Looks like you might have a downloader worm.
I don't normally provide support in here, and our regular has pretty much called it quits, so it may take a while to get it done. I will try to help.
I have read three or four other logs regarding similar infections that suggest using Combofix and Sdfix?
There are some instructions that go along with those applications that need to be followed to the letter before you can delete any files, or fix anything in HJT..
Here's a quote from another log's fix suggestions.
Entries from your log:
Download and run CrapCleaner from http://www.ccleaner.com/
Note: in CCleaner, go to <options/advanced> and uncheck "Only delete files in Windows Temp folders older than 48 hours".
Download and install AVG Anti-Spyware from http://free.grisoft.com/doc/20/lng/us/tpl/v5 - Scroll down the page and click the "download the free version" Avg Anti-Spyware, then update it. Do not use AVG yet.
Double-click the icon on Desktop to launch AVGAS
You will need to update AVGAS to the latest definition files.
- On the top of the main screen click Shield
- Click the word active to change it to inactive
- On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
When you have finished updating, EXIT AVGAS.
Download SDFix from http://downloads.andymanchesta.com/R...ools/SDFix.exe and save it to your Desktop.
Double click SDFix.exe and it will extract the files to C:\SDFix\
Reboot into Safe Mode (without networking support!)
Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F} - C:\WINDOWS\system32\awtsPFVM.dll (file missing)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\system32\wmsdkns.exe
Exit Explorer, don't reboot yet!
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum). I need that log afterwards.
Once done, reboot to safe mode again.
Run AVG Anti-Spyware.
- Click Scanner
- Click on the Scan tab
- Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine, then click Apply all actions
Once finished, click the Save report button, then click Save Report As. This will create a text file.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
Make sure you know where to find this file again.
Note: If you are unable to run AVGAS in safe mode, restart in normal mode and perform a full system scan from there.
Restart in Normal Mode.
Post back:
1 - The c:\sdfix\report.txt log
2 - The AvgAs report
3 - A fresh HJT log
You may need more than one post for this, please do so.
We'll probably need to run other fixtools later.
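As an added example (not from this post or the quoted fix), here is a small Python triage script that parses HijackThis entries of the types listed above and flags the patterns the fix targets: extra executables chained onto the Winlogon UserInit value, and BHO/SSODL objects registered for a file that no longer exists or by bare filename instead of a full path. The sample log text and the "Example Helper" entry are constructed for the demonstration.

```python
import re

# Constructed sample log, modelled on the entry types the post tells the user
# to tick in HijackThis; the "Example Helper" line is a made-up benign entry.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
"""

# HJT lines look like "<kind> - <body>", e.g. "O2 - BHO: ..." or "F2 - REG:system.ini: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")

def parse_line(line):
    """Turn one HijackThis log line into a dict, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = {"kind": kind, "raw": line.strip()}
    if kind == "F2":
        # F2 - REG:system.ini: UserInit=<exe>[,<exe>...]
        key, _, value = body.partition("=")
        entry["key"] = key.rsplit(":", 1)[-1].strip()
        entry["values"] = [v.strip() for v in value.split(",") if v.strip()]
    else:
        # <category>: <name> - {CLSID} - <path | "(no file)" | "<file> (file missing)">
        category, _, rest = body.partition(":")
        parts = [p.strip() for p in rest.split(" - ")] + ["", "", ""]
        entry["category"] = category.strip()
        entry["name"], entry["clsid"], entry["path"] = parts[:3]
        entry["file_missing"] = entry["path"] == "(no file)" or entry["path"].endswith("(file missing)")
    return entry

def triage(entry):
    """Return the reasons an entry deserves a closer look (empty list = nothing seen)."""
    reasons = []
    if entry["kind"] == "F2" and entry.get("key", "").lower() == "userinit":
        # Winlogon normally launches only userinit.exe; anything else chained in runs at every logon.
        extra = [v for v in entry["values"] if not v.lower().endswith(r"\userinit.exe")]
        if extra:
            reasons.append("extra UserInit executable(s): " + ", ".join(extra))
    elif entry["kind"] in ("O2", "O21"):
        if entry["file_missing"]:
            reasons.append("%s registered for a file that does not exist" % entry["category"])
        elif not re.match(r"^[A-Za-z]:\\", entry["path"]):
            # a bare DLL name is resolved through the loader search order, not a fixed location
            reasons.append("%s registered by bare filename, not a full path" % entry["category"])
    return reasons

def suspicious_entries(log_text):
    """Parse a whole HJT log and return (raw line, reasons) for the entries worth reviewing."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        reasons = triage(entry) if entry else []
        if reasons:
            flagged.append((entry["raw"], reasons))
    return flagged

if __name__ == "__main__":
    for raw, reasons in suspicious_entries(SAMPLE_LOG):
        print(raw, "\n   ->", "; ".join(reasons))
```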