:21   --- E O F --- 

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Infected laptop
« Reply #33 on: March 27, 2008, 01:38:16 PM »
Download and install CleanUp!.exe

Don't run it yet

----------

Download HostsXpert
  • Unzip HostsXpert to your desktop
  • Open up the HostsXpert program.
  • Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
  • Click Create Back Up
  • Then click on Restore Microsoft's Host Files
  • Close the HostsXpert program

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself as well as run Spybot's Immunize and enable all protection in SpywareBlaster.

----------

Now download The Avenger by Swandog46 and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Code box below, and paste it into the Input script here window:
Code: [Select]
Folders to delete:
C:\Users\All Users\mjwvapap

Files to delete:
C:\Windows\system32\lqjsxmde.exe
C:\Windows\system32\hotwdkfg.exe
C:\Windows\system32\jshalgvu.exe
C:\Windows\userconfig9x.dll
C:\Windows\system32\winlogonpc.exe
C:\Windows\system32\taack.exe
C:\Windows\system32\taack.dat
C:\Windows\system32\sncntr.exe
C:\Windows\system32\mwin32.exe
C:\Windows\system32\hoproxy.dll
C:\Windows\FVProtect.exe
C:\Windows\a.bat
C:\Windows\winsystem.exe
C:\Windows\system32\WINWGPX.EXE
C:\Windows\system32\winsystem.exe
C:\Windows\system32\vcatchpi.dll
C:\Windows\system32\vbsys2.dll
C:\Windows\system32\thun32.dll
C:\Windows\system32\thun.dll
C:\Windows\system32\temp#01.exe
C:\Windows\system32\sysreq.exe
C:\Windows\system32\ssvchost.exe
C:\Windows\system32\ssvchost.com
C:\Windows\system32\ssurf022.dll
C:\Windows\system32\Rundl1.exe
C:\Windows\system32\regm64.dll
C:\Windows\system32\regc64.dll
C:\Windows\system32\psoft1.exe
C:\Windows\system32\psof1.exe
C:\Windows\system32\ps1.exe
C:\Windows\system32\newsd32.exe
C:\Windows\system32\netode.exe
C:\Windows\system32\mtr2.exe
C:\Windows\system32\msvchost.exe
C:\Windows\system32\mssecu.exe
C:\Windows\system32\msnbho.dll
C:\Windows\system32\msgp.exe
C:\Windows\system32\medup020.dll
C:\Windows\system32\medup012.dll
C:\Windows\system32\hxiwlgpm.exe
C:\Windows\system32\hxiwlgpm.dat
C:\Windows\system32\h@tkeysh@@k.dll
C:\Windows\system32\emesx.dll
C:\Windows\system32\dpcproxy.exe
C:\Windows\system32\bsva-egihsg52.exe
C:\Windows\system32\bdn.com
C:\Windows\system32\awtoolb.dll
C:\Windows\system32\anticipator.dll
C:\Windows\system32\akttzn.exe
C:\Windows\mssecu.exe
C:\Windows\iTunesMusic.exe
C:\Windows\bdn.com
C:\Users\Dave's computer\Desktop\virii
C:\Users\Dave's computer\Desktop\FWebdEditor.exe
C:\Users\Dave's computer\Desktop\fwebd.exe
C:\Users\Dave's computer\Desktop\filemanagerclient.exe

Registry keys to delete:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gaiembcv

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngrmrzkm

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eucpwsvr


Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system


  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
  • Please add the Avenger log in your next post.
----------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
  • Click Options...
  • Move the arrow to Standard CleanUp!
  • Uncheck the following: (if checked)
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
  • Click OK
Click the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

----------

Next post please add
Avenger log
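
An added example, not part of the thread and not a statement of how the helper chose the entries: a triage script that scores the Run entries from the ComboFix log above and checks that the Avenger script names every file and Run value it flags. The four signals and the threshold of three are assumptions made for this illustration; the sample lines are copied from the posts above.

```python
import re
from datetime import datetime
from ntpath import basename, dirname, normpath, splitext

# Scan time taken from the ComboFix header. The sample lines below are copied
# from the ComboFix log and the Avenger script posted in this thread.
REPORT_TIME = datetime(2008, 3, 27, 16, 1)
RUN_LINES = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-21 14:03 1232896]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 07:43 430080]
"gaiembcv"="C:\Windows\system32\jshalgvu.exe" [2008-03-25 09:16 106496]
"ngrmrzkm"="C:\Windows\system32\hotwdkfg.exe" [2008-03-25 13:07 98304]
"eucpwsvr"="C:\Windows\system32\lqjsxmde.exe" [2008-03-25 13:52 98304]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" []
"NeroCheck"="C:\Windows\system32\\NeroCheck.exe" [2001-07-09 07:50 155648]
'''
FIND3M_LINES = r'''
2008-03-25 19:29   ---------   d-----w   C:\ProgramData\mjwvapap
2008-03-25 16:52   98,304   ----a-w   C:\Windows\System32\lqjsxmde.exe
2008-03-25 16:07   98,304   ----a-w   C:\Windows\System32\hotwdkfg.exe
2008-03-25 12:16   106,496   ----a-w   C:\Windows\System32\jshalgvu.exe
2008-03-21 17:26   2,923,520   ----a-w   C:\Windows\explorer.exe
'''
SCRIPT_LINES = r'''
Files to delete:
C:\Windows\system32\lqjsxmde.exe
C:\Windows\system32\hotwdkfg.exe
C:\Windows\system32\jshalgvu.exe
Registry keys to delete:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gaiembcv
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngrmrzkm
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eucpwsvr
'''

# "name"="path" [YYYY-MM-DD HH:MM size ...]; the bracket may be empty.
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" '
    r'\[(?:(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<size>\d+))?.*\]$')
# date time size attributes path; directory rows carry dashes instead of a size.
FIND3M_RE = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?P<size>[\d,]+)\s+\S+\s+(?P<path>[A-Za-z]:\\.+)$')
SYSTEM32 = r'c:\windows\system32'


def parse_find3m(text):
    """Return {(lowercased path, size)} for the file rows of a Find3M report."""
    seen = set()
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if m:
            size = int(m.group('size').replace(',', ''))
            seen.add((normpath(m.group('path')).lower(), size))
    return seen


def triage(run_text, find3m_text, report_time, window_days=7, threshold=3):
    """Return (key, value name, path, signals) for Run entries scoring >= threshold."""
    recent_files = parse_find3m(find3m_text)
    flagged, key = [], None
    for line in run_text.splitlines():
        line = line.strip()
        if line.startswith('[HKEY_'):            # section header names the Run key
            key = line.strip('[]')
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        path = normpath(m.group('path'))         # also collapses doubled backslashes
        stem = splitext(basename(path))[0].lower()
        name = m.group('name').lower()
        signals = []
        if dirname(path).lower() == SYSTEM32:
            signals.append('executable sits directly in system32')
        if m.group('ts'):
            age = report_time - datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M')
            if 0 <= age.days <= window_days:
                signals.append('file dated within %d days of the scan' % window_days)
            # Timestamps differ between the two sections, so match on path and size.
            if (path.lower(), int(m.group('size'))) in recent_files:
                signals.append('same path and size listed by Find3M')
        if stem not in name and name not in stem:
            signals.append('value name unrelated to file name')
        if len(signals) >= threshold:
            flagged.append((key, m.group('name'), path, signals))
    return flagged


def missing_from_script(flagged, script_text):
    """List flagged files and Run values that the removal script does not name."""
    listed = {line.strip().lower() for line in script_text.splitlines()}
    wanted = []
    for key, name, path, _ in flagged:
        wanted += [path, key + '\\' + name]
    return [w for w in wanted if w.lower() not in listed]


if __name__ == '__main__':
    hits = triage(RUN_LINES, FIND3M_LINES, REPORT_TIME)
    for key, name, path, signals in hits:
        print('%s\\%s -> %s\n    %s' % (key, name, path, '; '.join(signals)))
    print('not covered by script:', missing_from_script(hits, SCRIPT_LINES))
```
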


SuperDave

Re: Infected laptop
« Reply #34 on: March 27, 2008, 05:06:45 PM »
I received some errors when running avenger but I was able to complete it. Here is the log file:


[recovering space - attachment deleted by admin]

evilfantasy

Re: Infected laptop
« Reply #35 on: March 27, 2008, 05:26:00 PM »
We need to try and manually delete a folder.

 To enable the viewing of Hidden files follow these steps:

   1. Close all programs so that you are at your desktop.
   2. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
   3. Click on the Control Panel menu option.
   4. When the control panel opens you can either be in Classic View or Control Panel Home view:

      If you are in the Classic View do the following:
         1. Double-click on the Folder Options icon.
         2. Click on the View tab.
         3. Go to step 5.

      If you are in the Control Panel Home view do the following:
         1. Click on the Appearance and Personalization link.
         2. Click on Show Hidden Files or Folders.
         3. Go to step 5.

   5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
   6. Remove the checkmark from the checkbox labeled Hide extensions for known file types.
   7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
   8. Press the Apply button and then the OK button and shutdown My Computer.
   9. Now Windows Vista is configured to show all hidden files.

----------

Now open My Computer from the desktop and locate this folder (in blue) and delete it.

C:\Users\Dave's computer\Desktop\virii

----------

Scan a Suspicious File

Please visit one of the following:
(Multiple sites are given in case one is not working)
(If more than one file needs scanned they must be done separately and logs posted for each one)
Copy the file path in the code box below.
Code: [Select]
C:\Users\All Users\mjwvapap
  • At the upload site, click once inside the window next to Browse.
  • Press Ctrl+V on the keyboard (both at the same time) to paste the file path in the window.
  • Next click Send File/Submit/Upload (depending on the site)
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  • This will perform a scan across multiple different virus scanning engines.
  • Please wait for all of the scanning engines to complete.
  • Copy and then Paste the results in the next reply.
----------

Next post let me know how the deletion went and the results of the file scan.

Also let me know how things are now.

SuperDave

Re: Infected laptop
« Reply #36 on: March 27, 2008, 08:03:40 PM »
The deletion of that folder went without a hitch but this is what I got when I sent the file:
0 bytes size received / Se ha recibido un archivo vacio
Besides that there is no more evidence of those annoying pop-ups.
Should I uninstall all those other programs from my computer?

SuperDave

Re: Infected laptop
« Reply #37 on: March 27, 2008, 08:16:23 PM »
I tried another scan site and this is what I received: The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

evilfantasy

Re: Infected laptop
« Reply #38 on: March 27, 2008, 08:20:11 PM »
It may be the UAC blocking it.

Since it is a 0 byte file that means it is empty. I'm pretty sure it is a leftover from Vundo so it needs to be deleted as well. Go to C:\Users\All Users\mjwvapap and delete the mjwvapap file/folder. Be sure to empty the recycle bin after deletion.

We will clean up the mess now.

  • Click START then RUN
  • Now type CF /u in the runbox
  • Make sure there's a space between CF and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

Next go HERE to see how to clear your infected restore points and set a new clean one.

Use the Secunia Software Inspector

  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.

I have some safety instructions written up that would be a good idea to look at in order to help keep this from happening again.

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Let me know if you have any questions. I still think it would be good to try the Panda scan again. If it won't work let me know and we can use another one instead.


SuperDave

Re: Infected laptop
« Reply #39 on: March 28, 2008, 07:17:25 AM »
I deleted that file with no problem but when I enter that command in Run it says it can't find CF.

evilfantasy

Re: Infected laptop
« Reply #40 on: March 28, 2008, 09:50:30 AM »
Delete it from the desktop, then go to C:\ and look for anything with CF or Combofix in the name and delete them also. There may be one, two total.

SuperDave

Re: Infected laptop
« Reply #41 on: March 28, 2008, 10:53:28 AM »
I deleted CF but I couldn't find ComboFix. There is a folder named Qoobox which has one of quarantined file from ComboFix. I also didn't have any luck with PANDA on-line scan. I'm still getting an empty screen.

evilfantasy

Re: Infected laptop
« Reply #42 on: March 28, 2008, 11:27:36 AM »
Delete Qoobox also. That is the backups from CF and will be flagged as malware by some antivirus so best to get rid of it.

Try this online scanner instead of Panda.

Use the Kaspersky Online Scanner
  • Click Accept.
  • Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer

When the scan is done, in the Scan is complete window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As...

  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area, use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Please copy and paste the Kaspersky Online Scanner Report in your next post.


SuperDave

Re: Infected laptop
« Reply #43 on: March 28, 2008, 01:33:51 PM »
        KASPERSKY ONLINE SCANNER REPORT
         Friday, March 28, 2008 4:31:40 PM
         Operating System: Microsoft Windows Vista Home Edition,  (Build 6000)
         Kaspersky Online Scanner version: 5.0.98.0
         Kaspersky Anti-Virus database last update: 28/03/2008
         Kaspersky Anti-Virus database records: 668934
        -------------------------------------------------------------------------------

        Scan Settings:
           Scan using the following antivirus database: extended
           Scan Archives: true
           Scan Mail Bases: true

        Scan Target - My Computer:
           C:\
           D:\
           E:\

        Scan Statistics:
           Total number of scanned objects: 73372
           Number of viruses found: 0
           Number of infected objects: 0
           Number of suspicious objects: 0
           Duration of the scan process: 00:49:10

        Infected Object Name / Virus Name / Last Action
        C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll   Object is locked   skipped
        C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT   Object is locked   skipped
        C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG   Object is locked   skipped
        C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log   Object is locked   skipped
        C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log   Object is locked   skipped
        C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log   Object is locked   skipped
        C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ed80a482b1f410658b28b47ea513b454_62bac37c-8bf7-4a7c-bac5-d89f18910d3e   Object is locked   skipped
        C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fcd3bcc382783d5142e645b139aa2d65_62bac37c-8bf7-4a7c-bac5-d89f18910d3e   Object is locked   skipped
        C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat   Object is locked   skipped
        C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.14.Crwl   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.14.gthr   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.ci   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wsb   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.wid   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy18.gthr   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2EC9.tmp   Object is locked   skipped
        C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECA.tmp   Object is locked   skipped
        C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050241.log   Object is locked   skipped
        C:\ProgramData\PC Tools\ThreatFire\Orig.db   Object is locked   skipped
        C:\ProgramData\Symantec\Common Client\settings.dat   Object is locked   skipped
        C:\ProgramData\Symantec\LiveUpdate\2008-03-28_Log.ALUSchedulerSvc.LiveUpdate   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBConfig.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBDebug.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBDetect.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBNotify.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBRefr.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBSetCfg.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBSetCfg2.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBSetDev.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBSetLoc.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBSetUsr.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBStHash.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\BBValid.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\SPPolicy.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\SPStart.log   Object is locked   skipped
        C:\ProgramData\Symantec\SPBBC\SPStop.log   Object is locked   skipped
        C:\ProgramData\Symantec\SRTSP\SrtErEvt.log   Object is locked   skipped
        C:\ProgramData\Symantec\SRTSP\SrtETmp\1C3D2B79.TMP   Object is locked   skipped
        C:\ProgramData\Symantec\SRTSP\SrtMoEvt.log   Object is locked   skipped
        C:\ProgramData\Symantec\SRTSP\SrtNvEvt.log   Object is locked   skipped
        C:\ProgramData\Symantec\SRTSP\SrtScEvt.log   Object is locked   skipped
        C:\ProgramData\Symantec\SRTSP\SrtTxFEvt.log   Object is locked   skipped
        C:\ProgramData\Symantec\SRTSP\SrtViEvt.log   Object is locked   skipped
        C:\ProgramData\Symantec\SubEng\submissions.idx   Object is locked   skipped
        C:\ProgramData\Symantec\SymNetDrv\SNDALRT.log   Object is locked   skipped
        C:\ProgramData\Symantec\SymNetDrv\SNDCON.log   Object is locked   skipped
        C:\ProgramData\Symantec\SymNetDrv\SNDDBG.log   Object is locked   skipped
        C:\ProgramData\Symantec\SymNetDrv\SNDFW.log   Object is locked   skipped
        C:\ProgramData\Symantec\SymNetDrv\SNDIDS.log   Object is locked   skipped
        C:\ProgramData\Symantec\SymNetDrv\SNDSYS.log   Object is locked   skipped
        Windows 8 and Windows 10 dual boot with two SSD's

        SuperDave

        Re: Infected laptop
        « Reply #44 on: March 28, 2008, 01:34:36 PM »
        C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat{4459c1d8-f6f1-11dc-9f05-00a0d198404c}.TM.blf   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat{4459c1d8-f6f1-11dc-9f05-00a0d198404c}.TMContainer00000000000000000001.regtrans-ms   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat{4459c1d8-f6f1-11dc-9f05-00a0d198404c}.TMContainer00000000000000000002.regtrans-ms   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows Defender\FileTracker\{3F52D1D9-A77A-47C5-A4A7-1F847695A4E6}   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Microsoft\Windows Sidebar\Settings.ini   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Temp\~DF8781.tmp   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Local\Temp\~DF879A.tmp   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Roaming\Microsoft\Windows\Cookies\index.dat   Object is locked   skipped
        C:\Users\Dave's computer\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-27-2008( 22-41-1 ).LOG   Object is locked   skipped
        C:\Users\Dave's computer\NTUSER.DAT   Object is locked   skipped
        C:\Users\Dave's computer\ntuser.dat.LOG1   Object is locked   skipped
        C:\Users\Dave's computer\ntuser.dat.LOG2   Object is locked   skipped
        C:\Users\Dave's computer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf   Object is locked   skipped
        C:\Users\Dave's computer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms   Object is locked   skipped
        C:\Users\Dave's computer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms   Object is locked   skipped
        C:\Windows\Debug\PASSWD.LOG   Object is locked   skipped
        C:\Windows\Debug\sam.log   Object is locked   skipped
        C:\Windows\Debug\WIA\wiatrace.log   Object is locked   skipped
        C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat   Object is locked   skipped
        C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat   Object is locked   skipped
        C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log   Object is locked   skipped
        C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT   Object is locked   skipped
        C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1   Object is locked   skipped
        C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2   Object is locked   skipped
        C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf   Object is locked   skipped
        C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms   Object is locked   skipped
        C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms   Object is locked   skipped
        C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT   Object is locked   skipped
        C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1   Object is locked   skipped
        C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2   Object is locked   skipped
        C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf   Object is locked   skipped
        C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms   Object is locked   skipped
        C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms   Object is locked   skipped
        C:\Windows\SoftwareDistribution\EventCache\{65751959-0B51-42D4-ABE8-32F0019D64D3}.bin   Object is locked   skipped
        C:\Windows\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
        C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0   Object is locked   skipped
        C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0   Object is locked   skipped
        C:\Windows\System32\catroot2\edb.log   Object is locked   skipped
        C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb   Object is locked   skipped
        C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb   Object is locked   skipped
        C:\Windows\System32\config\COMPONENTS   Object is locked   skipped
        C:\Windows\System32\config\COMPONENTS.LOG1   Object is locked   skipped
        C:\Windows\System32\config\COMPONENTS.LOG2   Object is locked   skipped
        C:\Windows\System32\config\DEFAULT   Object is locked   skipped
        C:\Windows\System32\config\DEFAULT.LOG1   Object is locked   skipped
        C:\Windows\System32\config\DEFAULT.LOG2   Object is locked   skipped
        C:\Windows\System32\config\RegBack\COMPONENTS   Object is locked   skipped
        C:\Windows\System32\config\RegBack\DEFAULT   Object is locked   skipped
        C:\Windows\System32\config\RegBack\SAM   Object is locked   skipped
        C:\Windows\System32\config\RegBack\SECURITY   Object is locked   skipped
        C:\Windows\System32\config\RegBack\SOFTWARE   Object is locked   skipped
        C:\Windows\System32\config\RegBack\SYSTEM   Object is locked   skipped
        C:\Windows\System32\config\SAM   Object is locked   skipped
        C:\Windows\System32\config\SAM.LOG1   Object is locked   skipped
        C:\Windows\System32\config\SAM.LOG2   Object is locked   skipped
        C:\Windows\System32\config\SECURITY   Object is locked   skipped
        C:\Windows\System32\config\SECURITY.LOG1   Object is locked   skipped