win poly 32

Post by lynjeff22 » August 30th, 2007, 10:48 am

This is my first time with a discussion board etc. Could someone please look at this and advise? I am copying a trend micro hijack this thingy.

Thanks, Jeff
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:12 AM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\help\msiexec.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\a.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {6E1F621E-0FB3-48A6-B08B-212764E017AA} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {968E7429-7A62-402C-8F39-2960AC55070B} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B31171A7-F534-42A1-A21E-37D7F1718367} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [vblyjwdoxztc] C:\WINDOWS\system32\vblyjwdoxztc.exe
O4 - HKLM\..\Run: [h] C:\WINDOWS\system32\h.exe
O4 - HKLM\..\Run: [nnpebthq] C:\WINDOWS\system32\nnpebthq.exe
O4 - HKLM\..\Run: [uecukynqg] C:\WINDOWS\system32\uecukynqg.exe
O4 - HKLM\..\Run: [scqfalqwe] C:\WINDOWS\system32\scqfalqwe.exe
O4 - HKLM\..\Run: [hvfnjq] C:\WINDOWS\system32\hvfnjq.exe
O4 - HKLM\..\Run: [a] C:\WINDOWS\system32\a.exe
O4 - HKLM\..\Run: [fwjtrpfrs] C:\WINDOWS\system32\fwjtrpfrs.exe
O4 - HKLM\..\Run: [qgqohtnzsy] C:\WINDOWS\system32\qgqohtnzsy.exe
O4 - HKLM\..\Run: [weypasf] C:\WINDOWS\system32\weypasf.exe
O4 - HKLM\..\Run: [zuyoaohofc] C:\WINDOWS\system32\zuyoaohofc.exe
O4 - HKLM\..\Run: [yazdgaft] C:\WINDOWS\system32\yazdgaft.exe
O4 - HKLM\..\Run: [gzc] C:\WINDOWS\system32\gzc.exe
O4 - HKLM\..\Run: [okhugzbsuxj] C:\WINDOWS\system32\okhugzbsuxj.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [pdngziyvj] C:\WINDOWS\system32\pdngziyvj.exe
O4 - HKLM\..\Run: [ixrtgug] C:\WINDOWS\system32\ixrtgug.exe
O4 - HKLM\..\Run: [luw] C:\WINDOWS\system32\luw.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [vblyjwdoxztc] C:\WINDOWS\system32\vblyjwdoxztc.exe
O4 - HKLM\..\RunServices: [h] C:\WINDOWS\system32\h.exe
O4 - HKLM\..\RunServices: [nnpebthq] C:\WINDOWS\system32\nnpebthq.exe
O4 - HKLM\..\RunServices: [uecukynqg] C:\WINDOWS\system32\uecukynqg.exe
O4 - HKLM\..\RunServices: [scqfalqwe] C:\WINDOWS\system32\scqfalqwe.exe
O4 - HKLM\..\RunServices: [hvfnjq] C:\WINDOWS\system32\hvfnjq.exe
O4 - HKLM\..\RunServices: [a] C:\WINDOWS\system32\a.exe
O4 - HKLM\..\RunServices: [fwjtrpfrs] C:\WINDOWS\system32\fwjtrpfrs.exe
O4 - HKLM\..\RunServices: [qgqohtnzsy] C:\WINDOWS\system32\qgqohtnzsy.exe
O4 - HKLM\..\RunServices: [weypasf] C:\WINDOWS\system32\weypasf.exe
O4 - HKLM\..\RunServices: [zuyoaohofc] C:\WINDOWS\system32\zuyoaohofc.exe
O4 - HKLM\..\RunServices: [yazdgaft] C:\WINDOWS\system32\yazdgaft.exe
O4 - HKLM\..\RunServices: [gzc] C:\WINDOWS\system32\gzc.exe
O4 - HKLM\..\RunServices: [okhugzbsuxj] C:\WINDOWS\system32\okhugzbsuxj.exe
O4 - HKLM\..\RunServices: [pdngziyvj] C:\WINDOWS\system32\pdngziyvj.exe
O4 - HKLM\..\RunServices: [ixrtgug] C:\WINDOWS\system32\ixrtgug.exe
O4 - HKLM\..\RunServices: [luw] C:\WINDOWS\system32\luw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-21-1801674531-412668190-2147266873-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Sawyer')
O4 - HKUS\S-1-5-21-1801674531-412668190-2147266873-1006\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Sawyer')
O4 - HKUS\S-1-5-21-1801674531-412668190-2147266873-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Sawyer')
O4 - HKUS\S-1-5-21-1801674531-412668190-2147266873-1006\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Sawyer')
O4 - HKUS\S-1-5-21-1801674531-412668190-2147266873-1006\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe" (User 'Sawyer')
O4 - HKUS\S-1-5-21-1801674531-412668190-2147266873-1006\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcsdr.exe" (User 'Sawyer')
O4 - HKUS\S-1-5-21-1801674531-412668190-2147266873-1006\..\Run: [DC6_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe" (User 'Sawyer')
O4 - HKUS\S-1-5-21-1801674531-412668190-2147266873-1006\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe" (User 'Sawyer')
O4 - HKUS\S-1-5-21-1801674531-412668190-2147266873-1006\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'Sawyer')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jeff\Start Menu\Programs\imvu\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 1232133247
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1232119231
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logical Bus Drive (LogBusDrv) - Unknown owner - C:\WINDOWS\system32\lsmvc.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WINDOWS MSI Installer Application (Win_MSI-Installer) - Unknown owner - C:\WINDOWS\help\msiexec.exe
O23 - Service: Print Spooler Service (wuea5djue) - Unknown owner - C:\WINDOWS\system32\luw.exe

--
End of file - 12155 bytes
lynjeff22
Active Member
 
Posts: 12
Joined: August 30th, 2007, 10:42 am
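As an added example (not code from this thread, nor from the HijackThis tool), the following Python script applies defender-side triage heuristics to O4/O20/O23 lines of the kind in the log above: random-named autoruns launched from system32, entries under the Win9x-era RunServices key, services with an unknown owner, an unrecognised Winlogon Notify DLL, and a genuine system binary name (msiexec.exe) running from the wrong directory. The allow-lists, severities and the sample lines are assumptions constructed for this example, not an authoritative reference.

```python
"""Triage HijackThis (HJT) log lines for backdoor-style persistence.

Added example; the allow-lists below are illustrative assumptions.
"""
import re
from collections import defaultdict

# Illustrative allow-lists (assumptions for this example, deliberately short).
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe"}
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Genuine Windows binaries that belong in system32; a copy elsewhere
# (e.g. C:\WINDOWS\help\msiexec.exe in the log) is a masquerade.
SYSTEM_BINARY_NAMES = {"msiexec.exe", "svchost.exe", "lsass.exe", "smss.exe",
                       "winlogon.exe", "csrss.exe", "spoolsv.exe"}

O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): '
                   r'\[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.exe)', re.IGNORECASE)
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
SYSTEM32_RE = re.compile(r'^[a-z]:\\windows\\system32\\[^\\]+$', re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_system32(path):
    return bool(SYSTEM32_RE.match(path.strip()))


def triage(lines):
    """Return (severity, reason, line) findings for the HJT lines given."""
    findings = []
    keys_by_binary = defaultdict(set)  # basename -> registry keys it is registered under
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            key, path = m.group("key").lower(), m.group("path")
            base = _basename(path)
            keys_by_binary[base].add(key)
            if key == "runservices":
                findings.append(("high", "RunServices is a Win9x key that XP itself does not use", line))
            if _in_system32(path) and base not in KNOWN_SYSTEM32_AUTORUNS:
                findings.append(("high", f"unrecognised autorun from system32: {base}", line))
            elif base in SYSTEM_BINARY_NAMES and not _in_system32(path):
                findings.append(("high", f"system binary name outside system32: {path}", line))
            continue
        m = O20_RE.match(line)
        if m:
            if m.group("name").lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(("high", f"unknown Winlogon Notify DLL: {m.group('name')}", line))
            continue
        m = O23_RE.match(line)
        if m:
            owner, path = m.group("owner"), m.group("path")
            base = _basename(path.split(" (file missing)")[0])
            if "(file missing)" in path:
                findings.append(("medium", f"orphaned service entry, binary gone: {base}", line))
            elif base in SYSTEM_BINARY_NAMES and not _in_system32(path):
                findings.append(("high", f"system binary name outside system32: {path}", line))
            elif owner == "Unknown owner" and _in_system32(path):
                findings.append(("high", f"unknown-owner service in system32: {base}", line))
            elif owner == "Unknown owner":
                findings.append(("medium", f"unknown-owner service: {base}", line))
    # The same binary under both Run and RunServices is a classic worm/backdoor pattern.
    for base, keys in keys_by_binary.items():
        if {"run", "runservices"} <= keys:
            findings.append(("high", f"{base} registered under both Run and RunServices", f"[{base}]"))
    return findings


# Constructed sample: a handful of lines in the shape of the log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [a] C:\WINDOWS\system32\a.exe
O4 - HKLM\..\Run: [luw] C:\WINDOWS\system32\luw.exe
O4 - HKLM\..\RunServices: [a] C:\WINDOWS\system32\a.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logical Bus Drive (LogBusDrv) - Unknown owner - C:\WINDOWS\system32\lsmvc.exe (file missing)
O23 - Service: WINDOWS MSI Installer Application (Win_MSI-Installer) - Unknown owner - C:\WINDOWS\help\msiexec.exe
O23 - Service: Print Spooler Service (wuea5djue) - Unknown owner - C:\WINDOWS\system32\luw.exe
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_HJT.splitlines()):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Feed it a saved HJT log with `triage(open(path).read().splitlines())`; the allow-lists are the part a practitioner would extend for their own environment.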

Post by Kairis » August 30th, 2007, 11:20 am

Hello lynjeff22 and welcome to forum
My name is drill and I will be helping you to remove any infection(s) that you may have.
I have to let experts check the content of my fixes before I post them, so be patient.
Kairis
Regular Member
 
Posts: 524
Joined: September 15th, 2006, 1:45 pm
Location: Southern Finland

Post by Kairis » August 30th, 2007, 12:37 pm

Hello lynjeff22, I have some bad news for you. Your computer is infected with a backdoor. Backdoors can allow others control of your computer, log your keystrokes, steal your personal information, and seriously reduce the computer's security.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and re-installation of the operating system. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will do my best, but I can't promise anything.

Regardless of your choice you are strongly advised to do the following:

* Disconnect the computer from the Internet and from any networked computers until it is cleaned.
* Back up all your important data except programs. Programs can be reinstalled from the original disc or can be re-downloaded from the Internet.
* Call all your banks, financial institutions or credit card companies and inform them that you may be a victim of identity theft and request they put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
* From a clean computer, change all your passwords (email, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online accounts which require a user name and password).
Let me know what you choose to do and I'll help where I can.

looking for info

Post by lynjeff22 » September 10th, 2007, 8:24 pm

What is the status of my request? Is there something I should do? Let me know.

Jeff

Post by Kairis » September 12th, 2007, 10:39 am

Hi. Sorry for the delay.

Download and run SDFix
Download SDFix and save it to your Desktop.
Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
Download ComboFix from Here or Here to your Desktop.
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it shall produce a log for you.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
== Check on status ==
After you have completed the above, please provide:
* the SDFix Report.txt
* Combofix report
* new HijackThis log
* description of any problems you are having with your PC

thanks for response

Post by lynjeff22 » September 20th, 2007, 6:32 pm

I am unable to open your link for SDFix. Please advise.

Jeff

Post by Kairis » September 21st, 2007, 2:18 am


Post by lynjeff22 » September 21st, 2007, 7:22 pm

When I click on the link, a box comes up which says I am about to download SDFix.exe, which is an application. Do you want to save the file? The only option I get is Cancel. I don't get an option that says Save or OK or anything like that.

Jeff

Post by Kairis » September 22nd, 2007, 2:36 am

Do you use Firefox? Sometimes you have to wait a few seconds before the "Save" option becomes active. So, wait a while, and it will become active ;)

sdfix

Post by lynjeff22 » September 22nd, 2007, 10:32 am

Here goes, I will copy and paste the text file from SDFix below.

SDFix: Version 1.106

Run by Jeff on Sat 09/22/2007 at 09:02 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Jeff\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
wuea5djue

ImagePath:
C:\WINDOWS\system32\okhugzbsuxj.exe /service

wuea5djue - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CKDX.EXE - Deleted
C:\WINDOWS\SYSTEM32\FMINZM~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\HDPJKUEO.EXE - Deleted
C:\WINDOWS\SYSTEM32\I.EXE - Deleted
C:\WINDOWS\SYSTEM32\NSCHJYM.EXE - Deleted
C:\WINDOWS\SYSTEM32\VOWA.EXE - Deleted
C:\WINDOWS\SYSTEM32\YZSSOS~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\EUHVFQ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\FLAEPT~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\FOTQZZ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\FQKC.EXE - Deleted
C:\WINDOWS\SYSTEM32\GGALIE~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\GXSKJI~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\IBYMF.EXE - Deleted
C:\WINDOWS\SYSTEM32\IYXDEW.EXE - Deleted
C:\WINDOWS\SYSTEM32\LMYMV.EXE - Deleted
C:\WINDOWS\SYSTEM32\LZYZWHHP.EXE - Deleted
C:\WINDOWS\SYSTEM32\MZN.EXE - Deleted
C:\WINDOWS\SYSTEM32\NVBHNR~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\PZRFNAS.EXE - Deleted
C:\WINDOWS\SYSTEM32\QER.EXE - Deleted
C:\WINDOWS\SYSTEM32\SBHIZVVQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\SNXGBA.EXE - Deleted
C:\WINDOWS\SYSTEM32\UKE.EXE - Deleted
C:\WINDOWS\SYSTEM32\UXZHZG.EXE - Deleted
C:\WINDOWS\SYSTEM32\WLDKGP~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\FBMPUC~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\QGQOHT~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\HVFNJQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\NOMXNO~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\UECUKY~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\XGSN.EXE - Deleted
C:\WINDOWS\SYSTEM32\FXESIJ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ONGKHO~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\BAALRD~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\J.EXE - Deleted
C:\WINDOWS\SYSTEM32\GXWFRH~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\KU.EXE - Deleted
C:\WINDOWS\SYSTEM32\MKTPPU~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\PEDNAP~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\PGVOJV~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\FWJTRP~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\NNPEBTHQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\LUW.EXE - Deleted
C:\WINDOWS\SYSTEM32\WDGD.EXE - Deleted
C:\WINDOWS\SYSTEM32\DDL.EXE - Deleted
C:\WINDOWS\SYSTEM32\FJZCXG~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\KARBFL~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\LQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\QMHMSF~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\SZFPT.EXE - Deleted
C:\WINDOWS\SYSTEM32\A.EXE - Deleted
C:\WINDOWS\SYSTEM32\OHIPVA~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\IQRBHC~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\SCQFAL~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\H.EXE - Deleted
C:\WINDOWS\SYSTEM32\QMCTA.EXE - Deleted
C:\WINDOWS\SYSTEM32\GZC.EXE - Deleted
C:\WINDOWS\SYSTEM32\OKHUGZ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\T.EXE - Deleted
C:\WINDOWS\SYSTEM32\WEYPASF.EXE - Deleted
C:\WINDOWS\SYSTEM32\XK.EXE - Deleted
C:\WINDOWS\SYSTEM32\CNPPHR.EXE - Deleted
C:\WINDOWS\SYSTEM32\FTDYQZ.EXE - Deleted
C:\WINDOWS\SYSTEM32\IVPBSM~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\NLX.EXE - Deleted
C:\WINDOWS\SYSTEM32\OSU.EXE - Deleted
C:\WINDOWS\SYSTEM32\PDNGZI~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\V.EXE - Deleted
C:\WINDOWS\SYSTEM32\VBLYJW~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\WJVNCK~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\IXRTGUG.EXE - Deleted
C:\WINDOWS\Temp\cjnr4r41FA4A75C.tmp - Deleted
C:\WINDOWS\Temp\cjnr4r41FA4A75D.tmp - Deleted
C:\DOCUME~1\Jeff\LOCALS~1\Temp\hdsC1.tmp - Deleted
C:\aolsoftware.exe - Deleted
C:\WINDOWS\system32\i.exe - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"F:\\BitTornado\\btdownloadgui.exe"="F:\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"F:\\CS\\SteamApps\\budmiah\\counter-strike\\hl.exe"="F:\\CS\\SteamApps\\budmiah\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"F:\\CS\\SteamApps\\budmiah\\condition zero\\hl.exe"="F:\\CS\\SteamApps\\budmiah\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\Program Files\\Common Files\\AOL\\1153957564\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1153957564\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\WinAntiVirus Pro 2007\\AVupd.exe"="C:\\Program Files\\WinAntiVirus Pro 2007\\AVupd.exe:*:Enabled:avupd.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\\Program Files\\TurboTax\\Business 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Business 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Business 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Business 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Disabled:AIM"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\system32\\nsmss.exe"="C:\\system32\\nsmss.exe:*:Enabled:Microsoft (R) Windows Network Service Monitor"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\1153957564\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1153957564\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\Jeff\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\quarantine\ekmxxuxd.dll.Vir
C:\Documents and Settings\Jeff\Application Data\U3\temp\Launchpad Removal.exe
C:\system32\nsmss.exe
C:\WINDOWS\Help\msiexec.exe
C:\WINDOWS\system32\wkssvc.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\Jeff\Application Data\Roxio\Dragon\DiscInfoCache\SAMSUNG__CD-ROM_SC-148C___B105_300_DICV018_DRGV2050102.TMP
C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT1.tmp
C:\WINDOWS\system32\ppqss.tmp

Finished!

Post by Kairis » September 22nd, 2007, 10:52 am

Download ComboFix from Here or Here to your Desktop.
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it shall produce a log for you.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

== Check on status ==
After you have completed the above, please provide:

* Combofix report
* new HijackThis log
* description of any problems you are having with your PC

unable to open combofix

Post by lynjeff22 » September 22nd, 2007, 10:56 am

Hello

I do use Firefox. I was able to do the SDFix, but am unable to do the combofix.exe for the reason stated above. I tried a couple of times and waited a few minutes each time. Please advise.

Jeff

Post by Kairis » September 22nd, 2007, 11:27 am


combofix

Post by lynjeff22 » September 22nd, 2007, 4:11 pm

Here is the ComboFix report:
ComboFix 07-09-21.2 - "Jeff" 2007-09-22 14:24:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.271 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Guest\Desktop\internet.lnk
C:\DOCUME~1\Jeff\APPLIC~1\DriveCleaner 2006 Free
C:\DOCUME~1\Jeff\APPLIC~1\DriveCleaner 2006 Free\Logs\update.log
C:\DOCUME~1\Jeff\err.log
C:\DOCUME~1\JJ\APPLIC~1\DriveCleaner 2006 Free
C:\DOCUME~1\JJ\APPLIC~1\DriveCleaner 2006 Free\Logs\update.log
C:\DOCUME~1\JJ\APPLIC~1\searchtoolbarcorp
C:\DOCUME~1\JJ\APPLIC~1\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\DOCUME~1\JJ\APPLIC~1\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\DOCUME~1\JJ\APPLIC~1\WinAntiVirus Pro 2006
C:\DOCUME~1\JJ\APPLIC~1\WinAntiVirus Pro 2006\Logs\winav.log
C:\DOCUME~1\JJ\err.log
C:\DOCUME~1\Lyn\err.log
C:\DOCUME~1\Sawyer\APPLIC~1\DriveCleaner 2006 Free
C:\DOCUME~1\Sawyer\APPLIC~1\DriveCleaner 2006 Free\Logs\update.log
C:\DOCUME~1\Sawyer\APPLIC~1\SystemDoctor 2006 Free
C:\DOCUME~1\Sawyer\APPLIC~1\SystemDoctor 2006 Free\Logs\update.log
C:\DOCUME~1\Sawyer\APPLIC~1\WinAntiVirus Pro 2006
C:\DOCUME~1\Sawyer\APPLIC~1\WinAntiVirus Pro 2006\Logs\winav.log
C:\DOCUME~1\Sawyer\Desktop\internet.lnk
C:\DOCUME~1\Sawyer\err.log
C:\DOCUME~1\Tanner\APPLIC~1\DriveCleaner 2006 Free
C:\DOCUME~1\Tanner\APPLIC~1\DriveCleaner 2006 Free\Logs\update.log
C:\DOCUME~1\Tanner\APPLIC~1\macromedia\Flash Player\#SharedObjects\VLQ2GLPC\www.broadcaster.com
C:\DOCUME~1\Tanner\APPLIC~1\macromedia\Flash Player\#SharedObjects\VLQ2GLPC\www.broadcaster.com\played_list.sol
C:\DOCUME~1\Tanner\APPLIC~1\macromedia\Flash Player\#SharedObjects\VLQ2GLPC\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\Tanner\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Tanner\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Tanner\Desktop\internet.lnk
C:\DOCUME~1\Tanner\err.log
C:\WA6P
C:\WA7P
C:\WINDOWS\DOWNLO~1.\Temp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN
-------\LEGACY_NPF
-------\LEGACY_NTTF
-------\LEGACY_NWSAPAGENT
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK


((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
.

2007-09-22 14:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-22 09:00 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-18 18:51 51,200 -r-hs---- C:\WINDOWS\system32\wkssvc.exe
2007-09-17 17:15 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\U3
2007-09-17 01:28 <DIR> d--h----- C:\system32
2007-09-16 19:22 49,411 --a------ C:\prx.exe
2007-09-06 21:19 <DIR> d-------- C:\.jagex_cache_32
2007-08-31 13:11 <DIR> d-------- C:\WINDOWS\5DF3D1BB894E4DCD8275159AC9829B43.TMP
2007-08-31 09:27 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\.housecall6.6
2007-08-31 08:50 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-18 20:36 --------- d-------- C:\Program Files\MSN Messenger
2007-09-15 06:18 --------- d-------- C:\DOCUME~1\JJ\APPLIC~1\tunebite
2007-09-03 12:45 --------- d-------- C:\DOCUME~1\Jeff\APPLIC~1\Spyzooka
2007-08-27 21:15 --------- d-------- C:\Program Files\The Odyssey Online Classic
2007-08-26 17:59 --------- d-------- C:\DOCUME~1\Jeff\APPLIC~1\Apple Computer
2007-08-22 16:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-19 19:15 --------- d-------- C:\Program Files\AIM
2007-08-19 19:15 --------- d-------- C:\DOCUME~1\Jeff\APPLIC~1\Aim
2007-08-19 19:14 --------- d-------- C:\Program Files\AOD
2007-08-16 02:59 29745 --a------ C:\booterhelp.exe
2007-08-15 17:06 --------- d-------- C:\Program Files\iTunes
2007-08-15 17:06 --------- d-------- C:\Program Files\iPod
2007-08-14 21:19 --------- d-------- C:\Program Files\Maxis
2007-08-14 01:48 89088 --a------ C:\upload2.exe
2007-08-14 01:43 89088 --a------ C:\uploadx.exe
2007-08-02 11:01 --------- d-------- C:\Program Files\SpyZooka
2007-07-27 15:20 --------- d-------- C:\Program Files\DIFX
2005-11-05 19:07 774144 --a------ C:\Program Files\RngInterstitial.dll
2007-05-31 22:36:06 89,600 --sh--r C:\WINDOWS\Help\msiexec.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 12:06]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 21:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"Microsoft (R) Windows Network Service Monitor"="C:\system32\nsmss.exe" [2007-09-17 01:28]
"Microsoft Spooler"="wkssvc.exe" [2007-09-18 18:51 C:\WINDOWS\system32\wkssvc.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"h"=C:\WINDOWS\system32\h.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"= C:\PROGRA~1\SpyZooka\spyguard.dll [2005-05-07 23:25 173568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\system32\nsmss.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\system32\nsmss.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 Win_MSI-Installer;WINDOWS MSI Installer Application;"C:\WINDOWS\help\msiexec.exe"
R3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S2 LogBusDrv;Logical Bus Drive;"C:\WINDOWS\system32\lsmvc.exe"
S2 nsmss;Windows Network Service Monitor;C:\system32\nsmss.exe
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\E:\INSTAL~E\Core\BVRPMPR5.SYS
S3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 15:32:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-22 15:01:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-22 15:02:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-22 15:02
.
--- E O F ---
lynjeff22
Active Member
 
Posts: 12
Joined: August 30th, 2007, 10:42 am

Unread postby Kairis » September 24th, 2007, 1:56 am

Step #1
Check that Combofix.exe is on your Desktop
Then open Notepad: press Start->Run, type notepad and click OK
Copy/paste the contents of the below code box into Notepad:

Code:
File::

C:\WINDOWS\system32\h.exe
C:\prx.exe
C:\WINDOWS\system32\wkssvc.exe

DirLook::

C:\system32


Save this to your Desktop as CFScript.txt
[screenshot: dragging CFScript.txt onto ComboFix.exe]
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Note: Do not click ComboFix's window while it's running - it may cause it to stall!
Once complete, please post the new ComboFix report and a new HijackThis log.

Step #2
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link: Jotti
When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.
C:\booterhelp.exe

Now click Send to submit the file for scanning. It will be scanned by multiple scanning tools, and once scanning is complete you will be able to see the results.
Do the same with these, one by one:
C:\upload2.exe
C:\uploadx.exe

Please copy and paste these results back to me once the scans are complete, along with a fresh HijackThis log. Thanks.


If Jotti is busy, try the same at VirusTotal.
Kairis
Regular Member
 
Posts: 524
Joined: September 15th, 2006, 1:45 pm
Location: Southern Finland
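To show how a reader picks the entries Kairis targets out of the report above, here is an added example that is not part of the original thread or of ComboFix itself: a small Python triage of the "Reg Loading Points" section. The sample input is an excerpt of the posted report. The trusted directory roots and the stock Winlogon Shell/Userinit values are assumptions for an English Windows XP install, and the RunServices rule rests on the assumption that it is a Windows 9x-era key that nothing on a stock XP install uses.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix report.

Added example for this thread, not ComboFix code. It parses the
[key] / "name"=value lines and flags: a bare file name with no directory
(loaded via the search path), an image outside the usual Windows and
Program Files trees, any entry in the legacy RunServices key, and Winlogon
Shell/Userinit values that chain a second program after the stock loader.
"""
import re
from dataclasses import dataclass

# Excerpt copied from the report posted above, trimmed to a few entries.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"Microsoft (R) Windows Network Service Monitor"="C:\system32\nsmss.exe" [2007-09-17 01:28]
"Microsoft Spooler"="wkssvc.exe" [2007-09-18 18:51 C:\WINDOWS\system32\wkssvc.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"h"=C:\WINDOWS\system32\h.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\system32\nsmss.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\system32\nsmss.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>.*?)(?:\s+\[(?P<meta>[^\]]*)\])?\s*$')

# Assumptions for a stock English XP install with Windows in C:\WINDOWS.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": "c:\\windows\\system32\\userinit.exe"}


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    image: str
    reason: str


def parse_loading_points(text):
    """Yield (key, name, value, meta) for each value line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("value"), m.group("meta") or ""


def split_command(value):
    """Split a registry command into (image, arguments), honouring quotes."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end], value[end + 1:].strip()
    parts = value.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(text):
    """Return the list of Findings for one 'Reg Loading Points' section."""
    findings = []
    for key, name, value, meta in parse_loading_points(text):
        lkey, lname = key.lower(), name.lower()
        if lkey.endswith("\\winlogon") and lname in WINLOGON_DEFAULTS:
            # Shell is space-separated, Userinit comma-separated; item 0 should
            # be the stock loader and nothing should follow it.
            sep = "," if lname == "userinit" else None
            items = [p.strip() for p in value.strip('"').split(sep) if p.strip()]
            if not items or items[0].lower() != WINLOGON_DEFAULTS[lname]:
                findings.append(Finding(key, name, items[0] if items else "",
                                        "stock Winlogon loader replaced"))
            for extra in items[1:]:
                findings.append(Finding(key, name, extra, f"extra program chained to Winlogon {name}"))
            continue
        image, _args = split_command(value)
        if "\\" not in image:
            # ComboFix appends the path it resolved a bare name to inside the [ ].
            resolved = meta.split(" ", 2)[2:]
            where = resolved[0] if resolved else "(not resolved)"
            findings.append(Finding(key, name, image, f"bare file name, found via search path at {where}"))
        elif not image.lower().startswith(TRUSTED_ROOTS):
            findings.append(Finding(key, name, image, "image outside Windows/Program Files"))
        if lkey.endswith("\\runservices"):
            # Assumption: RunServices is a Windows 9x-era key unused by stock XP.
            findings.append(Finding(key, name, image, "entry in legacy RunServices key"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60} {f.name!r:48} -> {f.image}")
```

Run as a script it prints five findings: nsmss.exe living in C:\system32 rather than C:\WINDOWS\system32, the bare wkssvc.exe name that ComboFix resolved to C:\WINDOWS\system32, h.exe in RunServices, and nsmss.exe chained to both Shell and Userinit. Those are exactly the paths Kairis's CFScript targets; C:\prx.exe is not an autostart entry and comes from the "Files Created" section of the same report.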