ConHook, Broadcaster.com, Vundo Trojan & 20 other bad things!



#1
hottiemom24

I have spent 2 days trying to clean off my kids' computer of Spyware, Malware, Trojans, Worms and PopUps. Obviously they have been clicking on things on the internet that they shouldn't and I must not have had enough protection on the computer! Just when I think all the stuff is gone, I have more issues. Manually cleaning off most of the stuff myself. I have also run absolutely everything I can think of. I downloaded and ran the Vundo fix. It says that my system has no files from the trojan. I have run and installed just about everything in order to clean this system. I still get those pop unders.....the ones that pop up when I don't have a browser open and the pop ups as well. I had stuff taking over my programs and automatically shutting down my Spy Doctor program. This stuff also took over my desktop...now the whole system is running slower. I am at my wits end!! Please help!!

Here is the latest HiJack This logfile:

Logfile of HijackThis v1.99.1
Scan saved at 9:50:31 PM, on 4/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\windows\System32\wuauclt.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starfall.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\windows\System32\tmpB.tmp.dll (file missing)
O2 - BHO: (no name) - {d4fd0bfa-3f67-458b-a1b2-74cea3146e79} - C:\windows\system32\deslib.dll
O2 - BHO: (no name) - {F35AE333-B646-4034-8A2F-D9F3EBDD8D95} - C:\Program Files\Messenger\holenu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\windows\jkhfca.dll",realset
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: deslib - C:\windows\SYSTEM32\deslib.dll
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



Any help is appreciated. Thank you!!

-Cassandra
  • 0



#2
Kenny94

Hello hottiemom24 and welcome to the G2G HijackThis forum

and I must not have had enough protection on the computer!


We will add some protection like Windows XP Service Pack 2 and so forth when we are done.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

I would like you to generate an "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
In your next reply, please include these log(s):


* vundofix.txt
* HijackThis Uninstall List
* HijackThis log (new)


Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.
  • 0

#3
hottiemom24

Thanks for the reply. I have run the Vundo twice...and it's given me nothing both times. Says that the system is clean. I should have listed the various programs that I found on this computer that I have been uninstalling/cleaning.

Starware
Deluxe Communications
SurferBar
SurfSideKick
Winfixer?? Something that takes over your desktop and wants you to download 'fixes' that open it up
Broadcaster.com
Zedo
ConHook
BookedSpace
FakeAlert
SpyWareNo
Backdoor.Spyboter
Enbrowser
Email.Worm.Zhelatin
Trojan.Downloader.Small.BET

I will try running the Vundo again as you said. I will also post the logs that you asked. I just thought you needed more clarification. Thanks!
  • 0

#4
Kenny94

Hello hottiemom24

Please read "ALL" of the instructions before proceeding:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present):

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\windows\System32\tmpB.tmp.dll (file missing)
O2 - BHO: (no name) - {d4fd0bfa-3f67-458b-a1b2-74cea3146e79} - C:\windows\system32\deslib.dll
O20 - Winlogon Notify: deslib - C:\windows\SYSTEM32\deslib.dll

Now close all windows other than HiJackThis, then click Fix Checked.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

And please post the Uninstall List from HijackThis that I asked for in my previous post.

In your next reply, please include these log(s):

* combofix
* HijackThis Uninstall List
* HijackThis log (new)



Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.
  • 0

#5
hottiemom24

Ok, it's taken me all day to get the HiJack log below. This system keeps locking up, displaying pop unders and ups and having to be hard booted. Even typing this takes forever because the pop ups keep using my system resources. UGGGG!

I tried deleting the files in the HiJack log just as you said and closed everything else. However the deslib files keep coming back. I have 'fixed' them 4 times now! I ran the Vundo fix with windows up and it locked up. I ran it again in 'safe mode' and it said that there are no files found to delete. Below is the HiJack log and the Combo Fix log is coming. It's still running, but it takes so long to get anything done on this computer that I need to do it in parts. I know you wanted it all at once, but this is the only way to get you everything you asked for. I get too frustrated on this computer when these stupid pop unders/ups from www.top-banners.com and some ads sites stop me every other word.

Logfile of HijackThis v1.99.1
Scan saved at 7:31:38 PM, on 4/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\windows\System32\wuauclt.exe
C:\Program Files\HijackThis\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starfall.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {d4fd0bfa-3f67-458b-a1b2-74cea3146e79} - C:\windows\system32\deslib.dll
O2 - BHO: (no name) - {F35AE333-B646-4034-8A2F-D9F3EBDD8D95} - C:\Program Files\Messenger\holenu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\windows\jkhfca.dll",realset
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: deslib - C:\windows\SYSTEM32\deslib.dll
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



The combo fix just gave me an error FINDSTR: Search string too long

I don't know what that means but I will let it run a little longer. Please don't answer me back till I post the other stuff. I am ready to chuck this computer out the window.
  • 0
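
Added example, not part of the thread and not HijackThis's own logic: a Python triage of the two HijackThis logs posted above. It flags autostart entries worth a manual look and reports which flagged entries are still present in the later scan. The flag names and heuristics are assumptions of this example, and the sample lines are a constructed subset copied from the logs in posts #1 and #5.

```python
import re
from collections import namedtuple
from ntpath import dirname  # Windows path rules, usable on any OS

Entry = namedtuple("Entry", "section text path")

# Constructed sample: a subset of lines copied from the 4/10/2007 log (post #1).
SCAN_BEFORE = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\windows\System32\tmpB.tmp.dll (file missing)
O2 - BHO: (no name) - {d4fd0bfa-3f67-458b-a1b2-74cea3146e79} - C:\windows\system32\deslib.dll
O2 - BHO: (no name) - {F35AE333-B646-4034-8A2F-D9F3EBDD8D95} - C:\Program Files\Messenger\holenu.dll
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\windows\jkhfca.dll",realset
O20 - Winlogon Notify: deslib - C:\windows\SYSTEM32\deslib.dll
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
"""

# In the 4/11/2007 log (post #5) the same lines appear, except that the
# tmpB.tmp.dll BHO is gone.
SCAN_AFTER = "\n".join(
    line for line in SCAN_BEFORE.splitlines() if "tmpB.tmp.dll" not in line
)

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|ocx)\b', re.IGNORECASE)


def parse_hjt(log_text):
    """Turn 'O2 - ...' style lines into Entry(section, text, lowercased path)."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        p = PATH_RE.search(m.group(2))
        entries.append(Entry(m.group(1), m.group(2), p.group(0).lower() if p else None))
    return entries


def triage(entries):
    """Map (section, path) -> list of reasons. Flags are review cues, not verdicts."""
    bho_paths = {e.path for e in entries if e.section == "O2" and e.path}
    flagged = {}
    for e in entries:
        reasons = []
        if "(file missing)" in e.text:
            reasons.append("missing-target")
        if e.section == "O2" and "(no name)" in e.text:
            reasons.append("unnamed-bho")
        if (e.section == "O4" and "rundll32" in e.text.lower()
                and e.path and dirname(e.path) == r"c:\windows"):
            reasons.append("rundll32-windir-dll")
        # Same DLL loaded by both Internet Explorer and winlogon.exe.
        if e.section == "O20" and e.path in bho_paths:
            reasons.append("bho-and-winlogon-notify")
        if reasons:
            flagged[(e.section, e.path)] = reasons
    return flagged


def persisted(before_text, after_text):
    """Flagged entries from the first scan that are still in the second scan."""
    after_keys = {(e.section, e.path) for e in parse_hjt(after_text)}
    return sorted(k for k in triage(parse_hjt(before_text)) if k in after_keys)


if __name__ == "__main__":
    for key, reasons in triage(parse_hjt(SCAN_BEFORE)).items():
        print(key, reasons)
    print("still present:", persisted(SCAN_BEFORE, SCAN_AFTER))
```

An entry that is flagged and still present in the second scan, such as the two deslib.dll load points here, is being rewritten by something still running, so the registry fix alone does not hold.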

#6
hottiemom24

Here is the uninstall list from HiJack This:

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.8
CleanUp!
HijackThis 1.99.1
Macromedia Shockwave Player
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Prevx1
QuickTime
RegistryFix v3.0
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB920683)
Spy Sweeper for MSN
Spyware Doctor 5.0
SpywareBlaster v3.5.1
Super Collapse!
Update for Windows XP (KB898461)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB890859
Yahoo! Anti-Spy
Yahoo! Toolbar for Internet Explorer
  • 0

#7
hottiemom24

The combo fix program said that it was preparing the log file and to be patient that it takes awhile. So I went to get dinner started and came back to find like 20 popups sitting there and the combo program window closed. There are a bunch of different files on my desktop now though that weren't there before. Is this normal??
  • 0

#8
hottiemom24

Ok, this log file popped up and I still see crap on there that all these other programs keep missing!! Please tell me what to do now. Thanks so much!!



"Cassandra" - 07-04-11 19:36:34 Service Pack 1
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Cassandra\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\CASSAN~1\APPLIC~1\Dxcuknwrd.dll
C:\DOCUME~1\CASSAN~1\APPLIC~1\Dxcdmns.dll
C:\DOCUME~1\CASSAN~1\APPLIC~1\Dxccwrd.dll
C:\windows\updater.exe
C:\windows\system32\driverd.exe
C:\windows\system32\bund1\ClientBundle1.exe
C:\windows\system32\bund1\temp.txt
C:\windows\system32\vx.tll
C:\windows\system32\bund1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_MCHINJDRV


((((((((((((((((((((((((((((((( Files Created from 2007-03-11 to 2007-04-11 ))))))))))))))))))))))))))))))))))


2007-04-11 19:37 106,767 --a------ C:\WINDOWS\rqrrqp.dll
2007-04-10 20:17 <DIR> d-------- C:\DOCUME~1\CASSAN~1\APPLIC~1\Prevx
2007-04-10 19:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-04-10 19:30 77,312 --a------ C:\WINDOWS\ua2.dll
2007-04-10 19:29 106,767 --------- C:\WINDOWS\jkhfca.dll
2007-04-10 19:28 13,700,728 --a------ C:\Program Files\SETUP.PREVX1.2.3.1.14.2K2K3XP.x86AMD64.exe
2007-04-10 19:20 <DIR> d-------- C:\!KillBox
2007-04-10 19:02 <DIR> d-------- C:\VundoFix Backups
2007-04-10 18:59 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-10 12:03 106,767 --a------ C:\WINDOWS\ljkkji.dll
2007-04-10 10:47 106,767 --a------ C:\WINDOWS\pmkiii.dll
2007-04-10 09:44 166,064 --a------ C:\Program Files\FixVundo.exe
2007-04-10 08:53 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-04-10 08:53 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-10 08:53 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-04-10 08:53 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-04-10 08:53 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-04-10 08:53 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-04-10 08:53 19,516,280 --a------ C:\Program Files\sdsetup.exe
2007-04-10 08:53 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-04-10 08:53 <DIR> d-------- C:\DOCUME~1\CASSAN~1\APPLIC~1\PC Tools
2007-04-10 08:52 251,392 --a------ C:\Program Files\hijackthis_sfx.exe
2007-04-09 21:24 78,336 --a------ C:\WINDOWS\system32\drivers\ssi.sys
2007-04-09 21:24 102,912 --a------ C:\WINDOWS\system32\islzma.dll
2007-04-09 21:24 <DIR> d-------- C:\Program Files\RegistryFix
2007-04-09 21:24 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-04-09 21:23 <DIR> d-------- C:\Program Files\Webroot
2007-04-09 21:23 <DIR> d-------- C:\DOCUME~1\CASSAN~1\APPLIC~1\Webroot
2007-04-09 21:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-04-09 21:04 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-09 21:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-09 21:04 <DIR> d-------- C:\DOCUME~1\CASSAN~1\APPLIC~1\Lavasoft
2007-04-08 18:00 355 ---hs---- C:\WINDOWS\fhknmp.ini2
2007-04-08 17:56 <DIR> d--hs---- C:\FOUND.000
2007-04-08 17:53 89,230 --a------ C:\WINDOWS\mmn.exe
2007-04-08 17:53 270,336 --a------ C:\WINDOWS\pdp.exe
2007-04-08 16:56 89,391 --a------ C:\WINDOWS\TTC.exe
2007-04-08 16:56 105,434 --a------ C:\WINDOWS\VTTC.exe
2007-04-08 16:56 <DIR> d-------- C:\Program Files\DeskAlerts
2007-04-08 16:55 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-08 16:54 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-08 16:54 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-04-08 16:53 96,256 --a-s---- C:\WINDOWS\system32\monterreyd_a4m.exe
2007-04-07 02:56 106,767 --a------ C:\WINDOWS\pmnkhf.dll
2007-04-04 13:53 184,320 --a------ C:\WINDOWS\win3211-2142643172.exe
2007-04-03 17:05 53,248 --a------ C:\WINDOWS\111uninst.exe
2007-04-02 18:57 19,275 --a------ C:\WINDOWS\system32\deslib.dll
2007-03-21 06:53 340,936 --a------ C:\WINDOWS\funnies.exe
2007-03-17 15:58 57,104 --a------ C:\DOCUME~1\CASSAN~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-15 08:46 57,344 --a------ C:\WINDOWS\uni_eh10.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"SDTray"="C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
C:\ComboFix\aa.cf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pmnkhf"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\pmnkhf.dll\",realset"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfg32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\cfg32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="webbuying"
"hkey"="HKCU"
"command"="C:\\Program Files\\Web Buying\\v1.6.8\\webbuying.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win3211-2142643172]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win3211-2142643172"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win3211-2142643172.exe"
"inimapping"="0"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\deslib

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-11 20:15:58
C:\ComboFix-quarantined-files.txt ... 07-04-11 20:16

Edited by hottiemom24, 11 April 2007 - 08:39 PM.

  • 0

#9
Kenny94

Hi hottiemom24
Your computer has a lot of infections. We'll try to work in safe mode as much as we can, because of the pop ups and system lock ups.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly in SAFE MODE.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\windows\jkhfca.dll
    C:\windows\system32\deslib.dll
    C:\WINDOWS\funnies.exe
    C:\WINDOWS\ua2.dll
    C:\WINDOWS\pdp.exe
    C:\WINDOWS\VTTC.exe
    C:\WINDOWS\system32\monterreyd_a4m.exe
    C:\WINDOWS\pmnkhf.dll
    C:\WINDOWS\win3211-2142643172.exe
    C:\WINDOWS\uni_eh10.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Now we'll run AVG AntiSpyware in safe mode.

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process:
  • Launch AVG AntiSpyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your desktop (This is important)
  • Close AVG AntiSpyware and reboot your system back into Normal Mode.
In your next reply, please include these log(s):

* AVG AntiSpyware
* HijackThis log (new)


Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

Edited by Kenny94, 12 April 2007 - 06:29 AM.

  • 0
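
Added example, not part of the thread and not ComboFix's own logic: a Python pass over the "Files Created" rows of the ComboFix log in post #8 that groups files by directory and byte size, so that one file saved under several names stands out. The rows are a constructed subset copied from that log, and the function names are this example's own.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # Windows path rules, usable on any OS

# Constructed sample: rows copied from the "Files Created" section in post #8.
LISTING = r"""
2007-04-11 19:37 106,767 --a------ C:\WINDOWS\rqrrqp.dll
2007-04-10 20:17 <DIR> d-------- C:\DOCUME~1\CASSAN~1\APPLIC~1\Prevx
2007-04-10 19:30 77,312 --a------ C:\WINDOWS\ua2.dll
2007-04-10 19:29 106,767 --------- C:\WINDOWS\jkhfca.dll
2007-04-10 12:03 106,767 --a------ C:\WINDOWS\ljkkji.dll
2007-04-10 10:47 106,767 --a------ C:\WINDOWS\pmkiii.dll
2007-04-10 08:53 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-08 17:53 89,230 --a------ C:\WINDOWS\mmn.exe
2007-04-07 02:56 106,767 --a------ C:\WINDOWS\pmnkhf.dll
2007-04-02 18:57 19,275 --a------ C:\WINDOWS\system32\deslib.dll
"""

# date, time, size or <DIR>, attribute flags, path
ROW_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(\S+)\s+(.+)$"
)


def parse_listing(text):
    """Return one dict per file row; directory rows and headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        date, time, size, attrs, path = m.groups()
        rows.append({
            "when": f"{date} {time}",          # sorts chronologically as text
            "size": int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return rows


def same_size_clusters(rows, min_count=2):
    """Group files that share a directory and an exact byte size."""
    groups = defaultdict(list)
    for row in rows:
        groups[(dirname(row["path"]).lower(), row["size"])].append(row)
    return {
        key: sorted(members, key=lambda r: r["when"])
        for key, members in groups.items()
        if len(members) >= min_count
    }


def cluster_names(text):
    """(directory, size) -> file names, oldest first."""
    return {
        key: [basename(r["path"]) for r in members]
        for key, members in same_size_clusters(parse_listing(text)).items()
    }


if __name__ == "__main__":
    for (folder, size), names in cluster_names(LISTING).items():
        print(f"{folder}  {size} bytes  x{len(names)}: {', '.join(names)}")
```

On these rows the only cluster is five 106,767-byte DLLs in C:\WINDOWS. Two of those names, jkhfca.dll and pmnkhf.dll, are the ones the BootService Run entry points to in the HijackThis log and in the msconfig startupreg key.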

#10
hottiemom24

I ran everything as you said. I logged on to get to this site and sure enough got 3 pop ups. So I guess the system is not clean. However, it IS cleaner. I am at least able to type this without as many as yesterday!

Here is the log you asked for:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:52:14 AM 4/12/2007

+ Scan result:



C:\WINDOWS\system32\micro1\a1.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\!KillBox\funnies.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\DeskAlerts\deskbar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70B31F96-4D1E-4550-B36A-5CF977109160}\RP6\A0002045.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070410-184148-181.dll -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070410-184148-862.dll -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\WINDOWS\system32\micro1\a3.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\Documents and Settings\Cassandra\Local Settings\Temp\tmp1D.tmp.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\Documents and Settings\Cassandra\Local Settings\Temporary Internet Files\Content.IE5\4UTDDJ8J\CA6R0T67.php -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\WINDOWS\updater.exe.vir -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70B31F96-4D1E-4550-B36A-5CF977109160}\RP6\A0002022.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\!KillBox\deslib.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070410-184148-488.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070411-191622-936.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070411-191731-536.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070411-193100-494.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070411-193159-994.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70B31F96-4D1E-4550-B36A-5CF977109160}\RP6\A0002044.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\WINDOWS\system32\micro1\win5.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\Program Files\QuickTime\qttask.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70B31F96-4D1E-4550-B36A-5CF977109160}\RP3\A0001050.rbf -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\111uninst.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
C:\Documents and Settings\Cassandra\Cookies\cassandra@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Cassandra\Cookies\[email protected][2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Cassandra\Cookies\cassandra@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Cassandra\Cookies\cassandra@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Cassandra\Cookies\cassandra@adbrite[3].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Cassandra\Local Settings\Temp\tmp20.tmp.exe -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Cassandra\Local Settings\Temporary Internet Files\Content.IE5\GP2RKTI3\vodka[1] -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\!KillBox\monterreyd_a4m.exe -> Trojan.Kolweb : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\WINDOWS\system32\driverd.exe.vir -> Trojan.Kolweb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70B31F96-4D1E-4550-B36A-5CF977109160}\RP6\A0002023.exe -> Trojan.Kolweb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70B31F96-4D1E-4550-B36A-5CF977109160}\RP6\A0002049.exe -> Trojan.Kolweb : Cleaned with backup (quarantined).


::Report end

#11
Kenny94
Hello hottiemom24

I'm glad to hear your computer is better. We still have some work to do.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please post a HijackThis log (new).

#12
hottiemom24
Hi there! I ran what you wanted and the ATF cleaned off the little stuff. I have that program Clean UP for that stuff though, so maybe I don't need this one?? Just wondering. I am still getting slowness, but I think it's in part from downloading so many programs to try to 'fix' this system! I need to get rid of some of them.
Anyway, when I opened this site to post this post, I got more pop ups. They are not actually showing on my system now except that I have the content advisor activated and it pops up the window asking me (over and over) if I want to display the page or not. I just hit cancel on all of them.

Here are the sites that they are from:

x.azjmp.com/0mwsk
www.find-52.com/oripre....
notebookbestprice.com
www.droppedurl.com/ms.....(twice)
onestoponlineshop.net/o/
ads.marketingsector.com
ads.zwoops.com/media/s....
inkjetclear.com


Here is the HJT log you asked for after running that last stuff:

Logfile of HijackThis v1.99.1
Scan saved at 12:39:08 AM, on 4/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\windows\System32\wuauclt.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\Hijack This.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F35AE333-B646-4034-8A2F-D9F3EBDD8D95} - C:\Program Files\Messenger\holenu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\windows\khecbx.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0
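
A HijackThis log like the one in the post above can be triaged mechanically before anyone reads it line by line. The following is an added example, not part of the original thread or of HijackThis itself: the three rules are assumptions chosen for illustration, and a match only marks an entry for closer review, not as confirmed malware. The sample lines are copied from the log above.

```python
import re

# Lines copied from the HijackThis log posted above (not constructed).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {F35AE333-B646-4034-8A2F-D9F3EBDD8D95} - C:\Program Files\Messenger\holenu.dll
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\windows\khecbx.dll",realset
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
"""

# A HijackThis entry line: section code (O2, O4, O23, ...), " - ", then the body.
ENTRY = re.compile(r"^(O\d+) - (.*)$")

# (section, reason, predicate). These rules are this example's assumptions,
# not an official HijackThis classification.
RULES = [
    ("O2", "BHO registered without a name",
     lambda b: b.startswith("BHO: (no name)")),
    ("O4", "autorun launches a DLL through rundll32",
     lambda b: re.search(r"\]\s*rundll32(\.exe)?\s", b, re.I) is not None),
    ("O23", "service binary missing or owner unknown",
     lambda b: "(file missing)" in b or "- Unknown owner -" in b),
]

def triage(log_text):
    """Return (section, reason, body) for each entry that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.groups()
        for rule_section, reason, matches in RULES:
            if section == rule_section and matches(body):
                findings.append((section, reason, body))
                break
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[review] {section}: {reason}\n         {body}")
```

The O23 match lands on the service of a security product the poster installed, which shows why each match still needs a person to check the file on disk before anything is deleted.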

#13
Kenny94

Hi hottiemom24... :blink:

have that program Clean UP for that stuff though, so maybe I don't need this one??

Let's put it this way. I've used Clean UP for years and I did enjoy the flushing sound, but it's a known fact that Clean UP will hurt your computer! My son uses ATF Cleaner now, after Clean UP removed some game files. :whistling:


Just wondering. I am still getting slowness, but I think it's in part from downloading so many programs to try to 'fix' this system! I need to get rid of some of them.

Yes, you can remove them when we are done. The programs are not active (other than AVG); they are just sitting there, so they are not causing any kind of "slowness". But your computer still has some infections. I'll give you a website after we are done that many members found very helpful to help speed up their computer. OK, back to your computer.


Please double-click Killbox.exe to run it.
Select:
  • Delete on Reboot
  • then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\fhknmp
C:\WINDOWS\111uninst.exe




Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Download VirtumundoBeGone and place it on your desktop.
  • Double-click VirtumundoBeGone.exe to start the tool.
  • Follow the instructions on the screen.
  • Don't worry if you get a blue screen with an error in it - this is normal.
After reboot,

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
In your next reply, please include these log(s):

* ActiveScan report
* HijackThis log (new)


Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

#14
hottiemom24
Hi there,
I have done all the stuff you asked and the only issue I encountered was that when the Killbox was finished, it asked me to reboot, but then never did. I had to hard boot it manually.

I went through the ActiveScan stuff and it downloaded the stuff like you said. Then I get to the next page where you click on the My Computer and I have done it now 4 times. It just says there is an error on the page and it's not doing the scan! I am not sure why. I have closed the window and started all over a few times now. I can't figure out why it isn't working for me. I can't post the scan because it won't scan. :-( It's bugging me! So I don't know what to do next. I did do the Killbox thing and deleted the two files that you said. I also did the Virtumundobegone thing and it said it found nothing.

Let me know what you think

PS - I un-installed Clean Up on this computer and my own laptop as well. I downloaded that because it was recommended by a techie on Google's Answer board during one of my other computer issues. Thanks for the tip.

#15
Kenny94
Hi hottiemom24
We have another malware remover we'll run. We will remove some of the programs on your desktop when we are done. :whistling:

I can't post the scan because it won't scan. :-( It's bugging me! So I don't know what to do next.

This happens sometimes.

Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Save the log information. And paste this info along with your HijackThis log.
Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.