Please help with infected CPU.

**jholland1964** · 10-08-2007, 04:25 PM

One entry in the HJT log at least has me confused/concerned.....one time it shows, the next time it doesn't;
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"

Run HJT again and place checkmarks next to the following;

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: (no name) - {44CDB015-C0FC-4268-A704-926B3E02405F} - \
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\gfprhhne.dll (file missing)

O4 - HKLM\..\Run: [trioService] "C:\PROGRA~1\Freeze.com\3D Falling Leaves\\trioService.exe (I have read some bad things about this website, remove this item entirely from the computer)
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab

O20 - Winlogon Notify: rqrstrr - C:\WINDOWS\SYSTEM32\rqrstrr.dll

After you have placed the checkmarks then click the Fix Checked button

Exit HJT. Reboot the computer.

Show Hidden Files:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files". 9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Reboot in Safe Mode.
Navigate here and delete the file noted in RED;

C:\WINDOWS\winshow.exe

Reboot to normal modeRun a new ComboFix scan and new HJT scan, save the logs and post them here.

**eaglecarr** · 10-08-2007, 05:08 PM

New logs

**jholland1964** · 10-08-2007, 10:05 PM

Give me an online Kaspersky log. Ok?

**jholland1964** · 10-08-2007, 11:52 PM

Again reboot your computer in SAFE MODE.
Then go to

C:\WINDOWS\SYSTEM32\

Look for each of the following files and delete each below if found;
mfc71.dll
GB9
DL1
vMW10a
rqrstrr.dll

Then go to;

C:\WINDOWS\

Look for this and delete if found;
SmFtaWUgRmxhbm5lcg

Then go here;
C:\Program Files\
Look for and delete this;
Temporary

Then here C:\Temp delete that one.
Then reboot in normal mode.

Run one more ComboFix and one more HJT.
Almost done.

**eaglecarr** · 10-09-2007, 09:16 AM

I ran the kaspersky scan first.

I was able to find and remove all the files except the ones below:

C:\Windows\SYSTEM32\

GB9
DL1
vMW10a

C:\Windows\

SmFtaWUgRmxhbm5lcg

new combo and HJT scans below.

**jholland1964** · 10-09-2007, 10:37 AM

It all looks good to me;
You have some backup files from the various programs run that you can delete;
Do this in SAFE MODE please;
C:\VundoFix Backups....you can actually remove this entire program now.
C:\qoobox\Quarantine....these are the quarantined files removed by the ComboFix program.
C:\Program Files\Temporary\wininstall.exe....I am not certain if this one is still there since you said you removed this all ready.

Reboot the computer in Normal Mode. Set a new Restore point this way;
Right Click My Computer. Choose Properties, Then choose the System Restore Tab. Place a checkmark in Turn Off System Restore. It will then warn you that you are turning it off. Click ok. System Restore will shut down. Way a minute and then do the reverse and turn it back on. Then do another Kaspersky Online Scan and post the log here.

**eaglecarr** · 10-09-2007, 03:10 PM

o.k., here is new kaspersky.

Thread: Please help with infected CPU.

Thread Tools

Display

Hybrid View

Thread Information

Users Browsing this Thread

Posting Permissions