My HiJackThis log (Please Help) My computer somehow got slower :( [RE



#16 wrecklesskane (Topic Starter, Member, 83 posts)
Hold on, slow down here, what Notepad? Notepad from what?
Sorry for the inconvenience

#17 fenzodahl512 (Malware Removal, 9,863 posts)
Sorry, to open Notepad, please do the following..


Please go to Start >> Run >> copy/paste below in the Run box >> press Enter

Notepad.exe

And then just do my previous instruction :)

#18 wrecklesskane (Topic Starter, Member, 83 posts)
Ok I got that pasted in the Notepad, now what do I do?

#19 fenzodahl512 (Malware Removal, 9,863 posts)
Ok, after you copy/paste the script into Notepad, just do these steps..


1. Save it as CFScript.txt on your Desktop

2. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: dragging CFScript.txt onto ComboFix.exe]

3. Just let ComboFix do the job, and post the log here. If ComboFix needs to restart your computer, just let it do that :)

#20 wrecklesskane (Topic Starter, Member, 83 posts)
Ohh wait a minute, hold on, so what is this CFScript.txt now? And where do I get that now? Sorry, but you didn't tell me about that yet. I'm sorry, but I want to make sure we get past a step successfully before I start doing anything I don't know about, because you can never be too careful :)

Edited by wrecklesskane, 29 May 2008 - 04:03 PM.


#21 fenzodahl512 (Malware Removal, 9,863 posts)
It's okay.. it's better to be safe than sorry.. :)

Let's see the steps again..

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.



2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
netpker
SkServer
Explorer
radsrver
ljutep
servicess

File::
C:\WINNT\eraseme_02186.exe
C:\WINNT\eraseme_37006.exe
C:\WINNT\eraseme_42841.exe
C:\WINNT\eraseme_45822.exe
C:\WINNT\system32\eraseme_02186.exe
C:\WINNT\system32\eraseme_42841.exe
C:\WINNT\system32\config\sy.exe
C:\alexamw.exe
c:\aa.exe
C:\WINNT\system32\config\svchost.exe
C:\WINNT\web\related.htm
D:\Autorun.exe
c:\winnt\system32\nrtyxo.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints\D]





3. After copying/pasting it into Notepad, please click on File >> Save As..
  • A Save As window will appear
  • At Save in: box, please put Desktop
  • At File name: please name it as CFScript
  • At Save as type: please put Text Documents (*.txt)
  • Then, click on Save button. You should now have a CFScript file on your Desktop.




4. Then drag the CFScript into ComboFix as depicted in the animation below. This will start ComboFix again.

[Animation: dragging CFScript onto ComboFix]




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

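The script in the post above is a ComboFix CFScript: each "Name::" header opens a section, and the lines beneath it are the items ComboFix acts on (the ComboFix log that follows in the thread confirms the File:: entries were deleted and the Driver:: names were removed as services; the bracketed Registry:: line uses REGEDIT4 syntax, where a leading minus inside the bracket deletes the key). What follows is a small parser and lint pass for that format, added here as an example; it is my own code, not ComboFix's and not from the thread. The section names and the embedded sample script are taken from the post, but the lint rules are my assumptions about what a sane script looks like, not ComboFix's documented grammar: absolute drive paths under File::, bare service names under Driver::, REGEDIT4 syntax under Registry::, an error for any attempt to delete a core Windows binary in its normal location, and a warning for a file that borrows such a name but lives somewhere else, as C:\WINNT\system32\config\svchost.exe does in the script.

```python
"""Parse and lint a ComboFix CFScript.

Added example: my own code, not ComboFix's and not from the thread.
The section names KillAll::, Driver::, File:: and Registry:: and the sample
script are taken from the post above; the lint rules are my assumptions
about what a sane script looks like, not ComboFix's documented grammar.
"""
import re
from collections import OrderedDict

# Sample input: the script posted in the thread, reproduced verbatim.
SAMPLE_CFSCRIPT = r"""
KillAll::

Driver::
netpker
SkServer
Explorer
radsrver
ljutep
servicess

File::
C:\WINNT\eraseme_02186.exe
C:\WINNT\eraseme_37006.exe
C:\WINNT\eraseme_42841.exe
C:\WINNT\eraseme_45822.exe
C:\WINNT\system32\eraseme_02186.exe
C:\WINNT\system32\eraseme_42841.exe
C:\WINNT\system32\config\sy.exe
C:\alexamw.exe
c:\aa.exe
C:\WINNT\system32\config\svchost.exe
C:\WINNT\web\related.htm
D:\Autorun.exe
c:\winnt\system32\nrtyxo.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints\D]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\.+")
REG_KEY_RE = re.compile(r"^\[-?HKEY_(LOCAL_MACHINE|CURRENT_USER|USERS|CLASSES_ROOT)\\[^\]]+\]$")

# Names malware likes to borrow (assumption: a short, non-exhaustive list) and
# the directories where they legitimately live on an NT5 box (WINNT = Windows 2000).
CORE_BINARIES = {"svchost.exe", "explorer.exe", "services.exe", "lsass.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}
CORE_DIRS = {r"c:\winnt\system32", r"c:\windows\system32", r"c:\winnt", r"c:\windows"}


def parse_cfscript(text):
    """Map each 'Name::' section to the non-blank lines beneath it, in order."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def lint_cfscript(text):
    """Return (sections, errors, warnings). Any error means: do not run this."""
    sections = parse_cfscript(text)
    errors, warnings = [], []
    for name, entries in sections.items():
        if name == "KillAll" and entries:
            errors.append("KillAll:: takes no entries")
        elif name in ("File", "Folder"):
            for e in entries:
                if not ABS_PATH_RE.match(e):
                    errors.append("%s:: entry is not an absolute drive path: %s" % (name, e))
                    continue
                parent, _, base = e.lower().rpartition("\\")
                if base in CORE_BINARIES:
                    if parent in CORE_DIRS:
                        errors.append("refusing to delete a core binary in place: " + e)
                    else:
                        warnings.append("lookalike of %s outside its normal directory: %s" % (base, e))
        elif name == "Registry":
            for e in entries:
                if e.startswith("["):
                    if not REG_KEY_RE.match(e):
                        errors.append("Registry:: key line is not REGEDIT4 syntax: " + e)
                elif not e.startswith(('"', "@")):
                    errors.append("Registry:: value line must start with a quoted name or @: " + e)
        elif name == "Driver":
            for e in entries:
                if "\\" in e or " " in e:
                    errors.append("Driver:: takes bare service names, not paths: " + e)
    return sections, errors, warnings


if __name__ == "__main__":
    found, errs, warns = lint_cfscript(SAMPLE_CFSCRIPT)
    for sec, items in found.items():
        print("%s:: %d entries" % (sec, len(items)))
    for w in warns:
        print("WARN ", w)
    for err in errs:
        print("ERROR", err)
```

The warning the sample produces is the interesting one: svchost.exe belongs in system32, so a copy under system32\config is a name borrowed to blend into a process list, and the same goes for a service registered under the name "Explorer" in the Driver:: section.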

#22 wrecklesskane (Topic Starter, Member, 83 posts)
Ok, there we go now, mission success. By the way, sorry for the late response, but it took about fifteen minutes for ComboFix to do its thing, but we're good now.. Ok, so here are both of the logs that you wanted :)





ComboFix 08-05-28.4 - Administrator 05/29/2008 17:38:44.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.154 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\aa.exe
C:\alexamw.exe
C:\WINNT\eraseme_02186.exe
C:\WINNT\eraseme_37006.exe
C:\WINNT\eraseme_42841.exe
C:\WINNT\eraseme_45822.exe
C:\WINNT\system32\config\svchost.exe
C:\WINNT\system32\config\sy.exe
C:\WINNT\system32\eraseme_02186.exe
C:\WINNT\system32\eraseme_42841.exe
c:\winnt\system32\nrtyxo.dll
C:\WINNT\web\related.htm
D:\Autorun.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\aa.exe
C:\alexamw.exe
C:\WINNT\eraseme_02186.exe
C:\WINNT\eraseme_37006.exe
C:\WINNT\eraseme_42841.exe
C:\WINNT\eraseme_45822.exe
C:\WINNT\system32\config\sy.exe
C:\WINNT\system32\eraseme_02186.exe
C:\WINNT\system32\eraseme_42841.exe
c:\winnt\system32\nrtyxo.dll
D:\Autorun.exe . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EXPLORER
-------\Legacy_LJUTEP
-------\Legacy_NETPKER
-------\Legacy_RADSRVER
-------\Legacy_SERVICESS
-------\Legacy_SKSERVER
-------\Service_Explorer
-------\Service_ljutep
-------\Service_netpker
-------\Service_radsrver
-------\Service_servicess
-------\Service_SkServer


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 04:49 . 08-05-29 04:49 <DIR> d-------- C:\Deckard
2008-05-26 04:18 . 08-05-26 04:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 03:47 . 08-05-26 03:47 45 --a------ C:\WINNT\system32\RPVersion.ini
2008-05-26 03:43 . 08-05-26 03:45 <DIR> d-------- C:\Program Files\RegistryPatrol3.0
2008-05-26 03:43 . 99-12-17 22:43 86,016 --a------ C:\WINNT\unvise32.exe
2008-05-19 00:48 . 08-04-29 13:14 208,896 --a------ C:\WINNT\system32\ConTest.dll
2008-05-19 00:48 . 07-07-03 11:48 20,480 --a------ C:\WINNT\system32\SysRestore.dll
2008-05-17 21:53 . 08-05-17 21:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-05-05 02:45 . 08-02-22 02:33 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-05-05 02:44 . 08-05-05 02:45 <DIR> d-------- C:\Program Files\Java
2008-05-05 01:12 . 08-05-05 01:13 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 03:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 07:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-24 07:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-04-02 22:11 --------- d-----w C:\Program Files\Google
2008-04-02 03:54 --------- d-----w C:\Program Files\Adaptec
2008-03-29 19:13 1 ---h--w C:\Boots.sys
2006-12-15 13:43 271 ------w C:\Program Files\desktop.ini
2006-12-15 13:43 21,952 ------w C:\Program Files\folder.htt
.

------- Sigcheck -------


.
((((((((((((((((((((((((((((( [email protected] 05-29-2008_ 8.39.04.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINNT\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotkeyz"="c:\program files\skynergy\hotkeyz\hotkeyz.exe" [06-11-21 12:05 837632]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [08-04-02 18:11 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 111376 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [08-02-22 04:25 144784]
"Tweak UI"="TWEAKUI.CPL" [00-06-18 14:03 106544 C:\WINNT\system32\TWEAKUI.CPL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [08-04-02 18:11 171448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 15:05 186640]
"FlashPlayerUpdate"="C:\WINNT\system32\Macromed\Flash\GetFlash.exe" [ ]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
O_EOI.txt [2008-03-29 15:13:54 51]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mozilla Firefox
Mozilla Firefox (Safe Mode).lnk - C:\Program Files\Mozilla Firefox\firefox.exe [2008-04-23 15:35:49 7660656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"= 0 (0x0)
"NoDispAppearancePage"= 0 (0x0)
"NoDispScrSavPage"= 0 (0x0)
"NoDispSettingsPage"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoViewContextMenu"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoRun"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoFind"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"StartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"NoActiveDesktopChanges"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 08:22 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ljutep REG_MULTI_SZ ljutep

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
servicess

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 07:30:00 C:\WINNT\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 17:43:53
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-29 17:48:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-29 21:47:59
ComboFix2.txt 2008-05-29 12:39:29

Pre-Run: 4,025,487,360 bytes free
Post-Run: 4,206,706,688 bytes free

245 --- E O F --- 2008-05-29 12:21:58







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:22 PM, on 5/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [Hotkeyz] "c:\program files\skynergy\hotkeyz\hotkeyz.exe /minimize"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: Ӳ.txt (User 'Default user')
O4 - .DEFAULT User Startup: Ӳ.txt (User 'Default user')
O4 - Global Startup: Mozilla Firefox
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O16 - DPF: Yahoo! Chess - http://download2.gam...nts/y/ct5_x.cab
O16 - DPF: {970EF5A2-CE21-4A16-B21F-3FC9AF1F89F2} (HearMe (eSylvan) (Firewall) Voice Control) - http://techsupport.e...itor/esvcfe.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {FFA0B580-F85C-11D4-B501-00010261BA08} - http://assessment.es....com/PCInfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C88EEDDC-B6AE-45F8-BB34-A7F7ECE3D0CD}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Goku's%20SSJ3%20Dominating%20Power.gif
O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Gogeta%20and%20Gotenks.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg

--
End of file - 4408 bytes

Edited by wrecklesskane, 29 May 2008 - 06:07 PM.

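The HijackThis log above carries the five entries the next reply asks the user to fix: three orphaned references (a toolbar and two "Related" buttons whose files are missing) and a stray .txt item sitting in the Default User profile's Startup folder. As an added example (my own code, not HijackThis's, ComboFix's or the thread's), here is a triage pass that applies those two rules to log lines and sets O16 and O17 entries aside for manual review. The rules are my assumptions about what a helper looks at first, and they are deliberately narrow so that the legitimate Java, Google and Microsoft entries in the same log pass through untouched; the sample is an excerpt of the log above.

```python
"""Triage a HijackThis log: pick out the entries worth fixing or reviewing.

Added example: my own code, not HijackThis's, ComboFix's or the thread's.
The sample is an excerpt of the log posted above; the rules are my
assumptions about what a malware-removal helper checks first.
"""
import re

# Sample input: excerpt of the HijackThis log posted in the thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - .DEFAULT Startup: Ӳ.txt (User 'Default user')
O4 - .DEFAULT User Startup: Ӳ.txt (User 'Default user')
O4 - Global Startup: Mozilla Firefox
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C88EEDDC-B6AE-45F8-BB34-A7F7ECE3D0CD}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Startup-folder lines: optional profile prefix, the item, optional "(User '...')" suffix.
STARTUP_RE = re.compile(r"^(?:\.DEFAULT |\.DEFAULT User |Global |)Startup: (.+?)(?: \(User '([^']*)'\))?$")


def classify(line):
    """Return (verdict, reason); verdict is 'fix', 'review' or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None, ""
    kind, body = m.groups()
    # Rule 1: a hook whose target file is gone does nothing useful; it is a
    # leftover of something already removed and is safe to clear.
    if body.endswith(ORPHAN_MARKERS):
        return "fix", "orphaned reference"
    # Rule 2: the Default User profile's Startup folder is normally empty.
    # An item there is copied into every profile created later and runs at
    # each logon, which is why a stray .txt in it stands out.
    if kind == "O4":
        sm = STARTUP_RE.match(body)
        if sm and sm.group(2) == "Default user":
            return "fix", "startup item in the Default User profile: " + sm.group(1)
    # Rule 3: resolver settings and ActiveX downloads cannot be judged from the
    # log alone; list them for the helper to verify against known-good values.
    if kind == "O17":
        return "review", "check NameServer against the ISP's resolvers"
    if kind == "O16":
        return "review", "ActiveX control installed from the web"
    return None, ""


def triage(log_text):
    """Group a whole log into {'fix': [...], 'review': [...]} of (line, reason)."""
    result = {"fix": [], "review": []}
    for line in log_text.splitlines():
        verdict, reason = classify(line)
        if verdict:
            result[verdict].append((line.strip(), reason))
    return result


def hjt_fix_list(log_text):
    """The lines a helper would tell the user to tick before 'Fix checked'."""
    return [line for line, _ in triage(log_text)["fix"]]


if __name__ == "__main__":
    report = triage(SAMPLE_HJT_LOG)
    for verdict in ("fix", "review"):
        print(verdict.upper())
        for line, reason in report[verdict]:
            print("  %-50s  %s" % (reason, line))
```

Run against the excerpt, the fix list is exactly the five lines quoted in the next reply, and the O17 NameServer entry lands in the review list rather than being touched: a resolver that is not the ISP's is a hijack, but one that is cannot be told apart from the log alone.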

#23 fenzodahl512 (Malware Removal, 9,863 posts)
Hello, thanks for the reply.. Now, let's do the following..


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - .DEFAULT Startup: Ӳ.txt (User 'Default user')
O4 - .DEFAULT User Startup: Ӳ.txt (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please download Flash_Disinfector by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf on each partition and on every USB drive plugged in when you run it. Don't delete this folder... it will help protect your drives from future infection.


Don't worry if you do not have any flashdrive.. Just download and run it ok :)




NEXT


Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • C:\Boots.sys
  • Click on the submit button
  • Please post the results in your next reply.
If the Jotti server is too busy, please submit the file to VirusTotal instead.




Please post the following in your next reply..

1. Jotti/VirusTotal result
2. A fresh Deckard System Scanner log (after Jotti step)


Regards
fenzodahl512
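The ComboFix log earlier in the thread could not delete D:\Autorun.exe, and the CFScript removed the explorer\mountpoints entry for D:, which is the footprint of a volume that launches a program through its autorun.inf. The note in the post above describes Flash_Disinfector's countermeasure: occupy the name autorun.inf on each volume with a folder, so that a later attempt to write a file of that name fails. As an added example (my own code, not Flash_Disinfector's and not from the thread), the script below first reads the launch commands an [autorun] section would hand to the shell, then plants the blocking folder and confirms that a write to that name is refused. A temporary directory stands in for a drive root, and the autorun.inf contents are constructed for the demo; the real file on that machine is not shown in the thread. The hidden and system attributes that Flash_Disinfector sets are not reproduced here (assumption: attrib is Windows-only, and the portable part of the trick is the name collision).

```python
"""Autorun.inf: show what a volume's autorun.inf would launch, then occupy
the name with a folder so that no file can be written there.

Added example: my own code, not Flash_Disinfector's and not from the thread.
A temporary directory stands in for a drive root (assumption), and the
autorun.inf below is constructed for the demo; the autorun.inf that went
with D:\\Autorun.exe on the real machine is not shown in the thread.
"""
import os
import shutil
import stat
import tempfile

# Constructed sample: an autorun.inf that launches Autorun.exe from the volume
# root through each of the keys the shell honours for that purpose.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=Autorun.exe
shellexecute=Autorun.exe
shell\\open\\command=Autorun.exe
icon=Autorun.exe,0
"""

LAUNCH_KEYS = ("open", "shellexecute")


def launch_commands(inf_text):
    """Return the commands an [autorun] section would hand to the shell."""
    cmds = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank or comment
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"  # only this section matters
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command= lines are launch commands too
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            cmds.append(value)
    return cmds


def inspect_root(root):
    """Launch commands from <root>/autorun.inf, or [] when no such file exists."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return launch_commands(fh.read())


def protect_root(root):
    """Replace any autorun.inf file with a read-only directory of that name.

    A directory and a file cannot share a name, so later attempts to create
    autorun.inf fail. Flash_Disinfector also sets the hidden/system attributes
    on Windows; that is left out here to keep the example portable.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        os.remove(path)
    os.makedirs(path, exist_ok=True)
    os.chmod(path, stat.S_IRUSR | stat.S_IXUSR)      # no write bit on the placeholder
    return os.path.isdir(path)


def file_creation_blocked(root):
    """Simulate malware trying to write autorun.inf after protect_root()."""
    path = os.path.join(root, "autorun.inf")
    try:
        with open(path, "w") as fh:
            fh.write("[autorun]\nopen=evil.exe\n")
    except OSError:            # IsADirectoryError on POSIX, PermissionError on Windows
        return True
    return False


def demo():
    """Run the whole sequence in a throwaway directory standing in for D:\\."""
    root = tempfile.mkdtemp(prefix="fake_drive_")
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)              # the "infected" starting state
        before = inspect_root(root)
        protected = protect_root(root)
        blocked = file_creation_blocked(root)
        after = inspect_root(root)
        return {"before": before, "protected": protected, "blocked": blocked, "after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The name collision is the whole mechanism, which is why the note above says not to delete the folder: remove it and the next plugged-in carrier can drop a fresh autorun.inf pointing at its own Autorun.exe.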

#24 wrecklesskane (Topic Starter, Member, 83 posts)
Ok I did the HiJackthis step. But about that Flash_Disinfector by sUBs, well we can't proceed with that because I don't have the flash drive to plug in, sorry :)
And thanks for all your help, I think we're getting closer and closer to getting this :)

Edited by wrecklesskane, 29 May 2008 - 07:15 PM.


#25 fenzodahl512 (Malware Removal, 9,863 posts)
Erm.. I believe you have misunderstood me.. Don't worry if you don't have any flashdrive.. Just run Flash Disinfector.. and then proceed with Jotti steps..


After it says Done!, you are good to go to Jotti step :)


I'm quite sleepy now.. Need some rest.. So, I'll be back tomorrow :)

Edited by fenzodahl512, 29 May 2008 - 07:23 PM.


#26 wrecklesskane (Topic Starter, Member, 83 posts)
Ohh ok then, see you tomorrow, and hopefully we should have it solved. Anyways, have a good rest fenzodahl512, bye bye :)

Edited by wrecklesskane, 29 May 2008 - 07:33 PM.


#27 fenzodahl512 (Malware Removal, 9,863 posts)
Thanks mate.. see you tomorrow :)

#28 wrecklesskane (Topic Starter, Member, 83 posts)
Ok here are the scanner results for "Jotti's malware scan" and a fresh Deckard System Scanner log (after Jotti step)




Scanner results
Scan taken on 30 May 2008 01:53:04 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing










Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-29 21:02:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 254 MiB (256 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:59 PM, on 5/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [Hotkeyz] "c:\program files\skynergy\hotkeyz\hotkeyz.exe /minimize"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: Ӳ.txt (User 'Default user')
O4 - .DEFAULT User Startup: Ӳ.txt (User 'Default user')
O4 - Global Startup: Mozilla Firefox
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: Yahoo! Chess - http://download2.gam...nts/y/ct5_x.cab
O16 - DPF: {970EF5A2-CE21-4A16-B21F-3FC9AF1F89F2} (HearMe (eSylvan) (Firewall) Voice Control) - http://techsupport.e...itor/esvcfe.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {FFA0B580-F85C-11D4-B501-00010261BA08} - http://assessment.es....com/PCInfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C88EEDDC-B6AE-45F8-BB34-A7F7ECE3D0CD}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Goku's%20SSJ3%20Dominating%20Power.gif
O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Gogeta%20and%20Gotenks.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg

--
End of file - 4051 bytes

-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-29 12:25:37 0 drahs---- C:\autorun.inf
2008-05-29 08:34:57 68096 --a------ C:\WINNT\zip.exe
2008-05-29 08:34:57 49152 --a------ C:\WINNT\VFind.exe
2008-05-29 08:34:57 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-29 08:34:57 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-29 08:34:57 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-29 08:34:57 98816 --a------ C:\WINNT\sed.exe
2008-05-29 08:34:57 80412 --a------ C:\WINNT\grep.exe
2008-05-29 08:34:57 89504 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-26 04:18:30 0 d-------- C:\Program Files\Trend Micro
2008-05-26 03:43:26 86016 --a------ C:\WINNT\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-05-26 03:43:11 0 d-------- C:\Program Files\RegistryPatrol3.0
2008-05-19 00:48:20 20480 --a------ C:\WINNT\system32\SysRestore.dll <Not Verified; Ascentive LLC; prjSysRestore>
2008-05-19 00:48:19 208896 --a------ C:\WINNT\system32\ConTest.dll <Not Verified; Ascentive; ConnectionTester>
2008-05-17 21:53:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-05-05 02:44:25 0 d-------- C:\Program Files\Java
2008-05-05 01:12:59 0 d--h---c- C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$


-- Find3M Report ---------------------------------------------------------------

2008-05-28 16:01:15 837030 ---h----- C:\WINNT\ShellIconCache
2008-05-23 23:07:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-21 03:10:23 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-28 05:16:01 1160 --a------ C:\WINNT\mozver.dat
2008-04-24 03:53:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-04-23 15:36:09 0 --a------ C:\WINNT\nsreg.dat
2008-04-23 15:36:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-03 01:28:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-04-03 01:27:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-02 18:11:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-02 18:11:35 0 d-------- C:\Program Files\Google
2008-04-01 23:54:35 0 d-------- C:\Program Files\Adaptec
2008-04-01 23:41:36 0 d-a------ C:\Program Files\Common Files
2008-03-29 15:13:54 1 ---h----- C:\Boots.sys
2008-03-26 08:45:59 1728512 --a------ C:\WINNT\system32\gdiplus.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 03:05p C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/08 04:25a]
"Tweak UI"="TWEAKUI.CPL" [06/18/00 02:03p C:\WINNT\system32\TWEAKUI.CPL]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotkeyz"="c:\program files\skynergy\hotkeyz\hotkeyz.exe" [11/21/06 12:05p]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/02/08 06:11p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"FlashPlayerUpdate"=C:\WINNT\system32\Macromed\Flash\GetFlash.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"HideLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"HideLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"RestrictCpl"=0 (0x0)
"DisallowCpl"=0 (0x0)
"NoViewOnDrive"=0 (0x0)
"RestrictRun"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoPropertiesMyDocuments"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoCustomizeWebView"=0 (0x0)
"NoFileMenu"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoWinKeys"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoDFSTab"=0 (0x0)
"NoHardwareTab"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoWebView"=0 (0x0)
"DontShowSuperHidden"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoSMConfigurePrograms"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoSMMyPictures"=0 (0x0)
"NoStartMenuMyMusic"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoHelp"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoCommonGroups"=1 (0x1)
"NoChangeStartMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoDisconnect"=0 (0x0)
"NoNtSecurity"=0 (0x0)
"GreyMSIAds"=0 (0x0)
"ForceMaxRecentDocs"=0 (0x0)
"NoStartBanner"=00000000
"NoFileUrl"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoExpandedNewMenu"=0 (0x0)
"SpecifyDefaultButtons"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"NoLogOff"=0 (0x0)
"NoRunasInstallPrompt"=0 (0x0)
"PromptRunasInstallNetPath"=1 (0x1)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoDevMgrUpdate"=0 (0x0)
"ForceCopyAclwithFile"=0 (0x0)
"StartRunNoHOMEPATH"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]
"0?"=mobsync.exe
"1?"=jusched.exe
"2?"=rundll32.exe
"3?"=newadmin.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"RestrictCpl"=0 (0x0)
"DisallowCpl"=0 (0x0)
"NoViewOnDrive"=0 (0x0)
"RestrictRun"=0 (0x0)
"DisallowRun"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoPropertiesMyDocuments"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoCustomizeWebView"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoWinKeys"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoDFSTab"=0 (0x0)
"NoHardwareTab"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoWebView"=0 (0x0)
"DontShowSuperHidden"=0 (0x0)
"NoRun"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoSMConfigurePrograms"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoSMMyPictures"=0 (0x0)
"NoStartMenuMyMusic"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoHelp"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoFind"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ForceStartMenuLogoff"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoDisconnect"=0 (0x0)
"NoNtSecurity"=0 (0x0)
"NoSetFolders"=0 (0x0)
"GreyMSIAds"=0 (0x0)
"ForceMaxRecentDocs"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoStartBanner"=00000000
"NoActiveDesktopChanges"=0 (0x0)
"NoFileUrl"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoExpandedNewMenu"=0 (0x0)
"SpecifyDefaultButtons"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"NoClose"=0 (0x0)
"NoLogOff"=0 (0x0)
"NoRunasInstallPrompt"=0 (0x0)
"PromptRunasInstallNetPath"=1 (0x1)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoDevMgrUpdate"=0 (0x0)
"ForceCopyAclwithFile"=0 (0x0)
"StartRunNoHOMEPATH"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]
"0?"=mobsync.exe
"1?"=jusched.exe
"2?"=rundll32.exe
"3?"=newadmin.exe
"4?"=icwconn1.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ljutep ljutep

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
servicess

*Newly Created Service* - IPNAT
*Newly Created Service* - PSEXESVC
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS



-- End of Deckard's System Scanner: finished at 2008-05-29 21:03:27 ------------
  • 0

#29
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, thanks for the reply.. Let's do the following..


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O4 - .DEFAULT Startup: Ӳ.txt (User 'Default user')
O4 - .DEFAULT User Startup: Ӳ.txt (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.

Note: Please do not fix the Green entry if you have set it intentionally.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"ljutep"=-

NetSvc::
servicess

File::
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\O_EOI.txt

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Regards
fenzodahl512
  • 0
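The CFScript in the post above removes, on the registry side, the non-default svchost group ("ljutep") and the NetSvcs entry ("servicess") that the Deckard's System Scanner dump earlier in this thread reported. As an added example, not part of this thread and not code from ComboFix, HijackThis or DSS, the following Python script parses a DSS-style registry dump and flags the same kinds of entries a helper would look at: svchost groups and NetSvcs members outside a baseline, an explicit RestrictRun allow-list, and non-zero policy values. The sample dump is constructed from lines quoted in the thread, and the KNOWN_SVCHOST_GROUPS and KNOWN_NETSVCS baselines are constructed, partial lists assumed for the example; an entry missing from them is a lead to review against a known-clean machine, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input in the shape of the Deckard's System Scanner (DSS)
# registry dump quoted in this thread: bracketed key headers, "name"=value
# lines, and bare-word lines for svchost groups and NetSvcs members.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"=0 (0x0)
"NoCommonGroups"=1 (0x1)
"NoStartBanner"=00000000
"PromptRunasInstallNetPath"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]
"0?"=mobsync.exe
"1?"=jusched.exe
"2?"=rundll32.exe
"3?"=newadmin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ljutep ljutep

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
servicess
"""

# Partial baseline of svchost group names shipped with Windows 2000/XP.
# Constructed for this example (assumption); extend from a clean reference box.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "rpcss", "localservice", "networkservice",
                        "dcomlaunch", "imgsvc", "termsvcs", "httpfilter"}

# Partial baseline of service names normally in the NetSvcs group on XP.
# Constructed for this example (assumption) and deliberately incomplete.
KNOWN_NETSVCS = {"browser", "lanmanserver", "lanmanworkstation", "schedule",
                 "winmgmt", "wuauserv", "bits", "themes", "ersvc", "helpsvc",
                 "dmserver", "seclogon", "srservice", "trkwks", "shellhwdetection"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>.*)$')
ZERO_VALUES = {"0 (0x0)", "00000000"}   # the two zero spellings DSS uses


def parse_dump(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split a DSS-style dump into {key path (lowercased): [(name, value), ...]}.

    Bracketed lines and the bare 'Svchost - NetSvcs' header open a section;
    '"name"=value' lines are registry values; any other non-empty line is a
    bare entry stored with an empty name (svchost groups, NetSvcs members).
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        if line.upper().startswith("HKEY_") and line.lower().endswith(" - netsvcs"):
            current = line.lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current].append((m.group("name"), m.group("value")))
        else:
            sections[current].append(("", line))
    return sections


def triage(sections: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return human-readable findings worth a second look."""
    findings: List[str] = []
    for key, entries in sections.items():
        if key.endswith("\\policies\\explorer\\restrictrun"):
            programs = [v for _, v in entries]
            if programs:
                findings.append(f"RestrictRun allow-list present under {key}: "
                                f"{', '.join(programs)} (confirm it was set intentionally)")
        elif "\\policies\\" in key:
            for name, value in entries:
                if value not in ZERO_VALUES:
                    findings.append(f"Non-zero policy {name}={value} under {key}")
        elif key.endswith("\\currentversion\\svchost"):
            for _, value in entries:
                group = value.split()[0].lower()   # DSS prints "group group"
                if group not in KNOWN_SVCHOST_GROUPS:
                    findings.append(f"Unknown svchost group '{group}'")
        elif key.endswith(" - netsvcs"):
            for _, value in entries:
                if value.lower() not in KNOWN_NETSVCS:
                    findings.append(f"NetSvcs entry '{value}' not in baseline")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_dump(SAMPLE_DUMP)):
        print(finding)
```

Run on the constructed sample it reports the "ljutep" group and the "servicess" NetSvcs member (the two items the CFScript's Registry:: and NetSvc:: sections address), the RestrictRun list, and the two policy values set to 1. Feed it a full DSS or similar registry dump and compare against a clean machine's output rather than trusting the short baselines in the script.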

#30
wrecklesskane

wrecklesskane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 83 posts
Good morning fenzodahl512, :)

Ok one question before I proceed with the HiJackThis step, what do I do with the green lettered links? Do I check them for fixing too or what? :)
  • 0