Red icon with white cross in taskbar [CLOSED]


  • This topic is locked

#1 StevenRei160 (New Member, 1 post)
Hi, well that blasted icon and a fake antivirus software infected my PC. I took out Bravesentry with SmitRem (which I highly recommend) but cannot take out the icon. Here is my HijackThis log file. I hope you can help me and will highly appreciate help whether the results are good or not.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:37:36, on 2008-7-6
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\conime.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Handpad\mynewpad.exe
D:\KAV6\KpopMon.EXE
D:\KAV6\KWatchUI.EXE
D:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
D:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
D:\WINDOWS\VM_STI.EXE
D:\KAV6\MailMon.EXE
D:\WINDOWS\services.exe
D:\WINDOWS\System32\winds32.exe
D:\KAV6\KAVPlus.EXE
D:\Program Files\D-Link\DSL-200\CnxDslTb.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Documents and Settings\LocalService\svchost.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\AdVantage\AdVantage.exe
D:\WINDOWS\msvecurity.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\msssecurity.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\gadmei\TV Plus 3.0\TVR 2.0\ScheduleTV.exe
D:\Documents and Settings\Administrator\「开始」菜单\程序\启动\ctfmon.exe
D:\Program Files\CncimAdsl\CNCIM.exe
D:\WINDOWS\System32\dflgh8jkd2q2.exe
D:\WINDOWS\System32\dflgh8jkd2q6.exe
D:\WINDOWS\System32\dflgh8jkd2q7.exe
D:\WINDOWS\System32\dflgh8jkd2q5.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {BB936323-19FA-4521-BA29-ECA6A121BC78} - (no file)
R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - D:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\drivers\services.exe
O2 - BHO: QuickTalk 2.1 - {A34FA88D-8437-4634-8A60-E913011EF2E5} - D:\DOCUME~1\LOCALS~1\APPLIC~1\sp1\qaccess.dll
O2 - BHO: IE_ADS Helper Object - {F8E2D735-5D21-4B00-B6DE-D82ED0CA8B63} - D:\WINDOWS\System32\yg.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 金山毒霸 - {A9BE2902-C447-420A-BB7F-A5DE921E6138} - D:\KAV6\KAIEPlus.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - D:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [mynewpad] D:\Program Files\Handpad\mynewpad.exe
O4 - HKLM\..\Run: [KAVRun] D:\KAV6\KAVRun.EXE
O4 - HKLM\..\Run: [Kulansyn] D:\KAV6\Kulansyn.EXE
O4 - HKLM\..\Run: [KpopMon] D:\KAV6\KpopMon.EXE
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe D:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [MS-4011 Memory Patch] D:\Documents and Settings\Administrator\桌面\RavSasser.exe -Patch
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] D:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [YLive.exe] D:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] "D:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [BigDogPath] D:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [runservices] D:\WINDOWS\services.exe
O4 - HKLM\..\Run: [[system]] D:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [Handpad] D:\WINDOWS\japi.exe
O4 - HKLM\..\Run: [System32] D:\WINDOWS\System32\winds32.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "D:\Program Files\D-Link\DSL-200\CnxDslTb.exe"
O4 - HKLM\..\Run: [winlogon] D:\Documents and Settings\Administrator\svchost.exe
O4 - HKLM\..\Run: [DriveSystem] D:\WINDOWS\System32\maxpaynowti1.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [AdVantage] "D:\Program Files\AdVantage\AdVantage.exe"
O4 - HKCU\..\Run: [[system]] D:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [msvecurity] D:\WINDOWS\msvecurity.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msssecurity] D:\WINDOWS\msssecurity.exe
O4 - HKCU\..\Run: [winlogon] D:\Documents and Settings\Administrator\svchost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [fci] D:\WINDOWS\System32\fci.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] D:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ctfmon.exe
O4 - Startup: 灵信宽带版.lnk = D:\Program Files\CncimAdsl\CNCIM.exe
O4 - Startup: userinit.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Schedule TV.lnk = D:\Program Files\gadmei\TV Plus 3.0\TVR 2.0\ScheduleTV.exe
O8 - Extra context menu item: Easy-WebPrint打印 - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint添加到打印列表 - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint预览 - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint高速打印 - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Save解霸实时播放 - C:\HEROSOFT\Hero3000\MPURLGET.HTM
O8 - Extra context menu item: 添加到QQ自定义面板 - F:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - F:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://D:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 用QQ彩信发送该图片 - F:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 解霸实时播放 - C:\HEROSOFT\Hero3000\MPURLGET.HTM
O8 - Extra context menu item: 雅虎搜索 - res://D:\PROGRA~1\Yahoo!\Assistant\Assist\yasbar.dll/246
O9 - Extra button: 解霸 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\HEROSOFT\Hero3000\MPLAYER.EXE
O9 - Extra 'Tools' menuitem: 超级解霸 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\HEROSOFT\Hero3000\MPLAYER.EXE
O9 - Extra button: Yahoo 3.5G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.c...p;btn=yahoomail (file missing)
O9 - Extra button: 名品折扣 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.ally...?allyesPara=816 (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.c...amp;btn=yassist (file missing)
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yah....htm?source=Cns (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - f:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - f:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: 金山毒霸网站 - {e1fc9760-7b95-49cd-80b9-8c9e41017b93} - url:http://www.duba.net (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra button: 在线查毒 - {f58d36c3-40be-4418-a786-d8fbe3eb3554} - D:\KAV6\kavie.HTM
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O11 - Options group: [!CNS] 中文上网
O15 - Trusted Zone: http://*.221.208.242.29
O15 - Trusted Zone: http://*.221.208.250.138
O15 - Trusted Zone: http://*.cncmax.cn
O15 - Trusted Zone: http://*.cncmax.hl.cn
O15 - Trusted Zone: http://*.cncmax.tj.cn
O15 - Trusted Zone: http://*.passport.cncmax.cn
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc....afeControls.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: crypt - D:\WINDOWS\SYSTEM32\crypts.dll
O21 - SSODL: qegbdmwf - {5E193337-7FE4-462D-9C78-AA6DC64A52AB} - D:\WINDOWS\qegbdmwf.dll (file missing)
O21 - SSODL: pntqkflv - {DAABD73A-5B76-4B19-A33C-7C34DD413764} - D:\WINDOWS\pntqkflv.dll (file missing)
O23 - Service: AppMgmt - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: AudioSrv - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: BITS - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: CcEvtSvc - Unknown owner - D:\WINDOWS\System32\CcEvtSvc.exe
O23 - Service: CiSvc - Unknown owner - D:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: ClipSrv - Unknown owner - D:\WINDOWS\system32\clipsrv.exe (file missing)
O23 - Service: FCI - Unknown owner - D:\WINDOWS\System32\fci.exe
O23 - Service: gusvc - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: ImapiService - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: InCDsrv - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: InCDsrvR - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: KAVSvc - Unknown owner - D:\KAV6\KAVSvc.EXE (file missing)
O23 - Service: LPTRDCsrv - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: RasMan - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - D:\WINDOWS\system32\drivers\services.exe

--
End of file - 11734 bytes

#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi, lots to play with here, a very nice mixture if I say so myself.

One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


So let's try and clean you up.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {BB936323-19FA-4521-BA29-ECA6A121BC78} - (no file)
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe D:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [runservices] D:\WINDOWS\services.exe
O4 - HKLM\..\Run: [[system]] D:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [System32] D:\WINDOWS\System32\winds32.exe
O4 - HKLM\..\Run: [winlogon] D:\Documents and Settings\Administrator\svchost.exe
O4 - HKLM\..\Run: [DriveSystem] D:\WINDOWS\System32\maxpaynowti1.exe
O4 - HKCU\..\Run: [AdVantage] "D:\Program Files\AdVantage\AdVantage.exe"
O4 - HKCU\..\Run: [[system]] D:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [msvecurity] D:\WINDOWS\msvecurity.exe
O4 - HKCU\..\Run: [msssecurity] D:\WINDOWS\msssecurity.exe
O4 - HKCU\..\Run: [winlogon] D:\Documents and Settings\Administrator\svchost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\S-1-5-19\..\Run: [fci] D:\WINDOWS\System32\fci.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] D:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - Startup: ctfmon.exe
O4 - Startup: 灵信宽带版.lnk = D:\Program Files\CncimAdsl\CNCIM.exe
O4 - Startup: userinit.exe
O20 - Winlogon Notify: crypt - D:\WINDOWS\SYSTEM32\crypts.dll
O21 - SSODL: qegbdmwf - {5E193337-7FE4-462D-9C78-AA6DC64A52AB} - D:\WINDOWS\qegbdmwf.dll (file missing)
O21 - SSODL: pntqkflv - {DAABD73A-5B76-4B19-A33C-7C34DD413764} - D:\WINDOWS\pntqkflv.dll (file missing)
O23 - Service: AppMgmt - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: AudioSrv - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: BITS - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: CcEvtSvc - Unknown owner - D:\WINDOWS\System32\CcEvtSvc.exe
O23 - Service: FCI - Unknown owner - D:\WINDOWS\System32\fci.exe
O23 - Service: gusvc - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: ImapiService - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: LPTRDCsrv - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: RasMan - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - D:\WINDOWS\system32\drivers\services.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

@echo off
REM sc.exe takes the service key name, not the display name. HijackThis shows
REM the key name in parentheses when the two differ, e.g. "Task Scheduler (Schedule)".
sc stop AppMgmt
sc delete AppMgmt
sc stop AudioSrv
sc delete AudioSrv
sc stop BITS
sc delete BITS
sc stop CcEvtSvc
sc delete CcEvtSvc
sc stop FCI
sc delete FCI
sc stop gusvc
sc delete gusvc
sc stop ImapiService
sc delete ImapiService
sc stop LPTRDCsrv
sc delete LPTRDCsrv
sc stop RasMan
sc delete RasMan
sc stop Schedule
sc delete Schedule
exit

Next you will need to create the batch fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file.
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat

This will create a batch file.

Then run fix.bat by double-clicking it. You may see a black box appear; this is normal.

NEXT

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    D:\Documents and Settings\Administrator\「开始」菜单\程序\启动\ctfmon.exe
    D:\Program Files\CncimAdsl\CNCIM.exe
    D:\WINDOWS\System32\dflgh8jkd2q2.exe
    D:\WINDOWS\System32\dflgh8jkd2q6.exe
    D:\WINDOWS\System32\dflgh8jkd2q7.exe
    D:\WINDOWS\System32\dflgh8jkd2q5.exe
    D:\WINDOWS\system32\drivers\services.exe
    D:\WINDOWS\DOWNLO~1\CnsMin.dll
    D:\WINDOWS\services.exe
    D:\WINDOWS\system32\drivers\services.exe
    D:\WINDOWS\System32\winds32.exe
    D:\Documents and Settings\Administrator\svchost.exe
    D:\WINDOWS\System32\maxpaynowti1.exe
    D:\Program Files\AdVantage
    D:\WINDOWS\msvecurity.exe
    D:\WINDOWS\msssecurity.exe
    C:\Windows\xpupdate.exe
    D:\WINDOWS\System32\fci.exe 
    D:\Documents and Settings\LocalService\svchost.exe 
    D:\Program Files\CncimAdsl
    D:\WINDOWS\SYSTEM32\crypts.dll
    D:\WINDOWS\qegbdmwf.dll 
    D:\WINDOWS\pntqkflv.dll
    D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE 
    D:\WINDOWS\System32\CcEvtSvc.exe
    D:\WINDOWS\System32\fci.exe
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. It is imperative that you install this, as it will enable a system recovery in the event of problems.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Logs required: OTMoveIt and ComboFix
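As an added example (not part of the thread, and not HijackThis or OTMoveIt code), the Python below turns the indicators Essexboy used to pick those entries into rules and runs them over lines copied from the log above: a core system binary name outside <windir>\system32, a service image in a Temp directory, anything appended to UserInit, and a Run entry under a Windows directory other than the real one (the log shows Windows on D:). The sample lines are constructed from this log and the D:\WINDOWS location is an assumption taken from it; "(file missing)" on its own is deliberately not treated as a verdict, since the helper left the KAVSvc entry alone.

```python
import ntpath
import re

# Constructed sample in HijackThis format; the lines are copied from the log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] D:\Documents and Settings\Administrator\svchost.exe
O4 - HKLM\..\Run: [[system]] D:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O23 - Service: BITS - Unknown owner - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0.EXE (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - D:\WINDOWS\system32\drivers\services.exe
O23 - Service: KAVSvc - Unknown owner - D:\KAV6\KAVSvc.EXE (file missing)
"""
# Core binaries that legitimately live only in <windir>\system32; a copy elsewhere
# (drivers\, Temp, a user profile) is exactly what the helper flagged above.
CORE_BINARIES = {"svchost.exe", "services.exe", "winlogon.exe", "userinit.exe",
                 "lsass.exe", "smss.exe", "csrss.exe"}
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)

def service_key_name(display):
    """HijackThis prints 'Display Name (KeyName)' when they differ; sc.exe wants the key name."""
    m = re.search(r"\((\S+)\)$", display)
    return m.group(1) if m else display

def _core_binary_outside_system32(path, windir):
    norm = ntpath.normcase(path)
    return (ntpath.basename(norm) in CORE_BINARIES
            and ntpath.dirname(norm) != ntpath.normcase(windir + r"\system32"))

def audit_hijackthis(log_text, windir=r"D:\WINDOWS"):
    """Return (log line, reason) pairs for entries that match the indicators above."""
    win = ntpath.normcase(windir)
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := F2_RE.match(line):
            # Only <windir>\system32\userinit.exe belongs in UserInit; anything appended runs at logon.
            extra = [p for p in m["value"].split(",")
                     if p and ntpath.normcase(p) != win + r"\system32\userinit.exe"]
            if extra:
                findings.append((line, "UserInit runs extra program(s): " + ", ".join(extra)))
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])          # strip quotes, arguments and "(User ...)"
            path = exe["exe"] if exe else m["cmd"]
            if _core_binary_outside_system32(path, windir):
                findings.append((line, "system binary name outside system32: " + path))
            elif "\\windows\\" in ntpath.normcase(path) and not ntpath.normcase(path).startswith(win + "\\"):
                findings.append((line, "runs from a Windows directory other than " + windir))
        elif m := O23_RE.match(line):
            svc = service_key_name(m["display"])
            path = m["path"].replace(" (file missing)", "")   # 'file missing' alone is not a verdict
            if "\\temp\\" in ntpath.normcase(path):
                findings.append((line, f"service '{svc}' runs from a Temp directory"))
            elif _core_binary_outside_system32(path, windir):
                findings.append((line, f"service '{svc}' image is a system binary outside system32"))
    return findings
```

The reported key name (Schedule, not "Task Scheduler") is the one the fix.bat above must pass to sc stop / sc delete.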

#3 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.