[JSntgRvr]

Still spawning:

• Copy the entire contents of the Quote Box below to Notepad.
• Name the file as CFScript.txt
• Change the Save as Type to All Files
• and Save it on the desktop

File::C:\WINDOWS\Tasks\Pareto UNS.jobFolder::C:\Program Files\Common Files\ParetoLogicRegistry::[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk][-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

Once saved, referring to the picture above, drag CFScript.txt into MyPoppy.exe, and post back the resulting report along with a Hijackthis log..

[Advertisements]

Afterwards run DSS once again. Post the Main.txt. It should provide us with a Hijackthis log.

[JSntgRvr]

Afterwards run DSS once again. Post the Main.txt. It should provide us with a Hijackthis log.

[Linda68]

Here is the new combofix file
Hijackthis still wouldn't run. It was renamed to HJT.exe somewhere down the line.
Still received win32 app error

Attached Files

•  ComboFix.txt   8.05KB   152 downloads

[Linda68]

Sorry, missed the second part of your message. I'm running it now ...

[Linda68]

You've got a lot of neat tricks up your sleeve

Attached Files

•  main.txt   11.89KB   232 downloads

[JSntgRvr]

Go to Virus Total here:

http://www.virustotal.com/


Scan the following files:

C:\WINDOWS\system32\drivers\hpt3xx.sys
C:\WINDOWS\system32\drivers\hptpro.sys

Post the results in your next reply.

Set Explorer to view Hidden files and folders. Remove the following folders:

C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

I'll be checking on this topic in the AM. Don't use the computer until we have this sorted-out.

Thanks and Good Night.

[Linda68]

Good Morning
The docs are attached ...

Attached Files

•  File_hpt3xx.doc   48KB   16 downloads
•  File_hptpro.doc   75KB   26 downloads

[Linda68]

Hello,
I DO want you to know that on my infected desktop "Hidden Files and Folders" does not exist on Tools - Folder Options View tab. I do see it on my laptop. Looks like the spyware / virus may have effected this.

I went to DOS and was able to delete everything EXCEPT the paretologic anti-spyware folder. But the subdirs and files have been deleted. Superantispyware was no problem to delete.

I have to step out for about an hour and a half. I will return ...

Thanks Much!
Linda

[JSntgRvr]

Hi, Linda68

Hijackthis still wouldn't run. It was renamed to HJT.exe somewhere down the line.

Right link on the Hijackthis icon, it should be a shortcut. Select Properties. Post its Target and the Start in Infomation



If other than "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe", have that target scanned as VirusTotal. Also look in the C:\Program Files\Trend Micro\HijackThis folder and look if the original Hijackthis.exe still be in the folder. If the trojan copied itself as HJT.exe, chances are the original file still in the folder. Have also HJT.exe scanned if different from the target. Post these results.

Just noticed you ran Hijackthis from your desktop:

C:\Documents and Settings\Linda Kristina\Desktop\HiJackThis.exe

Where did you download Hijackthis from?(This information is important) Have this file scanned, whether renamed HJT.exe or Hijackthis.exe. If the results are positive, have this file uploaded at:

http://www.bleepingc...e.php?channel=4

Leave a link to this topic.

Follow the instructions above as they may apply, even if striked out.

• After performing the above steps, remove Hijackthis and its folder under Program Files (Trend Micro) (if applies). It puzzles me it was renamed HJT.exe along the line without any help on your part. Perhaps is the culprit for having this trojan spawning.
• Run MyPoppy.exe once again to find out if it has spawned again and post its report..
• Run the SafeBootKeyRepair.exe by sUBs as requested on Post #2. That should take care of the Safe Boot key. Test and let me know

Do not reinstall Hijackthis.

[Linda68]

Hi, I'm back
The first scan showed the DOC file I left for you at bleeping. I am reanalysing it and there is a report that it is generating. I will put this up on the site when it is finished. I will then complete the rest of your requests. On the second analysis, I do see a worm.huhk.a and a suspicious trojan/worm in red already in the report.

[Linda68]

The reanalysis is also posted ...

[JSntgRvr]

Thanks for the document. But what I need uploaded to BC in the file itself. Are you still have it? Perhaps in the Recycle Bin?

[Linda68]

Combofix is attached as well as the safeboot_repair. Nothing out of the ordinary happened with safebootkeyrepair.

Don't be puzzled, I mentioned back on page one that I changed the hijackthis executable before we even started communicating because I did a lot of research on my problem before contacting this website. The file never worked either way "hijackthis.exe" or "hjt.exe"

We're getting close!!

Attached Files

•  ComboFix.txt   9.27KB   137 downloads
•  SAFEBOOT_REPAIR.TXT   13.5KB   154 downloads

[JSntgRvr]

Still spawning. See post 57

[Linda68]

Oh NO, I misread, it has been removed...out of the recycle bin too.