LOL-I don't know how the little blue face guy got in there..... I didn't do that!
Open notepad and copy/paste the text in the quote box below into it:
File::
C:\WINDOWS\system32\opxakaxb.dll
C:\WINDOWS\system32\giealbih.dll
C:\WINDOWS\system32\gcjwkrng.dll
C:\WINDOWS\system32\nmqocciq.dll
C:\WINDOWS\system32\ggjqnulb.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\teeycfgx.dll
C:\WINDOWS\BM1f552d2f.xml
C:\WINDOWS\system32\iyvcjtqe.dll
C:\WINDOWS\system32\ssqQjgfG.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\g92.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ssqQjHAt.dll
Save this as CFScript on your desktop.
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a fresh copy of HijackThis.
Let me know what problem persists.
Ok...here ya go-
ComboFix 08-05-15.2 - New Mom 2008-05-16 0:37:54.2 - NTFSx86
Running from: C:\Documents and Settings\New Mom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\New Mom\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\BM1f552d2f.xml
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\g92.exe
C:\WINDOWS\system32\gcjwkrng.dll
C:\WINDOWS\system32\ggjqnulb.dll
C:\WINDOWS\system32\giealbih.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\iyvcjtqe.dll
C:\WINDOWS\system32\nmqocciq.dll
C:\WINDOWS\system32\opxakaxb.dll
C:\WINDOWS\system32\ssqQjgfG.dll
C:\WINDOWS\system32\ssqQjHAt.dll
C:\WINDOWS\system32\teeycfgx.dll
C:\WINDOWS\system32\winpfz33.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\New Mom\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\New Mom\Local Settings\Temporary Internet Files\CPV.stt
C:\WINDOWS\BM1f552d2f.xml
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\g92.exe
C:\WINDOWS\system32\gcjwkrng.dll
C:\WINDOWS\system32\ggjqnulb.dll
C:\WINDOWS\system32\giealbih.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\iyvcjtqe.dll
C:\WINDOWS\system32\nmqocciq.dll
C:\WINDOWS\system32\opxakaxb.dll
C:\WINDOWS\system32\ssqQjgfG.dll
C:\WINDOWS\system32\ssqQjHAt.dll
C:\WINDOWS\system32\teeycfgx.dll
C:\WINDOWS\system32\winpfz33.sys
.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.
2008-05-15 11:40 . 2008-05-15 14:13 <DIR> d-------- C:\Documents and Settings\New Mom\.housecall6.6
2008-05-15 11:36 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-15 11:35 . 2008-05-15 11:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-15 08:25 . 2008-05-15 08:27 <DIR> d-------- C:\Program Files\Team6 game studios
2008-05-15 00:30 . 2008-05-15 00:30 2,652 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-15 00:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-15 00:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-15 00:29 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-15 00:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-15 00:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-15 00:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-15 00:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-15 00:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-14 21:01 . 2008-05-14 23:29 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-14 18:40 . 2008-05-14 18:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-14 18:40 . 2008-05-14 18:40 <DIR> d-------- C:\Documents and Settings\New Mom\Application Data\Malwarebytes
2008-05-14 18:40 . 2008-05-14 18:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-14 18:40 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-14 18:40 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-13 20:26 . 2008-05-13 20:27 <DIR> d-------- C:\Program Files\Panda Security
2008-05-13 19:00 . 2008-05-13 19:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-13 18:09 . 2008-05-13 18:09 <DIR> d-------- C:\Program Files\PCPitstop
2008-05-13 18:09 . 2008-05-13 18:09 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-05-13 17:51 . 2008-05-13 17:51 <DIR> d-------- C:\VundoFix Backups
2008-05-13 17:10 . 2008-05-13 17:12 <DIR> d-------- C:\Program Files\CleanUp!
2008-05-13 16:50 . 2008-05-13 16:50 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-13 16:50 . 2008-05-15 21:56 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-13 12:13 . 2008-05-13 12:13 <DIR> d-------- C:\Documents and Settings\New Mom\Application Data\Yahoo!
2008-05-13 12:12 . 2008-05-13 12:12 <DIR> d-------- C:\Documents and Settings\New Mom\Application Data\HPAppData
2008-05-13 12:11 . 2008-05-15 00:47 <DIR> d-------- C:\Documents and Settings\New Mom\Application Data\Spyware Terminator
2008-05-13 12:09 . 2008-05-15 21:31 <DIR> d-------- C:\Documents and Settings\New Mom
2008-05-13 12:09 . 2008-05-16 00:58 16,384 --ah----- C:\Documents and Settings\New Mom\ntuser.dat.LOG
2008-05-12 19:18 . 2008-05-12 19:18 <DIR> d-------- C:\Documents and Settings\Z-Man\Application Data\Yahoo!
2008-05-12 19:16 . 2008-05-12 19:16 <DIR> d-------- C:\Documents and Settings\Z-Man\Application Data\HPAppData
2008-05-12 19:14 . 2008-05-12 21:50 <DIR> d-------- C:\Documents and Settings\Z-Man\Application Data\Spyware Terminator
2008-05-12 19:05 . 2008-05-12 19:05 <DIR> d-------- C:\Documents and Settings\Keon\Application Data\Yahoo!
2008-05-12 19:03 . 2008-05-12 19:03 <DIR> d-------- C:\Documents and Settings\Keon\Application Data\HPAppData
2008-05-12 19:01 . 2008-05-12 19:51 <DIR> d-------- C:\Documents and Settings\Keon\Application Data\Spyware Terminator
2008-05-12 18:59 . 2008-05-12 21:39 <DIR> d-------- C:\Documents and Settings\Keon
2008-05-12 18:59 . 2008-05-16 00:57 1,024 --ah----- C:\Documents and Settings\Keon\ntuser.dat.LOG
2008-05-12 18:58 . 2008-05-16 00:57 1,024 --ah----- C:\Documents and Settings\Z-Man\ntuser.dat.LOG
2008-05-12 18:53 . 2008-05-12 19:12 <DIR> d-------- C:\Documents and Settings\Z-Man
2008-05-12 18:15 . 2008-05-16 00:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-12 18:15 . 2008-05-12 18:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-12 17:37 . 2008-05-14 15:19 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-05-12 16:00 . 2008-05-12 19:43 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\Spyware Terminator
2008-05-12 16:00 . 2008-05-15 00:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-05-12 16:00 . 2008-05-12 16:00 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-05-12 15:59 . 2008-05-15 00:47 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-05-11 13:11 . 2008-05-11 13:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\HPAppData
2008-05-11 13:07 . 2008-05-11 13:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-05-11 12:13 . 2008-05-12 16:50 <DIR> d-------- C:\WINDOWS\system32\winRem
2008-05-11 12:13 . 2008-05-14 20:30 <DIR> d-------- C:\WINDOWS\system32\spoolX
2008-05-11 12:13 . 2008-05-14 20:30 <DIR> d-------- C:\WINDOWS\system32\MUI2
2008-05-11 12:13 . 2008-05-15 02:18 <DIR> d-------- C:\WINDOWS\system32\cdfig
2008-05-11 12:13 . 2008-05-12 16:50 <DIR> d-------- C:\WINDOWS\system32\1036a
2008-05-11 12:13 . 2008-05-15 21:57 <DIR> d-------- C:\Temp
2008-05-07 17:16 . 2008-05-15 00:54 <DIR> d-------- C:\Program Files\FrostWire
2008-05-03 00:12 . 2008-05-03 00:12 <DIR> d-------- C:\Program Files\MP3
2008-05-03 00:12 . 2008-05-03 00:12 <DIR> d-------- C:\Documents and Settings\Mom\WINDOWS
2008-05-03 00:12 . 1998-01-23 12:22 304,128 --a------ C:\WINDOWS\IsUninst.exe
2008-04-28 18:09 . 2008-04-28 18:09 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Yahoo!
2008-04-28 18:09 . 2008-04-28 18:09 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\HPAppData
2008-04-28 18:07 . 2008-04-28 18:07 <DIR> d-------- C:\Documents and Settings\Guest
2008-04-28 18:07 . 2008-05-15 21:56 1,024 --ah----- C:\Documents and Settings\Guest\ntuser.dat.LOG
2008-04-28 17:17 . 2008-04-28 17:18 452 --a------ C:\WINDOWS\CDPLAYER.UNI
2008-04-28 17:15 . 2008-04-28 17:15 <DIR> d-------- C:\WINDOWS\Free CD Music Converter
2008-04-28 17:15 . 2008-04-28 17:15 <DIR> d-------- C:\Program Files\Free CD Music Converter
2008-04-21 10:35 . 2008-04-21 10:35 <DIR> d-------- C:\Program Files\iPod
2008-04-21 10:34 . 2008-04-21 10:35 <DIR> d-------- C:\Program Files\iTunes
2008-04-21 10:25 . 2008-04-21 10:25 <DIR> d-------- C:\Program Files\Apple Software Update
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 15:36 --------- d-----w C:\Program Files\Java
2008-05-15 14:57 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-15 04:53 --------- d-----w C:\Program Files\Coupons
2008-05-15 02:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-13 16:10 --------- d-----w C:\Program Files\Web Publish
2008-05-13 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\River Past G5
2008-05-07 21:16 --------- d-----w C:\Program Files\LimeWire
2008-05-04 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-30 23:05 --------- d-----w C:\Documents and Settings\Mom\Application Data\LimeWire
2008-04-21 14:32 --------- d-----w C:\Program Files\QuickTime
2008-04-15 23:13 --------- d-----w C:\Program Files\PhotoScape
2008-04-12 19:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-11 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-03-26 02:34 --------- d-----w C:\Program Files\The Print Shop 20
2008-03-26 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Riverdeep Interactive Learning Limited
2008-03-26 02:15 --------- d-----w C:\Program Files\Common Files\Broderbund
2008-03-26 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Broderbund Software
2008-03-25 22:20 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-18 04:03 --------- d-----w C:\Documents and Settings\Mom\Application Data\ieSpell
2006-11-14 08:48 0 ----a-w C:\Program Files\Common Files\err.log
2005-07-29 20:24 472 --sha-r C:\WINDOWS\TVIuIEhPVFJPRA\npKRKH1jpILjlE.vbs
.
((((((((((((((((((((((((((((( snapshot@2008-05-15_22.32.52.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-16 02:03:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-16 04:42:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-30 19:26 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-11-02 10:03 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 09:59 126976]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43 90112]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 10:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-05-12 16:00 1817600]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe" [ ]
C:\Documents and Settings\Z-Man\Start Menu\Programs\Startup\
prf105.tmp [2008-05-12 18:53:05 0]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntivirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-05-12 16:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 20:01:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-14 22:00:04 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 00:57:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-05-16 1:04:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-16 05:04:07
ComboFix2.txt 2008-05-16 02:33:26
Pre-Run: 25,326,915,584 bytes free
Post-Run: 25,370,316,800 bytes free
217 --- E O F --- 2008-05-14 07:02:09
--------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:10 AM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops....gi3.0.84.2.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/...ad/XUpload.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 7539 bytes
So far I haven't gotten any pop ups or windows opening up!!
Should I be concerned about -
"WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!"
Just wanted to double check!
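The CFScript above asks ComboFix to remove 14 files, and the log that came back lists what was actually removed under "Other Deletions"; the same log also shows Security Center's AntivirusOverride set to 1. As an added example (not code from the thread or from ComboFix), this Python script cross-checks the requested deletions against the log and flags that override; the CFScript and log it reads are constructed, abridged from the posts, with gside.exe deliberately left out of the deletions.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix produced.

Added example for this thread, not ComboFix's own code. Assumed format, taken
from the posts: 'File::' is followed by one path per line in the CFScript; the
log lists removed paths under '((( Other Deletions )))'.
"""
import re

# Constructed sample: four of the 14 paths from the CFScript posted above.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\opxakaxb.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\BM1f552d2f.xml
C:\WINDOWS\system32\winpfz33.sys
"""

# Constructed sample log, abridged from the post; gside.exe is deliberately
# absent from the deletions to show how a file that survived is reported.
COMBOFIX_LOG = r"""ComboFix 08-05-15.2 - New Mom 2008-05-16 0:37:54.2 - NTFSx86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\New Mom\Local Settings\Temporary Internet Files\CPV.stt
C:\WINDOWS\BM1f552d2f.xml
C:\WINDOWS\system32\opxakaxb.dll
C:\WINDOWS\system32\winpfz33.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntivirusOverride"=dword:00000001
"""

BANNER = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+\s*$")


def parse_cfscript(text):
    """Return {directive: [entries]}; a directive is a line ending in '::'."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("::"):
            current = line[:-2].lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def log_sections(text):
    """Split a ComboFix log on its '((( title )))' banners -> {title: [lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        match = BANNER.match(line)
        if match:
            current = match.group("title").lower()
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def verify_deletions(cfscript_text, log_text):
    """Return (confirmed, survived, unrequested): File:: paths the log shows as
    removed, File:: paths it does not, and removals ComboFix made on its own.
    Windows paths are case-insensitive, so comparison is done in lower case."""
    requested = parse_cfscript(cfscript_text).get("file", [])
    deleted = {p.lower(): p for p in log_sections(log_text).get("other deletions", [])}
    requested_lc = {p.lower() for p in requested}
    confirmed = [p for p in requested if p.lower() in deleted]
    survived = [p for p in requested if p.lower() not in deleted]
    unrequested = [p for key, p in deleted.items() if key not in requested_lc]
    return confirmed, survived, unrequested


def antivirus_alert_suppressed(log_text):
    """True if the log shows Security Center's AntivirusOverride set to 1, the
    value that silences the 'no antivirus installed' warning."""
    reg = "\n".join(log_sections(log_text).get("reg loading points", []))
    pattern = (r"\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\]\s*"
               r'"AntivirusOverride"=dword:0*1\b')
    return re.search(pattern, reg, re.IGNORECASE) is not None
```

Run against the full posted log, the same check would confirm all 14 CFScript entries under "Other Deletions" and report the two bestwiner.stt / CPV.stt files as deletions ComboFix made on its own.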
The logs look good. Now you need to download and install an anti-virus program...any of those here are fine;
PROTECT YOURSELF FROM MALWARE: Tools & Tips
You also need to either enable the built in Windows Firewall or choose one listed in the link above.
You also should download and install SpywareBlaster, link is also found in the thread listed above. Great program, DOES NOT run in the background but offers a HUGE amount of protection.
I also noticed in your log that you have some P2P file sharing programs, Limewire and Frostwire specifically. This is something we really do not recommend and is VERY likely the way all of these trojans came onto the computer in the first place. I STRONGLY recommend that you uninstall these programs via Add/Remove and stop file sharing. As you can see, it can be a VERY Dangerous activity. Might be a cheap way to get some programs, but you really don't know who they come from OR what is in them. I always liken file sharing with a stranger to finding a sandwich on a table in a restaurant...you don't know who left it there...yes it is free...but would you eat it?
To uninstall ComboFix.exe and all backups of files that it deleted:
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Once you have installed the new anti-virus program, firewall, SpywareBlaster and removed Combofix then you should set a new System Restore point by following the instructions in the thread you first followed for clean up instructions.
You do have several unnecessary programs running automatically at start up which are not required at start up and can easily be run manually when you need them. I recommend Mike Lin's StartUpControl Panel as a FREE and easy way to control auto starts.
These are the ones I see which do not need to run at start up;
HP Software Update
Adobe Reader Speed Launcher
QuickTime Task
iTunesHelper
SunJavaUpdateSched
GoogleToolbarNotifier
FlashPlayerUpdate
I also still recommend uninstalling Spyware Terminator...it did you NO good whatsoever. Why have it on there if it doesn't work, and it didn't.
To install the Recovery Console follow the steps HERE
Judy
Hi Judy-
I'm on the step of the startup control. I installed it but I can't find anything to click on to open the program. Can you help me out with that?
Also, I keep getting a "windows is low on virtual memory" pop up.
Just double click the Start Up program in the Control Panel, icon looks like a little computer, and it will open.
To check your Virtual Memory settings Right Click on My Computer. Choose Properties. When System Properties opens click on the Advanced Tab. When that opens then click on the Advanced Tab there. When that opens click on the bottom button, Change. When that opens note what is there and post back here with the information. You should see something like this; Paging file size at the top and it will show you something like 1536-3072;
In the middle you will see boxes with 2 different numbers, give me those and then at the bottom you will see 3 listings; Minimum Allowed, Recommended and Currently Allocated.
Give me all those numbers.
I don't see another advanced tab after clicking the advanced tab in System Properties. Once I click the AT in SP my only options are
Performance
User Profiles
Startup & Recovery
Whoops, my error. Click on Performance right there, then Settings, Then Advanced, then Change. You don't have to change anything now, I just want the numbers so when you get those just "x" out of it.