I get this pop-up error "Can not find script C:\WINDOWS\system32\winjpg.jpg" whenever my computer boots or when my applications suddenly shut down. I cannot access Run > Command or Task Manager. I followed the helper's first step by installing ComboFix, and now Run > Command and Task Manager work, but I believe the virus is still on my computer.
I'm wondering if I should follow all the instructions from that post, or if I could skip a few steps to solve the problem effectively.
Here is my ComboFix log after downloading the program.
ComboFix 09-08-18.01 - Ashley 08/19/2009 15:41.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1917.1400 [GMT 8:00]
Running from: c:\documents and settings\Ashley\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Debs\Application Data\ShoppingReport
c:\documents and settings\Debs\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\Debs\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\Debs\Application Data\ShoppingReport\cs\db\Sites.dbs
c:\documents and settings\Debs\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
c:\documents and settings\Debs\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\Debs\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\documents and settings\Debs\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
c:\documents and settings\Debs\Application Data\WeatherDPA
c:\documents and settings\Debs\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\windows\system32\AutoRun.inf
c:\windows\system32\kdfinj.dll
Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll
.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.
2009-08-15 00:19 . 2009-08-15 01:03 -------- d-----w- c:\program files\Electronic Arts
2009-08-13 00:49 . 2009-08-17 15:20 152576 ----a-w- c:\documents and settings\Ashley\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-08 04:29 . 2009-08-08 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Fugazo
2009-08-04 12:41 . 2009-08-04 12:41 -------- d-----w- c:\program files\psx emulation cheater
2009-07-29 03:11 . 2009-07-29 03:11 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-29 02:50 . 2008-10-16 06:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-29 02:50 . 2008-10-16 06:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-07-27 07:41 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\Debs\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-25 11:03 . 2009-07-25 11:03 -------- d-----w- c:\documents and settings\Charles\Application Data\Yahoo!
2009-07-25 10:32 . 2009-07-25 10:32 -------- d-----w- c:\documents and settings\Debs\Application Data\Yahoo!
2009-07-23 08:00 . 2009-07-23 08:00 -------- d-----w- c:\documents and settings\Charles\Application Data\SogouPY.users
2009-07-23 08:00 . 2009-07-23 08:00 -------- d-----w- c:\documents and settings\Charles\Application Data\SogouPY
2009-07-22 04:28 . 2009-07-22 04:28 -------- d-----w- c:\documents and settings\Debs\Local Settings\Application Data\Grubby Games
2009-07-22 04:10 . 2009-08-08 04:20 -------- d-----w- c:\program files\Yahoo! Games
2009-07-21 08:00 . 2009-07-21 08:00 -------- d-----w- c:\documents and settings\Debs\Application Data\SogouPY.users
2009-07-21 08:00 . 2009-07-21 08:00 -------- d-----w- c:\documents and settings\Debs\Application Data\SogouPY
2009-07-20 13:32 . 2009-07-20 13:32 -------- d-----w- c:\program files\iPod
2009-07-20 13:31 . 2009-07-20 13:32 -------- d-----w- c:\program files\iTunes
2009-07-20 13:27 . 2009-07-20 13:27 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 07:48 . 2009-06-20 20:28 -------- d-----w- c:\program files\FlashGet
2009-08-19 06:59 . 2009-04-21 09:50 -------- d-----w- c:\documents and settings\Ashley\Application Data\SogouPY
2009-08-19 01:01 . 2009-05-17 10:36 141162 ----a-w- c:\windows\hpoins14.dat
2009-08-17 15:21 . 2009-02-03 12:30 -------- d-----w- c:\program files\Java
2009-08-15 06:52 . 2009-02-01 06:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-15 01:06 . 2009-05-30 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-08-04 12:41 . 2009-07-06 17:36 -------- d-----w- c:\program files\plugins
2009-08-02 01:13 . 2009-06-01 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-29 03:49 . 2009-02-22 07:46 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-28 15:49 . 2009-07-06 17:36 -------- d-----w- c:\program files\memcards
2009-07-24 21:23 . 2009-02-03 12:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 13:32 . 2009-02-08 11:43 -------- d-----w- c:\program files\Common Files\Apple
2009-07-18 17:42 . 2009-07-18 17:42 -------- d-----w- c:\program files\Gadwin Systems
2009-07-15 22:39 . 2009-04-21 09:50 -------- d-----w- c:\program files\SogouInput
2009-07-15 10:21 . 2009-02-18 16:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-12 20:18 . 2009-06-19 03:17 -------- d-----w- c:\program files\Bonjour
2009-07-12 03:04 . 2009-07-11 08:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-12 02:47 . 2009-07-11 08:57 -------- d-----w- c:\documents and settings\Debs\Application Data\PlayFirst
2009-07-12 02:47 . 2009-07-11 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-07-06 17:36 . 2009-07-06 17:36 -------- d-----w- c:\program files\sstates
2009-07-06 17:36 . 2009-07-06 17:36 -------- d-----w- c:\program files\snap
2009-07-06 17:36 . 2009-07-06 17:36 -------- d-----w- c:\program files\patches
2009-07-06 17:36 . 2009-07-06 17:36 -------- d-----w- c:\program files\docs
2009-07-06 17:36 . 2009-07-06 17:36 -------- d-----w- c:\program files\cheats
2009-07-06 17:36 . 2009-07-06 17:36 -------- d-----w- c:\program files\bios
2009-07-06 17:33 . 2009-06-06 17:55 2316034 ----a-w- c:\program files\epsxe170.zip
2009-07-06 07:04 . 2009-02-08 11:27 73752 ----a-w- c:\documents and settings\Debs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 06:16 . 2009-07-06 06:16 -------- d-----w- c:\documents and settings\Ashley\Application Data\HP
2009-07-06 06:11 . 2009-02-02 11:11 73752 ----a-w- c:\documents and settings\Ashley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 05:42 . 2009-02-09 07:16 73752 ----a-w- c:\documents and settings\Charles\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 05:38 . 2009-07-05 20:43 -------- d-----w- c:\program files\Microsoft Works
2009-07-06 05:36 . 2009-07-06 05:24 -------- d-----w- c:\documents and settings\Debs\Application Data\GetRightToGo
2009-07-05 21:39 . 2009-06-01 02:54 -------- d-----w- c:\documents and settings\Ashley\Application Data\GetRightToGo
2009-06-29 16:12 . 2008-04-23 00:16 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2008-07-12 19:10 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2008-07-12 19:09 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-28 14:35 . 2009-06-28 14:35 -------- d-----r- c:\documents and settings\Debs\Application Data\Brother
2009-06-22 14:51 . 2009-06-22 14:51 -------- d-----w- c:\program files\Gamania
2009-06-21 15:23 . 2009-06-21 15:23 -------- d-----w- c:\program files\Common Files\DirectX
2009-06-21 15:00 . 2009-02-01 05:43 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-20 18:40 . 2009-05-13 14:00 -------- d-----w- c:\program files\Furcadia
2009-06-20 18:30 . 2009-06-20 18:29 179788232 ----a-w- c:\program files\BrightShadow_414.exe
2009-06-20 17:46 . 2009-06-20 17:44 212480248 ----a-w- c:\program files\HolyBeastONLINE_EN090602.exe
2009-06-20 16:54 . 2009-02-01 08:03 -------- d-----w- c:\program files\Microsoft
2009-06-17 18:53 . 2009-06-17 18:53 152576 ----a-w- c:\documents and settings\Ashley\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-16 14:36 . 2008-04-14 08:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2008-04-14 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 03:42 . 2009-03-14 04:34 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 03:42 . 2009-02-08 11:44 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-04 10:30 . 2009-06-04 10:30 10134 ----a-r- c:\documents and settings\Debs\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-03 19:12 . 2008-07-12 19:09 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-02-17 06:19 . 2009-07-06 18:06 2082 ----a-w- c:\program files\readme.txt
2008-05-24 07:24 . 2009-07-06 17:37 275456 ----a-w- c:\program files\ePSXe.exe
2005-05-08 09:56 . 2009-07-06 18:06 55808 ----a-w- c:\program files\zlib1.dll
2002-05-05 16:08 . 2009-07-06 17:36 92662 ----a-w- c:\program files\epsxe.chm
2001-02-08 12:11 . 2009-07-06 17:36 28672 ----a-w- c:\program files\burutter.dll
.
------- Sigcheck -------
[-] 2008-07-12 19:20 1614848 362BC5AF8EAF712832C58CC13AE05750 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Flashget"="c:\program files\FlashGet\FlashGet.exe" [2007-09-25 2007088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-04 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-16 16855552]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-10-11 1826816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
c:\documents and settings\Debs\Start Menu\Programs\Startup\
MP3 Rocket (Minimized).lnk - c:\program files\MP3 Rocket\MP3Rocket.exe [2008-2-21 116224]
c:\documents and settings\Ashley\Start Menu\Programs\Startup\
MP3 Rocket (Minimized).lnk - c:\program files\MP3 Rocket\MP3Rocket.exe [2008-2-21 116224]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29101:TCP"= 29101:TCP:???? ??
"29102:TCP"= 29102:TCP:???? ??
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2/1/2009 2:01 PM 13696]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/22/2009 3:45 PM 55152]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [5/12/2009 2:51 PM 131072]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [5/12/2009 2:51 PM 79104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5F598524-568E-802C-59D7-34B26DB51EAF}]
c:\windows\system32\winxp.exe
.
Contents of the 'Scheduled Tasks' folder
2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
2009-08-18 c:\windows\Tasks\SogouImeMgr.job
- c:\progra~1\SOGOUI~1\423~1.281\PinyinRepair.exe [2009-07-06 08:55]
2009-08-19 c:\windows\Tasks\User_Feed_Synchronization-{A600F662-668F-432A-A6A8-9B5A01B729BA}.job
- c:\windows\system32\msfeedssync.exe [2008-07-12 19:10]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ggfgggggfgfggf - c:\windows\system32\winxp.exe
HKLM-Run-regdiit - c:\windows\system32\winxp.exe
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {8768D5EA-5412-4810-A032-09AD2A726C69} - hxxp://bgweb.nowcdn.co.kr/Bin/DownStarter2.cab
DPF: {8F60EE6F-DC53-4F9C-9E66-84BD2A545805} - hxxp://hb.getamped.com/start/CsLauncher.cab
DPF: {C8F5F737-2683-40B8-BFB6-47B15AC20A79} - hxxps://gash.gamania.co.jp/acxauth/cab/1_2_40/lcjggame.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 15:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ggfgggggfgfggf = c:\windows\system32\winxp.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\HP\Smart Web Printing\hpswp_clipbook.exe
c:\program files\Windows Live\Toolbar\wltuser.exe
.
**************************************************************************
.
Completion time: 2009-08-19 15:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 07:54
Pre-Run: 199,634,796,544 bytes free
Post-Run: 204,640,673,792 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
245 --- E O F --- 2009-07-29 03:12
Any help will be appreciated. I have Avira anti-virus, which always reports 22 warnings when it scans, but even moving them to quarantine does not stop these 22 warnings from appearing.
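Added example (not from the original post, the forum helper, or ComboFix): a small Python triage script that reads a ComboFix log in the format above and flags the defence-tampering and persistence indicators a responder would pull out of this one. Its SAMPLE_LOG is constructed from lines of the posted log; the section headers and REGEDIT4-style lines follow ComboFix's own output format, while the rules, severities and the random-name heuristic are my own. On this log it flags AutoRun.inf under system32, the disinfected mspmsnsv.dll, the sfcfiles.dll that failed the signature check, AntiVirusOverride=1 in the Security Center key (which silences the "no antivirus" warning), the globally open port whose owner name is unreadable, and winxp.exe reached from three launch points (the Active Setup component plus the two orphaned Run entries). The last function speaks to the pop-up itself: "Can not find script ..." is the wording Windows Script Host gives when a launch point still references a script file that no longer exists, and none of the launch points ComboFix printed here names winjpg.jpg. ComboFix omits entries it considers legitimate defaults (the *Note* above the REGEDIT4 block), so whatever still points at that file is not among the printed entries, which argues for running the helper's follow-up steps rather than skipping them.

```python
"""Triage a ComboFix log for persistence and defence-tampering indicators. Added
example for this thread (not from the post or ComboFix); SAMPLE_LOG is constructed
from lines of the posted log, the detection rules and severities are mine."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
((((((((((((( Other Deletions )))))))))))))
c:\windows\system32\AutoRun.inf
Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
------- Sigcheck -------
[-] 2008-07-12 19:20 1614848 362BC5AF8EAF712832C58CC13AE05750 c:\windows\system32\sfcfiles.dll
((((((((((((( Reg Loading Points )))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29101:TCP"= 29101:TCP:???? ??
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5F598524-568E-802C-59D7-34B26DB51EAF}]
c:\windows\system32\winxp.exe
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ggfgggggfgfggf - c:\windows\system32\winxp.exe
HKLM-Run-regdiit - c:\windows\system32\winxp.exe
"""

PAREN_HDR = re.compile(r"^\(+\s*(.+?)\s*\)+$")                          # ((( Name )))
DASH_HDR = re.compile(r"^(?:- ?)+\s*([A-Za-z].*?[A-Za-z])\s*(?: ?-)+$")  # --- Name ---
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
ORPHAN = re.compile(r"^(HKLM|HKU|HKCU)-(\w+)-(\S+)\s+-\s+(.+)$")     # HKLM-Run-name - target

def parse_sections(text):
    """Map lower-cased ComboFix section names to their non-empty lines ('.' spacers dropped)."""
    sections, current = defaultdict(list), "preamble"
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == ".":
            continue
        hdr = PAREN_HDR.match(line) or DASH_HDR.match(line)
        if hdr:
            current = hdr.group(1).lower()
        else:
            sections[current].append(line)
    return sections

def reg_entries(lines):
    """Yield (key, name, data); a bare path under an Active Setup key is yielded with name None."""
    key = None
    for line in lines:
        if (k := REG_KEY.match(line)):
            key = k.group(1).lower()
        elif key and (v := REG_VALUE.match(line)):
            yield key, v.group(1), v.group(2)
        elif key and "active setup" in key:
            yield key, None, line

def looks_random(name):
    """Crude heuristic for machine-generated value names: long, letters only, few distinct letters."""
    return len(name) >= 8 and name.isalpha() and len(set(name.lower())) <= len(name) // 3

def triage(text):
    """Return (severity, message) findings from a ComboFix log."""
    s, findings, launch = parse_sections(text), [], defaultdict(list)  # launch: binary -> launch points
    for line in s.get("other deletions", []):
        low = line.lower()
        if low.endswith(r"\autorun.inf") and "system32" in low:
            findings.append(("high", "AutoRun.inf removed from a system directory: " + line))
        elif low.startswith("infected copy of"):
            findings.append(("high", "Infected system file disinfected: " + line))
    for line in s.get("sigcheck", []):
        if line.startswith("[-]"):          # ComboFix marks a failed signature check with [-]
            findings.append(("high", "System file failed signature check: " + line.split()[-1]))
    for key, name, data in reg_entries(s.get("reg loading points", [])):
        leaf = key.rsplit("\\", 1)[-1]
        if leaf == "security center" and name == "AntiVirusOverride" and data.endswith("1"):
            findings.append(("high", "Security Center AntiVirusOverride=1 (missing-AV alerts suppressed)"))
        elif key.endswith(r"globallyopenports\list") and "?" in data:
            findings.append(("medium", "Globally open port with unreadable owner name: " + name))
        elif "active setup" in key and name is None:   # ComboFix lists only non-default entries
            findings.append(("high", "Non-default Active Setup component runs " + data))
            launch[data.lower()].append("ActiveSetup " + leaf)
        elif leaf in ("run", "runonce") and data.startswith('"'):
            launch[data.split('"')[1].lower()].append(leaf + " " + name)
    for line in s.get("orphans removed", []):
        if (m := ORPHAN.match(line)):
            hive, loc, name, target = m.groups()
            launch[target.lower()].append(f"{hive}-{loc} {name}")
            if looks_random(name):
                findings.append(("medium", f"Run entry with random-looking name '{name}' -> {target}"))
    for target, refs in launch.items():   # one binary wired into several launch points
        if len(refs) > 1:
            findings.append(("high", f"{target} registered from {len(refs)} launch points: " + ", ".join(refs)))
    return findings

def launch_points_referencing(text, filename):
    """Printed launch-point lines (Reg Loading Points, orphans) that mention filename."""
    s, needle = parse_sections(text), filename.lower()
    return [l for sec in ("reg loading points", "orphans removed") for l in s.get(sec, []) if needle in l.lower()]

if __name__ == "__main__":
    for sev, msg in sorted(triage(SAMPLE_LOG), key=lambda f: f[0] != "high"):
        print(f"[{sev}] {msg}")
    print("launch points naming winjpg.jpg:", launch_points_referencing(SAMPLE_LOG, "winjpg.jpg"))
```

To run it on a real log, pass the saved file's contents to `triage()` instead of SAMPLE_LOG; only the section names the script knows are inspected, everything else in the log is parsed and ignored.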