
taskmanager/run/annoying pop ups.

Discussion in 'Virus & Other Malware Removal' started by gophers, Nov 9, 2007.

Thread Status:
Not open for further replies.
  1. gophers

    gophers Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    9
    Hello, I 'just' reformatted last night.

    Currently I have been to / installed:
    installed AVG Anti-Virus (and updated)
    installed Firefox
    installed WoW
    www.worldofwarcraft.com

    this website and pchell.com

    I was having problems accessing Task Manager, but I got a utility and fixed that.

    My current issue right now is that "Run" isn't listed under my Start menu; if I hit Windows key+R:
    "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

    The problem with this is I AM the system administrator, this is MY PC, and I have not gone into any options to disable such things.

    Also, whenever I am browsing (say now, for example), the window I have selected will act as if a pop-up is coming: it makes the little click noise like a pop-up is coming, but nothing shows up.

    Whenever I load World of Warcraft, every 5-10 seconds the game minimizes itself and does the same thing.

    I have run AVG Anti-Virus and it picked up some viruses and malware that I got rid of, but more and more keep coming since it didn't pick everything up.
     
  2. gophers

    gophers Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    9
    Here is my HijackThis log file.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:54:19 AM, on 11/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\system32\inf\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\mrofinu572.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wpabaln.exe
    C:\Documents and Settings\mike\Desktop\HijackThis.exe

    F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
    O2 - BHO: {fcaccaf1-3a52-73ca-14b4-17f3812a2944} - {4492a218-3f71-4b41-ac37-25a31faccacf} - C:\WINDOWS\system32\sojdbuxx.dll
    O2 - BHO: (no name) - {5AA97595-4BFC-4AF4-AA5D-1C9817B470AB} - C:\Program Files\Online Services\meqorafeq4444.dll (file missing)
    O2 - BHO: 0 - {81D13033-2EC6-43EA-A487-590F931C15C8} - C:\Program Files\MSN Gaming Zone\qucal.dll (file missing)
    O2 - BHO: (no name) - {EB744239-5546-4157-9CD8-4A4277312433} - C:\Program Files\Online Services\meqorafeq83122.dll (file missing)
    O2 - BHO: (no name) - {FD2CF41E-A8BE-448A-9BCC-959D9FBB689A} - C:\WINDOWS\system32\ddayy.dll (file missing)
    O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    O4 - HKLM\..\Run: [rtasks] C:\Program Files\SpyGuardPro\rtasks.exe
    O4 - HKLM\..\Run: [481d72b3] rundll32.exe "C:\WINDOWS\system32\epboqaal.dll",b
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1194608379546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194608371718
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Z29waGVy\command.exe (file missing)
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jqrqmxat.exe (file missing)
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

    I don't understand how to read this whatsoever, and this is getting really frustrating. Any help would be much appreciated, thank you.
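The log the thread starter says he cannot read has a regular line format, and the entries a helper looks at first (orphaned hooks, policy restrictions, system binaries in the wrong folder, the same autostart name in several hives) can be flagged mechanically. The script below is an added example, not part of this thread or of HijackThis; its sample input is a handful of lines copied from the logs above, and the heuristics and the canonical-location table are assumptions chosen for this thread's entries, not a complete ruleset.

```python
import re

# Constructed sample input: lines copied from the HijackThis logs posted in
# this thread, so the heuristics can be exercised offline.
SAMPLE_LOG = [
    r"Running processes:",
    r"C:\WINDOWS\system32\svchost.exe",
    r"F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe",
    r"O2 - BHO: (no name) - {5AA97595-4BFC-4AF4-AA5D-1C9817B470AB} - C:\Program Files\Online Services\meqorafeq4444.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe",
    r'O4 - HKLM\..\Run: [481d72b3] rundll32.exe "C:\WINDOWS\system32\epboqaal.dll",b',
    r"O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt",
    r"O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe",
    r"O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jqrqmxat.exe (file missing)",
]

# Where Windows XP keeps a few binaries that malware likes to impersonate by
# dropping a same-named file elsewhere (C:\WINDOWS\svchost.exe in this thread).
# Assumed table; extend it for the system being examined.
CANONICAL_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
AUTORUN_RE = re.compile(r"^(?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# First drive-letter path ending in an executable extension (spaces allowed).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|pif|bat))', re.IGNORECASE)


def triage(lines):
    """Return (section, reason, line) triples for entries worth a closer look."""
    findings = []
    seen = {}  # autostart value name -> set of registry locations it was found in
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        sec, body = m.group("sec"), m.group("body")
        low = body.lower()

        if "(file missing)" in low or "(no file)" in low:
            findings.append((sec, "orphaned entry: referenced file is gone but the hook remains", line))
        if sec == "F3":
            findings.append((sec, "win.ini load= autostart; obsolete and rarely used legitimately", line))
        if sec == "O7":
            findings.append((sec, "policy restriction set; explains blocked Run/regedit/Task Manager", line))
        if sec == "O2" and low.startswith("bho: (no name)"):
            findings.append((sec, "unnamed BHO", line))

        pm = PATH_RE.search(body)
        if pm:
            folder, _, name = pm.group(1).lower().rpartition("\\")
            expected = CANONICAL_DIRS.get(name)
            if expected and folder != expected:
                findings.append((sec, f"{name} outside its normal location {expected}", line))

        if sec == "O4":
            am = AUTORUN_RE.match(body)
            if am:
                hive, key, name, cmd = am.group("hive", "key", "name", "cmd")
                if key.lower() == "runservices":
                    findings.append((sec, "RunServices key is Win9x-era; seldom used by legitimate software on XP", line))
                if re.fullmatch(r"[0-9a-f]{8,}", name.lower()):
                    findings.append((sec, f"random-looking value name '{name}'", line))
                if not PATH_RE.search(cmd):
                    findings.append((sec, "autostart command has no full path; resolve it by hand", line))
                seen.setdefault(name.lower(), set()).add(f"{hive}\\{key}")

    # One value name planted under several hives is a persistence pattern, not a coincidence.
    for name, places in seen.items():
        if len(places) > 1:
            findings.append(("O4", f"autostart '{name}' appears in {len(places)} hives: " + ", ".join(sorted(places)), name))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Entries that the script does not flag are not thereby clean; it only orders the reading, and every hit still needs the manual judgement the moderator asks for before anything is fixed.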
     
  3. gophers

    gophers Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    9
    UPDATED HIJACKTHIS

    Logfile of HijackThis v1.99.1
    Scan saved at 12:33:28 PM, on 11/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\system32\inf\svchost.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\mike\Desktop\HijackThis.exe

    F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
    O2 - BHO: {fcaccaf1-3a52-73ca-14b4-17f3812a2944} - {4492a218-3f71-4b41-ac37-25a31faccacf} - C:\WINDOWS\system32\sojdbuxx.dll
    O2 - BHO: (no name) - {5AA97595-4BFC-4AF4-AA5D-1C9817B470AB} - C:\Program Files\Online Services\meqorafeq4444.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: 0 - {81D13033-2EC6-43EA-A487-590F931C15C8} - C:\Program Files\MSN Gaming Zone\qucal.dll (file missing)
    O2 - BHO: (no name) - {EB744239-5546-4157-9CD8-4A4277312433} - C:\Program Files\Online Services\meqorafeq83122.dll (file missing)
    O2 - BHO: (no name) - {FD2CF41E-A8BE-448A-9BCC-959D9FBB689A} - C:\WINDOWS\system32\ddayy.dll (file missing)
    O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [rtasks] C:\Program Files\SpyGuardPro\rtasks.exe
    O4 - HKLM\..\Run: [481d72b3] rundll32.exe "C:\WINDOWS\system32\epboqaal.dll",b
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1194608379546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194608371718
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Z29waGVy\command.exe (file missing)
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jqrqmxat.exe (file missing)
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    If you just formatted yesterday, how did you get reinfected so fast?

    First, that is the old version of HJT; uninstall it &
    go here and download the 'Hijack This!' self-installer. Save it to the desktop or other suitable place. DO NOT just press run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu.
    Click on the entry in start menu to run HijackThis
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.

    then

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    There is NO sign of any antivirus on those logs, so that is why you have been infected so quickly.
     
  5. gophers

    gophers Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    9
    My SDFix log

    SDFix: Version 1.114

    Run by Administrator on Sat 11/10/2007 at 01:28 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\mrofinu572.exe.tmp - Deleted
    C:\WINDOWS\mrofinu1000106.exe - Deleted
    C:\WINDOWS\svchost.exe - Deleted
    C:\WINDOWS\system32\~.exe - Deleted
    C:\WINDOWS\system32\explorer.exe - Deleted
    C:\WINDOWS\system32\ramtmb.dll - Deleted
    C:\WINDOWS\system32\sft.res - Deleted
    C:\WINDOWS\TTC-4444.exe - Deleted


    Folder C:\Program Files\Temporary - Removed
    Folder C:\Temp\1cb - Removed

    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-10 13:31:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\system32\\jqrqmxat.exe"="C:\\WINDOWS\\system32\\jqr"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Codemasters\\RF Online\\RF.exe"="C:\\Program Files\\Codemasters\\RF Online\\RF.exe:*:Enabled:RFLauncher"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Disabled:Blizzard Downloader"
    "C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Fri 9 Nov 2007 20,640 ..SH. --- "C:\WINDOWS\system32\wxoexuhd.dllbox"
    Fri 9 Nov 2007 423,147 ..SH. --- "C:\WINDOWS\system32\yyadd.bak1"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico84.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico85.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico86.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico87.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico88.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico89.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico8A.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico8B.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico8C.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico8D.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico90.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico91.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico92.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico93.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico94.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico95.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico96.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico97.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico98.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico99.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico9B.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico9C.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico9D.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico9E.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\ico9F.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoA0.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoA1.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoA2.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoA3.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoA4.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoA7.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoA8.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoA9.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoAA.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoAB.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoAC.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoAD.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoAE.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoAF.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoB0.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoB2.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoB3.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoB4.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoB5.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoB6.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoB7.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoB8.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoB9.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoBA.tmp"
    Fri 9 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\mike\Local Settings\Temp\icoBB.tmp"

    Finished!
     
  6. gophers

    gophers Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    9
    My HijackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:36:52 PM, on 11/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\NOTEDAD.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\mike\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
    O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1194608379546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194608371718
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\rtelez.html

    --
    End of file - 5768 bytes

    Also, AVG was my anti-virus; I updated to Kaspersky though :D
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Next:

    Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
    To disable SpybotSD TeaTimer:

    Open Spybot and click on Mode and check Advanced Mode
    Check yes to next window.
    Click on Tools in bottom left hand corner.
    Click on System Startup icon.
    Uncheck Teatimer box.
    Click Allow Change box.

    You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

    Then:

    Download ComboFix to your desktop:

    * Double-click combofix.exe & follow the prompts.
    * When finished, it shall produce a log for you. Post that log in your next reply.


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  8. gophers

    gophers Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    9
    ComboFix 07-11-08.1 - mike 2007-11-10 17:44:54.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1352 [GMT -8:00]
    Running from: C:\Documents and Settings\mike\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data.\salesmonitor
    C:\Documents and Settings\mike\Favorites\Online Security Guide.lnk
    C:\Program Files\MSN Gaming Zone\rtelez.html
    C:\temp\tn3
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\mwinsys.ini
    C:\WINDOWS\notedad.exe
    C:\WINDOWS\System\AlxRes071109.exe
    C:\WINDOWS\system32\explorer.exe
    C:\WINDOWS\system32\iexplorer.dll .dbt
    C:\WINDOWS\system32\inf\scrsys071109.scr
    C:\WINDOWS\system32\inf\scrsys16_071109.dll
    C:\WINDOWS\system32\mp43.exe
    C:\WINDOWS\system32\mywebhit.ini
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\winsys16_071109.dll
    C:\WINDOWS\system32\winsys32_071109.dll
    C:\WINDOWS\system32\wxoexuhd.dllbox

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_NETWORK_MONITOR


    ((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
    .

    2007-11-10 17:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-10 13:27 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-11-10 13:20 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-11-10 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-10 13:20 150,560 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-11-10 13:20 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-11-10 13:20 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-11-10 13:20 5,664 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-11-10 12:54 <DIR> d-------- C:\Documents and Settings\mike\Application Data\Azureus
    2007-11-10 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
    2007-11-10 12:53 <DIR> d-------- C:\Program Files\Azureus
    2007-11-09 23:51 <DIR> d-------- C:\Documents and Settings\mike\Application Data\Yahoo!
    2007-11-09 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2007-11-09 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-11-09 23:50 <DIR> d-------- C:\Program Files\Yahoo!
    2007-11-09 23:42 <DIR> d-------- C:\WINDOWS\pss
    2007-11-09 23:40 <DIR> d-------- C:\Program Files\Winamp
    2007-11-09 23:40 <DIR> d-------- C:\Documents and Settings\mike\Application Data\Winamp
    2007-11-09 21:28 <DIR> d-------- C:\Program Files\Codemasters
    2007-11-09 16:32 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-11-09 16:32 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-11-09 16:32 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-11-09 16:32 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-11-09 15:51 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-11-09 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-09 13:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
    2007-11-09 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-11-09 11:54 <DIR> d-------- C:\Documents and Settings\mike\.housecall6.6
    2007-11-09 11:53 <DIR> d-------- C:\WINDOWS\Sun
    2007-11-09 11:53 <DIR> d-------- C:\Program Files\Java
    2007-11-09 11:52 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-11-09 11:52 671 --a------ C:\WINDOWS\mozver.dat
    2007-11-09 10:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
    2007-11-09 03:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
    2007-11-09 03:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-11-09 03:41 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-11-09 03:39 43,352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-11-09 03:38 <DIR> d--hs---- C:\Documents and Settings\mike\UserData
    2007-11-09 03:37 <DIR> d-------- C:\Documents and Settings\gophers\Application Data\Talkback
    2007-11-09 03:37 77,824 --a------ C:\WINDOWS\MicroSoft.pif
    2007-11-09 03:37 198 --a------ C:\WINDOWS\MicroSoft.vbs
    2007-11-09 03:15 <DIR> d-------- C:\WINDOWS\system32\inf
    2007-11-09 03:08 <DIR> d-------- C:\Documents and Settings\gophers\Application Data\ATI
    2007-11-09 02:54 <DIR> d-------- C:\Documents and Settings\mike\Application Data\Ventrilo
    2007-11-09 02:54 9,409,536 --a------ C:\WINDOWS\system32\RTLCPL.EXE
    2007-11-09 02:54 2,324,160 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2007-11-09 02:54 294,912 --a------ C:\WINDOWS\alcupd.exe
    2007-11-09 02:54 200,704 --a------ C:\WINDOWS\alcrmv.exe
    2007-11-09 02:54 156,672 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
    2007-11-09 02:54 77,824 --a------ C:\WINDOWS\SOUNDMAN.EXE
    2007-11-09 02:54 40,960 --a------ C:\WINDOWS\system32\ChCfg.exe
    2007-11-09 02:51 <DIR> d-------- C:\Program Files\Ventrilo
    2007-11-09 02:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-09 01:25 88,128 --a------ C:\WINDOWS\system32\epboqaal.dll
    2007-11-09 01:24 77,888 --a------ C:\WINDOWS\system32\sojdbuxx.dll
    2007-11-09 00:55 35,840 --a------ C:\WINDOWS\17PHolmes572.exe
    2007-11-09 00:53 423,147 ---hs---- C:\WINDOWS\system32\yyadd.bak1
    2007-11-09 00:51 <DIR> d-------- C:\Documents and Settings\mike\Application Data\SpyGuardPro
    2007-11-09 00:51 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2007-11-09 00:51 89,088 --a------ C:\WINDOWS\system32\atl71.dll
    2007-11-09 00:51 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2007-11-09 00:50 <DIR> d-------- C:\WINDOWS\system32\stats8
    2007-11-09 00:50 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
    2007-11-09 00:50 <DIR> d-------- C:\WINDOWS\system32\revs2
    2007-11-09 00:50 <DIR> d-------- C:\WINDOWS\system32\hdrv2
    2007-11-09 00:50 <DIR> d-------- C:\WINDOWS\system32\frd1
    2007-11-09 00:50 <DIR> d-------- C:\Temp\abW9
    2007-11-09 00:50 <DIR> d-------- C:\Temp
    2007-11-09 00:48 20,480 --a------ C:\WINDOWS\quit.exe
    2007-11-09 00:08 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-11 01:46 4,112 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-11-11 01:46 1,580 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-11-10 05:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-10 00:48 --------- d-----w C:\Program Files\World of Warcraft
    2007-11-09 20:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-09 07:53 --------- d-----w C:\Program Files\Common Files\SWF Studio
    2007-11-09 07:52 --------- d-----w C:\Documents and Settings\mike\Application Data\ATI
    2007-11-09 07:50 --------- d-----w C:\Program Files\ATI Technologies
    2007-11-09 07:45 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-11-09 07:36 --------- d-----w C:\Documents and Settings\mike\Application Data\Talkback
    2007-11-09 07:25 --------- d-----w C:\Program Files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2005-07-26 10:16]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-09 21:28]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    [2007-08-31 16:46]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
    "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e122e2db-8e4a-11dc-9c53-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-10 17:47:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-10 17:49:06 - machine was rebooted
    .
    --- E O F ---
     
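The moderator's CFScript below lists exactly seven files out of the hundred-odd entries in the "Files Created" section, and three of the legitimate Realtek executables (SOUNDMAN.EXE, alcupd.exe, alcrmv.exe) sit in the same C:\WINDOWS directory as the droppers. The following is an added example, not ComboFix's output or the moderator's code, of how such a listing can be triaged programmatically by correlating weak indicators with strong ones on the timeline. The parser handles the line layout shown in the log above; the indicator rules (8-letter lowercase .dll names in system32, hidden+system attributes on a file, .pif/.vbs loose in the Windows directory, and a 10-minute correlation window for plain .exe files) are assumptions tuned against this particular log, not a general scanner, and the sample input is a constructed subset of the posted listing.

```python
# Added example for this thread (not ComboFix's or the moderator's code): triage a
# ComboFix "Files Created" listing by correlating weak indicators with strong ones.
# The rules are assumptions tuned on the log posted above, not a general scanner.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: a subset of the listing posted in this thread.
SAMPLE_LISTING = r"""
2007-11-09 03:37 77,824 --a------ C:\WINDOWS\MicroSoft.pif
2007-11-09 03:37 198 --a------ C:\WINDOWS\MicroSoft.vbs
2007-11-09 02:54 9,409,536 --a------ C:\WINDOWS\system32\RTLCPL.EXE
2007-11-09 02:54 294,912 --a------ C:\WINDOWS\alcupd.exe
2007-11-09 02:54 200,704 --a------ C:\WINDOWS\alcrmv.exe
2007-11-09 02:54 77,824 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-11-09 02:51 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-09 01:25 88,128 --a------ C:\WINDOWS\system32\epboqaal.dll
2007-11-09 01:24 77,888 --a------ C:\WINDOWS\system32\sojdbuxx.dll
2007-11-09 00:55 35,840 --a------ C:\WINDOWS\17PHolmes572.exe
2007-11-09 00:53 423,147 ---hs---- C:\WINDOWS\system32\yyadd.bak1
2007-11-09 00:51 <DIR> d-------- C:\Documents and Settings\mike\Application Data\SpyGuardPro
2007-11-09 00:51 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-09 00:51 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-09 00:50 <DIR> d-------- C:\WINDOWS\system32\stats8
2007-11-09 00:48 20,480 --a------ C:\WINDOWS\quit.exe
2007-11-09 00:08 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
"""

# ComboFix line layout: "YYYY-MM-DD HH:MM  <DIR>|size  attrs (9 chars: d r a h s c ...)  path"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")
WINDIR = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"
SCRIPT_EXTS = {"pif", "vbs", "scr", "bat", "cmd", "com"}  # assumed: never legitimately loose in WINDIR
WINDOW = timedelta(minutes=10)  # assumed correlation window for weak indicators


@dataclass
class Entry:
    when: datetime
    is_dir: bool
    hidden: bool
    system: bool
    path: str

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def stem_ext(self):
        stem, _, ext = self.path.rsplit("\\", 1)[1].rpartition(".")
        return stem, ext.lower()


def parse_listing(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip headers, blank lines and anything not in listing format
        when, _size, attrs, path = m.groups()
        entries.append(Entry(datetime.strptime(when, "%Y-%m-%d %H:%M"),
                             attrs[0] == "d", attrs[3] == "h", attrs[4] == "s", path))
    return entries


def strong_reason(e: Entry):
    """STRONG indicator: reported on its own, no corroboration needed."""
    if e.is_dir:
        return None
    stem, ext = e.stem_ext
    if e.parent == SYSTEM32 and ext == "dll" and re.fullmatch(r"[a-z]{8}", stem):
        return "random-looking 8-letter DLL in system32"
    if e.hidden and e.system:
        return "file carrying hidden+system attributes"
    if e.parent == WINDIR and ext in SCRIPT_EXTS:
        return "script/PIF dropped directly into the Windows directory"
    return None


def triage(text: str) -> dict:
    """Return {path: reason} for files worth a File:: line in a CFScript."""
    entries = parse_listing(text)
    flagged = {e.path: r for e in entries if (r := strong_reason(e))}
    strong_times = [e.when for e in entries if e.path in flagged]
    # WEAK indicator: a plain .exe in the Windows directory. Realtek's SOUNDMAN.EXE lives
    # there legitimately, so only report one created within WINDOW of a strong indicator.
    for e in entries:
        if e.is_dir or e.parent != WINDIR or e.stem_ext[1] != "exe" or e.path in flagged:
            continue
        if any(abs(e.when - t) <= WINDOW for t in strong_times):
            flagged[e.path] = "exe in Windows directory created alongside a strong indicator"
    return flagged


if __name__ == "__main__":
    for path, reason in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{path:45} {reason}")
```

On the sample above this reports the same seven paths the moderator put under File:: and nothing else; the point is the time correlation, which is what separates the 00:48-01:25 burst from the Realtek driver files installed at 02:54. Folders are deliberately left out: the same correlation would also pull in Windows' own $hf_mig$ and UserData directories created minutes after MicroSoft.pif, so folder entries still need a human to look at them.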
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Open Notepad and copy and paste the text in the code box below into it:



    Code:
    File::
    C:\WINDOWS\system32\epboqaal.dll
    C:\WINDOWS\system32\sojdbuxx.dll
    C:\WINDOWS\17PHolmes572.exe
    C:\WINDOWS\system32\yyadd.bak1
    C:\WINDOWS\quit.exe
    C:\WINDOWS\MicroSoft.pif
    C:\WINDOWS\MicroSoft.vbs
    Folder::
    C:\Documents and Settings\mike\Application Data\SpyGuardPro
    C:\WINDOWS\system32\stats8
    C:\WINDOWS\system32\rMa01yy
    C:\WINDOWS\system32\revs2
    C:\WINDOWS\system32\hdrv2
    C:\WINDOWS\system32\frd1
    C:\Temp\abW9
    C:\Temp
    


    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    and

    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
      • In the Processes group click Non-Microsoft.
      • In the Win32 Services group click Non-Microsoft.
      • In the Driver Services group click Non-Microsoft.
      • In the Registry group click ALL.
      • In the Files Created Within group click 30 days. Make sure Non-Microsoft only is CHECKED.
      • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is CHECKED.
      • In the File String Search group select ALL.
      • In the Additional Scans section please press Select All and then unselect Event Viewer. Uncheck Non-Microsoft only.
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that Notepad file.
    Use the Reply button and attach the Notepad file here. I will review it when it comes in.
     
  10. gophers

    gophers Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    9
    I think I attached it right.
     

    Attached Files:

  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    I think there are still a few problems there.

    Please post the ComboFix report so we can be sure.
     
Short URL to this thread: https://techguy.org/649877
