Solved: slooooow computer :(

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Captain Planet

Thread Starter
Joined
Sep 28, 2008
Messages
6
I was attacked by some trojans the other day and hopefully I got rid of all of their remnants, but I'm not sure if I'm clean or not. My websites used to be redirected and each webpage was doubled on the screen, but that seems to have healed overnight. (??) Is my HijackThis logfile clean?

Logfile of HijackThis v1.99.1
Scan saved at 6:55:02 PM, on 9/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\DOCUME~1\TRACIF~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BM376968b1] Rundll32.exe "C:\WINDOWS\system32\ookyajjb.dll",s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton AntiVirus" /m "C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll" /prefetch:1 (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Thanks so much!
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi Welcome to TSG!!


Visit this webpage for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
 

Captain Planet

Thread Starter
Joined
Sep 28, 2008
Messages
6
I already went through the combofix process and it won't let me do it again (I was using the wrong windows recovery). I'm trying to find my old combofix log (I'm pretty sure I saved it). Is there anything else I could do?
 

Captain Planet

Thread Starter
Joined
Sep 28, 2008
Messages
6
OLD COMBOFIX

ComboFix 08-09-27.06 - Traci Fitzharris 2008-09-28 18:21:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.194 [GMT -7:00]
Running from: C:\Documents and Settings\Traci Fitzharris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Traci Fitzharris\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM376968b1.txt
C:\WINDOWS\BM376968b1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtusssr.dll
C:\WINDOWS\system32\ieupdates.exe.tmp
C:\WINDOWS\system32\JSssDcfe.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ysqoqraq.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-09-28 17:28 . 2008-09-28 17:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-09-28 17:24 . 2008-09-28 17:24 <DIR> d----c--- C:\VundoFix Backups
2008-09-28 14:51 . 2008-09-28 15:06 <DIR> d-------- C:\Program Files\Sophos
2008-09-28 12:51 . 2008-07-28 11:29 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-09-28 12:50 . 2008-09-28 15:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-28 12:50 . 2008-09-28 12:54 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-09-28 12:50 . 2008-09-28 12:50 <DIR> d-------- C:\Documents and Settings\Traci Fitzharris\Application Data\PC Tools
2008-09-28 12:50 . 2008-09-28 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-09-28 12:50 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-28 12:50 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-28 12:50 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-28 12:50 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-28 01:20 . 2008-09-28 01:19 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-09-28 01:19 . 2008-09-28 01:19 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-09-28 01:19 . 2008-09-28 01:19 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-09-28 01:18 . 2008-09-28 01:18 <DIR> d-------- C:\WINDOWS\system32\drivers\NAV
2008-09-28 01:18 . 2008-09-28 01:18 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-09-28 01:18 . 2008-09-28 01:18 <DIR> d-------- C:\Program Files\NortonInstaller
2008-09-28 01:18 . 2008-09-28 01:19 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-09-28 01:18 . 2008-09-28 01:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-28 01:18 . 2008-09-28 01:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Norton
2008-09-28 00:55 . 2008-09-28 01:19 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-28 00:55 . 2008-09-28 01:19 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-28 00:53 . 2008-09-28 00:53 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-09-28 00:53 . 2008-09-28 01:19 <DIR> d-------- C:\Program Files\Symantec
2008-09-28 00:53 . 2008-09-28 01:27 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-09-28 00:01 . 2006-04-04 15:55 591,632 --------- C:\WINDOWS\system32\WinSSWebAgent.dll
2008-09-27 23:23 . 2008-09-27 23:23 128,000 --a------ C:\WINDOWS\system32\tthugigd.dll
2008-09-27 23:21 . 2008-09-27 23:21 105,984 --a------ C:\WINDOWS\system32\ookyajjb.dll
2008-09-27 23:20 . 2008-09-28 14:02 888,844 --ahs---- C:\WINDOWS\system32\JSssDcfe.ini2
2008-09-27 17:17 . 2008-04-13 17:11 32,768 --a------ C:\WINDOWS\system32\dllcache\ativtmxx.dll
2008-09-27 17:17 . 2008-04-13 17:11 32,768 --a------ C:\WINDOWS\system32\ativtmxx.dll
2008-09-27 16:58 . 2008-09-28 02:16 <DIR> d-------- C:\WINDOWS\system32\EV19
2008-09-27 16:58 . 2008-09-27 16:58 <DIR> d----c--- C:\Temp\xp34
2008-09-27 16:58 . 2008-09-27 16:59 <DIR> d----c--- C:\Temp
2008-09-22 01:20 . 2008-09-22 01:20 <DIR> d-------- C:\Documents and Settings\Traci Fitzharris\Application Data\deskPDF
2008-09-22 01:15 . 2008-09-22 01:16 <DIR> d-------- C:\Program Files\Docudesk
2008-09-22 01:15 . 2008-03-25 13:51 18,790 --a------ C:\WINDOWS\system32\ddmon.dll
2008-09-06 15:34 . 2008-09-06 15:34 <DIR> d-------- C:\Program Files\AVG
2008-09-06 15:05 . 2008-09-06 15:06 1,594 --a------ C:\WINDOWS\VPNUnInstall.MIF
2008-09-05 23:45 . 2008-09-05 23:45 <DIR> d----c--- C:\Nexon
2008-09-05 23:45 . 2008-09-06 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NexonUS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 01:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-28 08:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-28 00:08 --------- d-----w C:\Documents and Settings\Traci Fitzharris\Application Data\ATI
2008-09-25 06:54 --------- d--h--w C:\Documents and Settings\Traci Fitzharris\Application Data\Move Networks
2008-09-22 02:03 --------- d-----w C:\Documents and Settings\Traci Fitzharris\Application Data\Azureus
2008-09-22 01:21 --------- d-----w C:\Documents and Settings\Traci Fitzharris\Application Data\BitTorrent
2008-09-06 22:53 --------- d-----w C:\Documents and Settings\Traci Fitzharris\Application Data\Toshiba
2008-09-06 22:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-06 22:13 --------- d-----w C:\Program Files\Symantec Client Security
2008-08-23 19:28 --------- d-----w C:\Program Files\Apple Software Update
2008-08-23 19:25 --------- d-----w C:\Program Files\iTunes
2008-08-23 19:24 --------- d-----w C:\Program Files\iPod
2008-08-23 19:22 --------- d-----w C:\Program Files\QuickTime
2008-08-23 19:22 --------- d-----w C:\Program Files\Bonjour
2007-10-28 00:03 81,920 ----a-w C:\Documents and Settings\Traci Fitzharris\Application Data\ezpinst.exe
2007-10-28 00:03 47,360 ----a-w C:\Documents and Settings\Traci Fitzharris\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-09 185896]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe" [2003-05-21 90112]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-09-10 864256]
"BM376968b1"="C:\WINDOWS\system32\ookyajjb.dll" [2008-09-27 105984]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 C:\WINDOWS\stsystra.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 C:\WINDOWS\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-22 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 16:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
--a------ 2006-03-01 11:58 712704 C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\Nexon\Combat Arms\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"C:\Nexon\Combat Arms\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"C:\\Nexon\\Combat Arms\\NMService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:128.32.30.64/255.255.255.224:Enabled:mad:xpsp2res.dll,-22004
"137:TCP"= 137:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-137:TCP
"445:TCP"= 445:TCP:128.32.30.64/255.255.255.224:Enabled:mad:xpsp2res.dll,-22005
"23:TCP"= 23:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-23:TCP
"25:TCP"= 25:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-25:TCP
"80:TCP"= 80:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-80:TCP
"20:TCP"= 20:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-20:TCP
"21:TCP"= 21:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-21:TCP
"113:TCP"= 113:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-113:TCP
"443:TCP"= 443:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-443:TCP
"1025:TCP"= 1025:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-1025:TCP
"135:UDP"= 135:UDP:128.32.30.64/255.255.255.224:Enabled:SNS-135:UDP
"137:UDP"= 137:UDP:128.32.30.64/255.255.255.224:Enabled:mad:xpsp2res.dll,-22001

R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-09-28 309296]
R1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-09-28 254512]
R1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-09-28 362544]
R1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20080923.001\IDSxpx86.sys [2008-09-28 274808]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-07-28 160792]
R2 Norton AntiVirus;Norton AntiVirus;C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe /s Norton AntiVirus /m C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll [ ]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\6B.tmp [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SynTPEnh - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-AAWTray - C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
HKLM-Run-MSKDetectorExe - C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
Notify-mlJDvSLe - mlJDvSLe.dll
MSConfigStartUp-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
MSConfigStartUp-ModemOnHold - C:\Program Files\NetWaiting\netWaiting.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Traci Fitzharris\Application Data\Mozilla\Firefox\Profiles\mqztgdll.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:eek:fficial
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Documents and Settings\Traci Fitzharris\Application Data\Mozilla\Firefox\Profiles\mqztgdll.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 18:27:49
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\6B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-09-28 18:36:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-29 01:35:57

Pre-Run: 6,701,834,240 bytes free
Post-Run: 7,564,591,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

265 --- E O F --- 2008-09-10 01:33:49
 

Captain Planet

Thread Starter
Joined
Sep 28, 2008
Messages
6
i ran combofix again, but i'm still using the wrong window's recovery (i should be using the sp2 pro because i have windows xp sp3 media center edition, but instead i ran a home recovery). will this not work? am i messing up my computer?

ComboFix 08-09-30.03 - Traci Fitzharris 2008-09-30 19:17:29.1 - NTFSx86
Running from: C:\Documents and Settings\Traci Fitzharris\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM376968b1.txt
C:\WINDOWS\BM376968b1.xml
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV


((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-09-30 19:24 . 2008-09-30 19:24 113,053 --a------ C:\WINDOWS\BM376968b1.xml
2008-09-29 22:23 . 2008-09-29 22:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-29 18:56 . 2008-09-29 18:57 <DIR> d-------- C:\Program Files\iTunes
2008-09-29 18:56 . 2008-09-29 18:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-29 18:52 . 2008-09-29 18:53 <DIR> d-------- C:\Program Files\QuickTime
2008-09-29 18:41 . 2008-09-29 18:41 <DIR> d-------- C:\Program Files\Bonjour
2008-09-28 17:28 . 2008-09-28 23:41 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-09-28 17:24 . 2008-09-28 17:24 <DIR> d----c--- C:\VundoFix Backups
2008-09-28 14:51 . 2008-09-28 15:06 <DIR> d-------- C:\Program Files\Sophos
2008-09-28 12:51 . 2008-07-28 11:29 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-09-28 12:50 . 2008-09-30 19:23 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-28 12:50 . 2008-09-28 12:54 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-09-28 12:50 . 2008-09-28 12:50 <DIR> d-------- C:\Documents and Settings\Traci Fitzharris\Application Data\PC Tools
2008-09-28 12:50 . 2008-09-28 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-09-28 12:50 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-28 12:50 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-28 12:50 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-28 12:50 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-28 01:19 . 2008-09-28 01:19 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-09-28 01:19 . 2008-09-28 01:19 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-09-28 01:18 . 2008-09-28 01:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-28 01:18 . 2008-09-29 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Norton
2008-09-28 00:55 . 2008-09-28 01:19 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-28 00:55 . 2008-09-28 01:19 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-28 00:53 . 2008-09-28 00:53 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-09-28 00:53 . 2008-09-28 01:19 <DIR> d-------- C:\Program Files\Symantec
2008-09-28 00:53 . 2008-09-28 01:27 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-09-28 00:01 . 2006-04-04 15:55 591,632 --------- C:\WINDOWS\system32\WinSSWebAgent.dll
2008-09-27 23:23 . 2008-09-27 23:23 128,000 --a------ C:\WINDOWS\system32\tthugigd.dll
2008-09-27 23:21 . 2008-09-27 23:21 105,984 --a------ C:\WINDOWS\system32\ookyajjb.dll
2008-09-27 23:20 . 2008-09-28 14:02 888,844 --ahs---- C:\WINDOWS\system32\JSssDcfe.ini2
2008-09-27 17:17 . 2008-04-13 17:11 32,768 --a------ C:\WINDOWS\system32\dllcache\ativtmxx.dll
2008-09-27 17:17 . 2008-04-13 17:11 32,768 --a------ C:\WINDOWS\system32\ativtmxx.dll
2008-09-27 16:58 . 2008-09-28 02:16 <DIR> d-------- C:\WINDOWS\system32\EV19
2008-09-27 16:58 . 2008-09-27 16:58 <DIR> d----c--- C:\Temp\xp34
2008-09-27 16:58 . 2008-09-27 16:59 <DIR> d----c--- C:\Temp
2008-09-22 01:20 . 2008-09-22 01:20 <DIR> d-------- C:\Documents and Settings\Traci Fitzharris\Application Data\deskPDF
2008-09-22 01:15 . 2008-09-22 01:16 <DIR> d-------- C:\Program Files\Docudesk
2008-09-22 01:15 . 2008-03-25 13:51 18,790 --a------ C:\WINDOWS\system32\ddmon.dll
2008-09-06 15:34 . 2008-09-06 15:34 <DIR> d-------- C:\Program Files\AVG
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-06 15:05 . 2008-09-06 15:06 1,594 --a------ C:\WINDOWS\VPNUnInstall.MIF
2008-09-05 23:45 . 2008-09-05 23:45 <DIR> d----c--- C:\Nexon
2008-09-05 23:45 . 2008-09-06 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NexonUS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 02:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-30 01:56 --------- d-----w C:\Program Files\iPod
2008-09-30 01:52 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-28 08:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-28 00:08 --------- d-----w C:\Documents and Settings\Traci Fitzharris\Application Data\ATI
2008-09-25 06:54 --------- d--h--w C:\Documents and Settings\Traci Fitzharris\Application Data\Move Networks
2008-09-22 02:03 --------- d-----w C:\Documents and Settings\Traci Fitzharris\Application Data\Azureus
2008-09-22 01:21 --------- d-----w C:\Documents and Settings\Traci Fitzharris\Application Data\BitTorrent
2008-09-06 22:53 --------- d-----w C:\Documents and Settings\Traci Fitzharris\Application Data\Toshiba
2008-09-06 22:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-06 22:13 --------- d-----w C:\Program Files\Symantec Client Security
2008-08-23 19:28 --------- d-----w C:\Program Files\Apple Software Update
2007-10-28 00:03 81,920 ----a-w C:\Documents and Settings\Traci Fitzharris\Application Data\ezpinst.exe
2007-10-28 00:03 47,360 ----a-w C:\Documents and Settings\Traci Fitzharris\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-09 185896]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"BM376968b1"="C:\WINDOWS\system32\ookyajjb.dll" [2008-09-27 105984]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 C:\WINDOWS\stsystra.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 C:\WINDOWS\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-22 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 16:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
--a------ 2006-03-01 11:58 712704 C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\Nexon\Combat Arms\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"C:\Nexon\Combat Arms\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"C:\\Nexon\\Combat Arms\\NMService.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:128.32.30.64/255.255.255.224:Enabled:mad:xpsp2res.dll,-22004
"137:TCP"= 137:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-137:TCP
"445:TCP"= 445:TCP:128.32.30.64/255.255.255.224:Enabled:mad:xpsp2res.dll,-22005
"23:TCP"= 23:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-23:TCP
"25:TCP"= 25:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-25:TCP
"80:TCP"= 80:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-80:TCP
"20:TCP"= 20:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-20:TCP
"21:TCP"= 21:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-21:TCP
"113:TCP"= 113:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-113:TCP
"443:TCP"= 443:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-443:TCP
"1025:TCP"= 1025:TCP:128.32.30.64/255.255.255.224:Enabled:SNS-1025:TCP
"135:UDP"= 135:UDP:128.32.30.64/255.255.255.224:Enabled:SNS-135:UDP
"137:UDP"= 137:UDP:128.32.30.64/255.255.255.224:Enabled:mad:xpsp2res.dll,-22001

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-07-28 160792]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\6B.tmp [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-vptray - C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Traci Fitzharris\Application Data\Mozilla\Firefox\Profiles\csqkh8n9.default\
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Documents and Settings\Traci Fitzharris\Application Data\Mozilla\Firefox\Profiles\csqkh8n9.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 19:23:44
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\BM376968b1.txt 74 bytes
C:\WINDOWS\BM376968b1.xml 113053 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\6B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ookyajjb.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-09-30 19:29:02 - machine was rebooted [Traci Fitzharris]
ComboFix-quarantined-files.txt 2008-10-01 02:28:57
ComboFix2.txt 2008-09-29 01:36:04

Pre-Run: 6,058,442,752 bytes free
Post-Run: 6,888,837,120 bytes free

242 --- E O F --- 2008-09-10 01:33:49
 

Captain Planet

Thread Starter
Joined
Sep 28, 2008
Messages
6
Logfile of HijackThis v1.99.1
Scan saved at 7:38:51 PM, on 9/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM376968b1] Rundll32.exe "C:\WINDOWS\system32\ookyajjb.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Remind me, if I forget, to give you instructions for removing Recovery Console. You are ok for now.

Open Notepad and copy and paste the text in the quote box below into it:
KILLALL::
File::
C:\WINDOWS\BM376968b1.xml
C:\WINDOWS\system32\tthugigd.dll
C:\WINDOWS\system32\ookyajjb.dll
C:\WINDOWS\system32\JSssDcfe.ini2
Folder::
C:\Temp\xp34
Driver::
MEMSWEEP2
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM376968b1"=-

Save the file to you desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.




Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply with a new hijackthis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*]Archives
      [*]Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
I doubt it, but if you say so.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Now you should Clean up your PC


Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.



You're welcome!
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top