Welcome to MalwareRemoval.com,
Infected and Here's my Hijack Log

Unread postby h20woman » November 10th, 2007, 4:25 pm

My laptop is completely infected. I keep receiving pop-ups claiming I am infected with a variety of viruses including networm-i.virus@fp, spyware.cyberlog-x, and psw.x-virtrojan. Here is my hijack log.
Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:51 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\SYSTEM32\WISPTIS.EXE
C:\WINNT\System32\tabbtnu.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .0.1 zrap.zdnet.com.com #SpySweeperCASS
O1 - Hosts: 0.1 zrap.zdnet.com.com #SpySweeperCASS
O1 - Hosts: mshardware.com #SpySweeperCASS
O1 - Hosts: .0.1 zrap.zdnet.com.com #SpySweeperCASS
O1 - Hosts: 0.1 zrap.zdnet.co
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINNT\system32\nvgflnjr.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TabletWizard] C:\WINNT\help\SplshWrp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe
O4 - HKLM\..\Run: [d80983f0] rundll32.exe "C:\WINNT\system32\lyrfybjv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mmcbase] C:\WINNT\System32\mmcbase.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINNT\System32\196_150_ni.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
O4 - HKCU\..\Run: [rwww] C:\PROGRA~1\COMMON~1\rwww\rwwwm.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175636850561
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://imagelab.bestbuy.com/en/ulcontrolxp.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\IA\command.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UM-St.Louis\VPN Client for Wireless\cvpnd.exe
O23 - Service: DomainService - Unknown owner - C:\WINNT\system32\fqavrimb.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: moricons - Unknown owner - C:\WINNT\system32\moricons.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 9799 bytes
h20woman
Active Member
 
Posts: 4
Joined: November 10th, 2007, 4:22 pm

Unread postby curlylad » November 10th, 2007, 6:02 pm

Hello h20woman and welcome to The Malware Removal Forums.

My name is curlylad and I will be helping you to remove any infection(s) that you may have.

I have to carefully formulate any fixes before I post them so please be patient.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your query and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


OK, there are a few things we need to do before we can then run a few scans.

1. Move HijackThis and rename it - You currently are running HijackThis from an unsuitable location.

Please make a folder here:
C:\Program Files\HJT
and place HijackThis in that folder.
Now I need you to rename HijackThis.exe.
Locate HijackThis.exe which will be an icon of a plunger and dynamite
Right click the icon and select Rename
Rename it to probe.exe.


2. Network - The header of the HijackThis log shows that the scan was run in Safe mode with network support.
This may suggest that the infected PC could be connected to a network.
If it is please disconnect it from the network and do not re-connect to the network until I have given you the 'all clear'.


3. Safe Mode - I need you to generate any future HijackThis Log for me when the system is in the normal boot mode.
To clarify, whenever I request a new HijackThis Log please post me a log that has been generated when the system is in normal boot mode.


Next we need to run a few logs.

SmitfraudFix

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



VundoFix

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Finally can you post back:-

The SmitfraudFix Log
The VundoFix Log
Also a fresh HijackThis Log that has been run in normal mode.

I will review the information in the logs and provide any further necessary steps as soon as possible.
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham

Thanks

Unread postby h20woman » November 11th, 2007, 2:24 am

Thank you so much for your help. I have to post each of these logs in separate posts because something in my computer is taking over my memory and I only have enough memory to have one screen/program open at a time.

Here is the smitfraudfix log

SmitFraudFix v2.252

Scan done at 0:19:50.65, Sun 11/11/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\SYSTEM32\WISPTIS.EXE
C:\WINNT\System32\tabbtnu.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\UM-St.Louis\VPN Client for Wireless\cvpnd.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\igfxtray.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\1XConfig.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 172.16.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3E555572-436D-431B-948D-9BE3B6DDC8E4}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3E555572-436D-431B-948D-9BE3B6DDC8E4}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3E555572-436D-431B-948D-9BE3B6DDC8E4}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
h20woman
Active Member
 
Posts: 4
Joined: November 10th, 2007, 4:22 pm

The Other Two Logs

Unread postby h20woman » November 11th, 2007, 2:36 am

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 12:25:00 AM 11/11/2007

Listing files found while scanning....

C:\WINNT\system32\nvgflnjr.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\nvgflnjr.dll
C:\WINNT\system32\nvgflnjr.dll Has been deleted!

Performing Repairs to the registry.
Done!





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:36 AM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\SYSTEM32\WISPTIS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\tabbtnu.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\UM-St.Louis\VPN Client for Wireless\cvpnd.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\igfxtray.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\alg.exe
C:\WINNT\System32\1XConfig.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HTJ\probe.exe.exe
C:\WINNT\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .zdnet.com.com SpySweeperCASS
O1 - Hosts: .0.1 zrap.zdnet.com.com #SpySweeperCASS
O1 - Hosts: 0.1 zrap.zdnet.com.com #SpySweeperCASS
O1 - Hosts: mshardware.com #SpySweeperCASS
O1 - Hosts: .0.1 zrap.zdnet.com.com #SpySweeperCASS
O1 - Hosts: 0.1 zrap.zdnet.co
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09EACEB7-A522-413A-9ACA-ABD17685C0EE} - C:\WINNT\system32\mlljj.dll
O2 - BHO: {a37f21a9-66a6-b6aa-c114-fa7197e56172} - {27165e79-17af-411c-aa6b-6a669a12f73a} - C:\WINNT\system32\csvlrocd.dll
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINNT\POPUPW~1.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINNT\system32\SearchEnhancer\nskD.dll (file missing)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINNT\system32\hggghih.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D7EAA25D-0209-4F5E-B6C8-8BA21EEA7EC8} - \
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TabletWizard] C:\WINNT\help\SplshWrp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe
O4 - HKLM\..\Run: [d80983f0] rundll32.exe "C:\WINNT\system32\kjclcavc.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mmcbase] C:\WINNT\System32\mmcbase.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINNT\System32\196_150_ni.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
O4 - HKCU\..\Run: [rwww] C:\PROGRA~1\COMMON~1\rwww\rwwwm.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5636850561
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/ ... Client.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://imagelab.bestbuy.com/en/ulcontrolxp.cab
O20 - Winlogon Notify: byvuv - C:\WINNT\system32\byvuv.dll (file missing)
O20 - Winlogon Notify: hggghih - C:\WINNT\SYSTEM32\hggghih.dll
O20 - Winlogon Notify: ljjig - ljjig.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\IA\command.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UM-St.Louis\VPN Client for Wireless\cvpnd.exe
O23 - Service: DomainService - Unknown owner - C:\WINNT\system32\fqavrimb.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: moricons - Unknown owner - C:\WINNT\system32\moricons.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 12844 bytes
h20woman
Active Member
 
Posts: 4
Joined: November 10th, 2007, 4:22 pm
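The two HijackThis logs in this thread are what the helper compares between replies. As an added example (not a tool from this thread, from the forum, or from HijackThis itself), the script below parses entry lines in that format, flags the structural signals visible in the logs above (orphaned entries, machine-wide Trusted Zone additions, Winlogon Notify DLLs, services with no publisher, Run values with random hex names, DLLs dropped straight into system32) and diffs two logs so an entry whose file name changed between scans stands out. The sample lines are copied from the logs above; the rules are review prompts, not verdicts.

```python
"""Triage helper for HijackThis-style logs (added example, not a forum tool)."""
import re
from typing import Dict, List, Tuple

# Constructed samples: a handful of lines copied from the two logs posted in
# this thread (safe mode first, normal mode after VundoFix), not the full logs.
LOG_SAFE_MODE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINNT\system32\nvgflnjr.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [d80983f0] rundll32.exe "C:\WINNT\system32\lyrfybjv.dll",b
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: DomainService - Unknown owner - C:\WINNT\system32\fqavrimb.exe (file missing)
"""

LOG_NORMAL_MODE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [d80983f0] rundll32.exe "C:\WINNT\system32\kjclcavc.dll",b
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: hggghih - C:\WINNT\SYSTEM32\hggghih.dll
O23 - Service: DomainService - Unknown owner - C:\WINNT\system32\fqavrimb.exe (file missing)
"""

# Entry lines look like "O4 - HKLM\..\Run: [name] command": section code, dash, body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# Run value whose name is an 8-digit hex string, e.g. [d80983f0].
HEX_RUN_NAME = re.compile(r"^HK[^\[]*\\Run: \[[0-9a-f]{8}\] ", re.I)
# BHO/toolbar DLL sitting directly in system32 rather than under Program Files.
SYSTEM32_DLL = re.compile(r"\\system32\\[^\\]+\.dll$", re.I)
# rundll32 started from a Run key and handed a DLL that lives in system32.
RUNDLL32_SYS32 = re.compile(r'rundll32\.exe\s+"?[A-Za-z]:\\[^"]*\\system32\\[^"\\]+\.dll', re.I)


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def classify(section: str, body: str) -> List[str]:
    """Reasons an entry deserves a second look; an empty list means no rule fired."""
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: the referenced file is gone")
    if section == "O15":
        reasons.append("site added to the IE Trusted Zone machine-wide (HKLM)")
    if section == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at logon")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service without publisher information")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name")
    if section in ("O2", "O3") and SYSTEM32_DLL.search(body):
        reasons.append("browser extension DLL located directly in system32")
    if section == "O4" and HEX_RUN_NAME.match(body):
        reasons.append("Run value named with a random hex string")
    if section == "O4" and RUNDLL32_SYS32.search(body):
        reasons.append("rundll32 loading a system32 DLL at startup")
    return reasons


def triage(log: str) -> List[Dict[str, object]]:
    """Every entry for which at least one rule fired, with its reasons."""
    findings = []
    for section, body in parse_entries(log):
        reasons = classify(section, body)
        if reasons:
            findings.append({"section": section, "body": body, "reasons": reasons})
    return findings


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(entries only in `before`, entries only in `after`), as full entry lines."""
    old = {f"{s} - {b}" for s, b in parse_entries(before)}
    new = {f"{s} - {b}" for s, b in parse_entries(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for f in triage(LOG_NORMAL_MODE):
        print(f"{f['section']}: {'; '.join(f['reasons'])}\n    {f['body']}")
    removed, added = diff_logs(LOG_SAFE_MODE, LOG_NORMAL_MODE)
    print("\nGone since the first log:", *removed, sep="\n  ")
    print("\nNew since the first log:", *added, sep="\n  ")
```

Run against the two samples, the diff shows the same [d80983f0] Run value pointing at a different DLL name in each log, which is why the helper asks for a fresh log after every tool rather than re-reading the old one.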

Re: Infected and Here's my Hijack Log

Unread postby curlylad » November 12th, 2007, 3:20 pm

Good Evening h20woman

Here are your next instructions:-

Download and Run ComboFix

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

I will review the log when you have posted it back and provide further steps as soon as possible.
User avatar
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham

Re: Infected and Here's my Hijack Log

Unread postby h20woman » November 12th, 2007, 9:50 pm

ComboFix 07-11-08.1 - Administrator 2007-11-12 16:10:19.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINNT\cookies.ini
C:\WINNT\system32\byvus.dll
C:\WINNT\system32\sfrqarjw.dllbox
C:\WINNT\system32\suvyb.bak1
C:\WINNT\system32\suvyb.bak2
C:\WINNT\system32\suvyb.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-11 18:34 349,272 --a------ C:\Silent Runners.vbs
2007-11-11 17:16 145,984 --a------ C:\WINNT\system32\sfrqarjw.dll
2007-11-11 17:16 145,984 --a------ C:\WINNT\system32\rrxutqbp.dll
2007-11-11 17:13 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-11 00:37 88,128 --a------ C:\WINNT\system32\rvfcfykl.dll
2007-11-11 00:34 79,936 --a------ C:\WINNT\system32\csvlrocd.dll
2007-11-11 00:33 71,232 --a------ C:\WINNT\system32\ppldiykd.exe
2007-11-11 00:24 <DIR> d-------- C:\VundoFix Backups
2007-11-11 00:23 79,936 --a------ C:\WINNT\system32\rdygvbid.dll
2007-11-11 00:19 71,232 --a------ C:\WINNT\system32\lolmhjai.exe
2007-11-11 00:18 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
2007-11-11 00:18 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-11-11 00:18 53,248 --a------ C:\WINNT\system32\Process.exe
2007-11-11 00:18 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-11-11 00:18 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
2007-11-11 00:01 3,736 --a------ C:\WINNT\system32\tmp.reg
2007-11-10 17:47 <DIR> d-------- C:\Program Files\HTJ
2007-11-10 17:23 81,472 --a------ C:\WINNT\system32\bsfyeuli.dll
2007-11-10 17:20 85,056 --a------ C:\WINNT\system32\kjclcavc.dll
2007-11-10 17:20 71,232 --a------ C:\WINNT\system32\bkxuvcpk.exe
2007-11-10 15:01 81,472 --a------ C:\WINNT\system32\hmiqoedo.dll
2007-11-10 15:00 71,232 --a------ C:\WINNT\system32\rhtnftbt.exe
2007-11-10 13:57 81,472 --a------ C:\WINNT\system32\xalbahye.dll
2007-11-10 13:51 71,232 --a------ C:\WINNT\system32\cwntlufv.exe
2007-11-10 12:31 85,056 --a------ C:\WINNT\system32\kevjhslv.dll
2007-11-10 12:28 81,472 --a------ C:\WINNT\system32\vipgxgvu.dll
2007-11-10 12:26 71,232 --a------ C:\WINNT\system32\bslnrdxo.exe
2007-11-10 02:09 85,056 --a------ C:\WINNT\system32\lyrfybjv.dll
2007-11-10 02:01 81,472 --a------ C:\WINNT\system32\qpnqhpef.dll
2007-11-10 01:56 85,056 --a------ C:\WINNT\system32\gtjumvgk.dll
2007-11-10 01:56 71,232 --a------ C:\WINNT\system32\sklxfgtn.exe
2007-11-10 01:50 71,232 --a------ C:\WINNT\system32\wfgvwvql.exe
2007-11-09 11:53 <DIR> d-------- C:\WINNT\system32\CatRoot2
2007-11-09 11:53 <DIR> d-------- C:\WINNT\system32\CatRoot
2007-11-09 10:59 88,128 --a------ C:\WINNT\system32\sjgeppnx.dll
2007-11-09 10:56 77,888 --a------ C:\WINNT\system32\igstudln.dll
2007-11-09 10:53 71,232 --a------ C:\WINNT\system32\ihtjbngb.exe
2007-11-09 00:00 24,064 --a------ C:\WINNT\system32\msxml3a.dll
2007-11-08 23:48 77,888 --a------ C:\WINNT\system32\bscqvgwu.dll
2007-11-08 23:44 71,232 --a------ C:\WINNT\system32\qjgedlyl.exe
2007-11-08 23:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-08 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-08 23:15 10,872 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-11-08 22:53 80,448 --a------ C:\WINNT\system32\jibfqntd.dll
2007-11-08 22:50 86,080 --a------ C:\WINNT\system32\atgfuceu.dll
2007-11-08 22:50 71,232 --a------ C:\WINNT\system32\xmqrnawi.exe
2007-11-08 22:09 86,080 --a------ C:\WINNT\system32\qcxkhtxh.dll
2007-11-08 18:40 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-11-08 18:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-08 00:24 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-11-06 22:20 28,672 --a------ C:\WINNT\system32\drivers\CO_Mon.sys
2007-11-06 16:25 <DIR> d-------- C:\WINNT\rwww
2007-11-06 14:26 20,480 --a------ C:\Documents and Settings\LocalService\Application Data\internaldb2875.dat
2007-11-06 14:26 13,046 --a------ C:\Documents and Settings\LocalService\Application Data\internaldb6784.dat
2007-11-06 14:26 522 --a------ C:\Documents and Settings\LocalService\Application Data\internaldb8665.dat
2007-11-06 14:26 378 --a------ C:\Documents and Settings\LocalService\Application Data\internaldb1942.dat
2007-11-06 14:26 0 --a------ C:\Documents and Settings\LocalService\Application Data\internaldb8255.dat
2007-11-06 14:26 0 --a------ C:\Documents and Settings\LocalService\Application Data\internaldb5454.dat
2007-11-06 14:26 0 --a------ C:\Documents and Settings\LocalService\Application Data\internaldb2491.dat
2007-11-06 14:26 0 --a------ C:\Documents and Settings\LocalService\Application Data\internaldb2278.dat
2007-11-06 14:26 0 --a------ C:\Documents and Settings\LocalService\Application Data\internaldb1353.dat
2007-11-05 22:09 <DIR> d-------- C:\temp\mZOr
2007-11-05 22:09 36,352 --a------ C:\WINNT\system32\hggghih.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 05:34 --------- d-----w C:\Program Files\Symantec
2007-11-12 05:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-12 03:51 --------- d-----w C:\Program Files\Webroot
2007-11-12 03:45 --------- d-----w C:\Program Files\MySpace
2007-11-12 03:29 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-12 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-10 22:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2007-11-10 09:36 --------- d-----w C:\Program Files\Windows Journal
2007-11-07 08:47 --------- d-----w C:\Program Files\QuickTime
2007-11-07 08:14 --------- d-----w C:\Program Files\iTunes
2007-11-07 08:08 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2007-10-02 02:01 128,648 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-09-23 17:56 --------- d-----w C:\Program Files\MSECache
2007-08-24 03:46 1,522 ----a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2007-08-22 13:12 96,256 ------w C:\WINNT\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINNT\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINNT\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINNT\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINNT\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINNT\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINNT\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINNT\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINNT\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINNT\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINNT\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINNT\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINNT\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINNT\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINNT\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINNT\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINNT\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINNT\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINNT\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINNT\system32\dllcache\inetcomm.dll
2007-01-30 04:39 49 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb41.dat
2007-01-23 22:46 9,216 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb8467.dat
2007-01-23 22:46 382 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb1942.dat
2007-01-23 22:46 20,480 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb4827.dat
2007-01-23 22:46 151 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb292.dat
2007-01-23 22:46 0 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb6334.dat
2007-01-23 22:46 0 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb5436.dat
2007-01-23 22:46 0 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb4604.dat
2007-01-23 22:46 0 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb3902.dat
2007-01-23 22:46 0 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb2391.dat
2007-01-23 22:46 0 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb153.dat
2004-12-04 04:45 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-12-09 03:42:07 346,232 --sha-w C:\WINNT\system32\gfeeg.bak1
2005-12-10 11:03:15 370,760 --sha-w C:\WINNT\system32\gfeeg.bak2
2005-12-11 04:26:00 347,416 --sha-w C:\WINNT\system32\gfeeg.ini2
2005-11-27 19:52:50 539,321 --sha-w C:\WINNT\system32\vuvyb.bak1
2005-11-28 20:01:41 538,681 --sha-w C:\WINNT\system32\vuvyb.bak2
2005-11-28 20:10:07 538,316 --sha-w C:\WINNT\system32\vuvyb.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27165e79-17af-411c-aa6b-6a669a12f73a}]
2007-11-11 00:34 79936 --a------ C:\WINNT\system32\csvlrocd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-05 22:09 36352 --a------ C:\WINNT\system32\hggghih.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-11 17:16 145984 --a------ C:\WINNT\system32\sfrqarjw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7EAA25D-0209-4F5E-B6C8-8BA21EEA7EC8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINNT\system32\sfrqarjw.dll [2007-11-11 17:16 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" [2004-08-04 01:56]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [2003-07-10 02:25]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2003-07-10 02:13]
"AGRSMMSG"="AGRSMMSG.exe" [2003-08-29 09:44 C:\WINNT\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-30 15:16]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-30 15:16]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 01:36]
"Gateway Ink Monitor"="C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe" [2003-11-05 11:23]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42]
"TabletWizard"="C:\WINNT\help\SplshWrp.exe" [2004-08-04 01:56]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-06 11:58]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"d80983f0"="C:\WINNT\system32\rvfcfykl.dll" [2007-11-11 00:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"mmcbase"="C:\WINNT\System32\mmcbase.exe" []
"196_150_ni"="C:\WINNT\System32\196_150_ni.exe" []
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2004-05-17 05:05]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 18:34]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" []
"rwww"="C:\PROGRA~1\COMMON~1\rwww\rwwwm.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINNT\system32\hggghih.dll [2007-11-05 22:09 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byvuv]
C:\WINNT\system32\byvuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggghih]
hggghih.dll 2007-11-05 22:09 36352 C:\WINNT\system32\hggghih.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjig]
ljjig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 01:56 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINNT\System32\LgNotify.dll 2003-12-16 15:49 110592 c:\WINNT\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sfrqarjw]
sfrqarjw.dll 2007-11-11 17:16 145984 C:\WINNT\system32\sfrqarjw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 02:41 11776 C:\WINNT\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2004-08-04 01:56 30208 C:\WINNT\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\iifcd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\df_kmd.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-12 19:49:02 C:\WINNT\Tasks\HP Usg Daily FY04.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 16:40:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\iifcd.dll 313440 bytes executable
C:\WINNT\system32\dcfii.ini 317 bytes
C:\WINNT\system32\dcfii.ini2 317 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
Completion time: 2007-11-12 16:54:25 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-11 18:30
.
--- E O F ---
h20woman
Active Member
 
Posts: 4
Joined: November 10th, 2007, 4:22 pm

Re: Infected and Here's my Hijack Log

Unread postby curlylad » November 13th, 2007, 5:10 pm

Good Evening h20woman

Here's your next set of instructions:-

HIJACKTHIS
  • Open HijackThis
  • Click the button Do a system scan only
  • Place a tick or check mark next to the following entries

    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .zdnet.com.com SpySweeperCASS
    O1 - Hosts: .0.1 zrap.zdnet.com.com #SpySweeperCASS
    O1 - Hosts: 0.1 zrap.zdnet.com.com #SpySweeperCASS
    O1 - Hosts: mshardware.com #SpySweeperCASS
    O1 - Hosts: .0.1 zrap.zdnet.com.com #SpySweeperCASS
    O1 - Hosts: 0.1 zrap.zdnet.co
    O2 - BHO: (no name) - {09EACEB7-A522-413A-9ACA-ABD17685C0EE} - C:\WINNT\system32\mlljj.dll
    O2 - BHO: {a37f21a9-66a6-b6aa-c114-fa7197e56172} - {27165e79-17af-411c-aa6b-6a669a12f73a} - C:\WINNT\system32\csvlrocd.dll
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINNT\system32\SearchEnhancer\nskD.dll (file missing)
    O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINNT\system32\hggghih.dll
    O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll (file missing)
    O2 - BHO: (no name) - {D7EAA25D-0209-4F5E-B6C8-8BA21EEA7EC8} - \
    O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
    O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
    O4 - HKLM\..\Run: [rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe
    O4 - HKLM\..\Run: [d80983f0] rundll32.exe "C:\WINNT\system32\kjclcavc.dll",b
    O4 - HKCU\..\Run: [mmcbase] C:\WINNT\System32\mmcbase.exe
    O4 - HKCU\..\Run: [196_150_ni] C:\WINNT\System32\196_150_ni.exe
    O4 - HKCU\..\Run: [rwww] C:\PROGRA~1\COMMON~1\rwww\rwwwm.exe
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O20 - Winlogon Notify: byvuv - C:\WINNT\system32\byvuv.dll (file missing)
    O20 - Winlogon Notify: hggghih - C:\WINNT\SYSTEM32\hggghih.dll
    O20 - Winlogon Notify: ljjig - ljjig.dll (file missing)
    O23 - Service: DomainService - Unknown owner - C:\WINNT\system32\fqavrimb.exe (file missing)
    O23 - Service: moricons - Unknown owner - C:\WINNT\system32\moricons.exe (file missing)

  • Now click the Fix Checked button
  • Close HijackThis.




CFSCRIPT

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

    Folder::
    C:\WINNT\rwww

    File::
    C:\WINNT\system32\sfrqarjw.dll
    C:\WINNT\system32\rrxutqbp.dll
    C:\WINNT\system32\rvfcfykl.dll
    C:\WINNT\system32\csvlrocd.dll
    C:\WINNT\system32\ppldiykd.exe
    C:\WINNT\system32\rdygvbid.dll
    C:\WINNT\system32\lolmhjai.exe
    C:\WINNT\system32\bsfyeuli.dll
    C:\WINNT\system32\kjclcavc.dll
    C:\WINNT\system32\bkxuvcpk.exe
    C:\WINNT\system32\hmiqoedo.dll
    C:\WINNT\system32\rhtnftbt.exe
    C:\WINNT\system32\xalbahye.dll
    C:\WINNT\system32\cwntlufv.exe
    C:\WINNT\system32\kevjhslv.dll
    C:\WINNT\system32\vipgxgvu.dll
    C:\WINNT\system32\bslnrdxo.exe
    C:\WINNT\system32\lyrfybjv.dll
    C:\WINNT\system32\qpnqhpef.dll
    C:\WINNT\system32\gtjumvgk.dll
    C:\WINNT\system32\sklxfgtn.exe
    C:\WINNT\system32\wfgvwvql.exe
    C:\WINNT\system32\sjgeppnx.dll
    C:\WINNT\system32\igstudln.dll
    C:\WINNT\system32\ihtjbngb.exe
    C:\WINNT\system32\bscqvgwu.dll
    C:\WINNT\system32\qjgedlyl.exe
    C:\WINNT\system32\jibfqntd.dll
    C:\WINNT\system32\atgfuceu.dll
    C:\WINNT\system32\xmqrnawi.exe
    C:\WINNT\system32\qcxkhtxh.dll
    C:\WINNT\system32\hggghih.dll
    C:\WINNT\system32\gfeeg.bak1
    C:\WINNT\system32\gfeeg.bak2
    C:\WINNT\system32\gfeeg.ini2
    C:\WINNT\system32\vuvyb.bak1
    C:\WINNT\system32\vuvyb.bak2
    C:\WINNT\system32\vuvyb.ini2
    C:\WINNT\System32\mmcbase.exe
    C:\WINNT\System32\196_150_ni.exe
    C:\WINNT\system32\byvuv.dll
    C:\WINNT\system32\tabbtnwl.dll
    C:\WINNT\system32\tpgwlnot.dll
    C:\WINNT\system32\iifcd.dll

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27165e79-17af-411c-aa6b-6a669a12f73a}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7EAA25D-0209-4F5E-B6C8-8BA21EEA7EC8}]
    [-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byvuv]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjig]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sfrqarjw]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please post the new ComboFix log in your next reply.

Please now reboot your system before moving on to the next step.



HIJACKTHIS LOG AND UNINSTALL LIST
  • Open HijackThis
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save List...
  • Save the list to your Desktop
  • Under Other Stuff click the Back button
  • Now click the Scan button
  • Click the Save Log button, save it to your Desktop
  • Close HijackThis.


REPORT BACK
  • I now need you to post back the ComboFix Log
  • The Uninstall List
  • And a fresh HijackThis Log.

I will review the new information and provide any further necessary steps as soon as possible.
User avatar
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham
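The removal list in the CFScript above comes from reading the ComboFix "Reg Loading Points" section for a few recurring patterns: loader DLLs dated within days of the scan sitting at BHO, Run and Winlogon Notify keys, autorun values whose target no longer exists, and a second DLL next to msv1_0 in the LSA "Authentication Packages" value. As an added example (not part of the thread, ComboFix or HijackThis), the Python below parses that section's layout and flags those patterns; the sample input is constructed from lines quoted in the thread, and the 30-day "recent" window is an assumption.

```python
# Added example: triage the "Reg Loading Points" section of a ComboFix log (not ComboFix's own code).
import re
from datetime import date, datetime
from typing import List, NamedTuple

SCAN_DATE = date(2007, 11, 12)  # from the ComboFix header quoted in the thread
RECENT_DAYS = 30                # assumption: a loader touched within 30 days of the scan is suspect

# Constructed sample: a subset of the "Reg Loading Points" lines quoted in the thread above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27165e79-17af-411c-aa6b-6a669a12f73a}]
2007-11-11 00:34 79936 --a------ C:\WINNT\system32\csvlrocd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" [2004-08-04 01:56]
"d80983f0"="C:\WINNT\system32\rvfcfykl.dll" [2007-11-11 00:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mmcbase"="C:\WINNT\System32\mmcbase.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggghih]
hggghih.dll 2007-11-05 22:09 36352 C:\WINNT\system32\hggghih.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 01:56 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\iifcd.dll
"""

Finding = NamedTuple("Finding", [("key", str), ("target", str), ("reason", str)])
DATE_RE = re.compile(r"(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:dll|exe)', re.IGNORECASE)  # first drive path ending in .dll/.exe

def parse_blocks(text: str):
    """Yield (registry key, value lines) per [KEY] block; ComboFix separates blocks with blank lines."""
    key, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, lines
            key, lines = line[1:-1], []
        elif line and key is not None:
            lines.append(line)
    if key is not None:
        yield key, lines

def modified_recently(line: str) -> bool:
    """True when the file timestamp ComboFix printed on the line is within RECENT_DAYS of the scan."""
    m = DATE_RE.search(line)
    if not m:
        return False
    age = (SCAN_DATE - datetime.strptime(m.group(1), "%Y-%m-%d").date()).days
    return 0 <= age <= RECENT_DAYS

def triage(text: str) -> List[Finding]:
    """Flag the loading-point patterns that the CFScript in the thread removes."""
    findings = []
    for key, lines in parse_blocks(text):
        low = key.lower()
        for line in lines:
            m = PATH_RE.search(line)
            target = m.group(0) if m else line
            if low.endswith("control\\lsa") and "authentication packages" in line.lower():
                # msv1_0 is the stock NTLM package; any other DLL listed here is loaded into LSASS.
                # Token split assumes package paths without spaces, as in the thread's log.
                for tok in line.split("=", 1)[1].split():
                    if tok.lower() != "msv1_0":
                        findings.append(Finding(key, tok, "extra LSA authentication package"))
            elif low.endswith("\\run") and line.endswith("[]"):
                # ComboFix prints [] when it cannot stat the target: an autorun pointing at nothing.
                findings.append(Finding(key, target, "autorun target missing on disk"))
            elif modified_recently(line):
                findings.append(Finding(key, target, "binary modified within %d days of scan" % RECENT_DAYS))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-42s %s" % (f.reason, f.target))
```

Stock entries such as tabtip.exe and loginkey.dll pass untouched because their file dates predate the window, which is the same distinction the helper drew between the 2004-dated Microsoft entries and the November 2007 DLLs.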

Re: Infected and Here's my Hijack Log

Unread postby 'KotaGuy » December 14th, 2007, 9:50 am

This topic is now closed due to inactivity. If you wish it to be reopened, please send an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada