Results 1 to 10 of 10
  1. #1
    Member
    Join Date
    Jan 2008
    Posts
    5
    Points
    0

    Default Computer infected with Worm.Win32.Netsky!

    Please help. My computer was infected with this worm last night. I tried following instructions on how to fix this problem from other postings, but my HijackThis log file seems to be slightly different.

    Could someone please help me interpret these results, and tell me what to do next. Thank you so much for your time and help.

    ****************************************


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:25:24 PM, on 1/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: SXG Advisor - {B0F2B740-1E56-450F-93FE-C23419DEC7C6} - C:\WINDOWS\dopfwrltfx.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: The egodktf - {82EA267C-402D-4DB6-A2B8-EBF03D385CC1} - C:\WINDOWS\egodktf.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [hope soap 1 else] C:\Documents and Settings\All Users\Application Data\greyacehopesoap\Loud meal.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [plan axis bib barb] C:\Documents and Settings\All Users\Application Data\ErrorGreatPlanAxis\blehmemo.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Build Obj] C:\DOCUME~1\Steve\APPLIC~1\CURBBO~1\OptionBlah.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1175388657999
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175388643389
    O21 - SSODL: bxsnvqt - {D23DC16A-4620-4E77-8D65-706A046A912D} - C:\WINDOWS\bxsnvqt.dll
    O21 - SSODL: aslpmqk - {ED60F0FB-CCA1-43D1-9D00-82E6D252E2C7} - C:\WINDOWS\aslpmqk.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 8187 bytes

  2. #2
    Member
    Join Date
    Jan 2008
    Posts
    5
    Points
    0

    Default

    Update:

    I analyzed the log file here: http://hijackthis.de/en

    and it said that only: "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2" was bad/nasty. Although it was unsure of some other entries.

    Any thoughts?

  3. #3
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Quote Originally Posted by filmage
    Update:

    I analyzed the log file here: http://hijackthis.de/en

    and it said that only: "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2" was bad/nasty. Although it was unsure of some other entries.

    Any thoughts?
    NO NO NO NO NO Do NOT take any notice of anything the hijackthis.de analyzer says ...

    Actually it's right with that entry being BAD ... but your log is also littered with various malware & Trojans ... I'll be posting instructions for you shortly

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  4. #4
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    How do you know you have Worm.Win32.Netsky! ?

    What programs have you run which tell you this ?

    Post any logs you have from any programs you have run, the more info you give us the easier/better we can clean it out for you ...

    THEN...

    Download: SmitfraudFix.zip from :-

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

    1. Download to your desktop
    2. unzip the zip file to your desktop (they will be extracted to a folder called SmitfraudFix
    3. Double-click smitfraudfix.cmd
    4. Select 1 and hit Enter to create a report of the infected files
    5. find the C:\rapport.txt file and post the contents in your next post here...

    THEN ...

    Download Superantispyware.

    http://www.superantispyware.com/

    Once downloaded and installed update the definitions
    and then run a full system scan quarantine what it finds!

    * Double-click SUPERAntiSypware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

    http://www.superantispyware.com/definitions.html

    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.

    THEN ...

    Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

    Link 1
    Link 2
    Link 3


    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall


    Please remember to post :-

    1. C:\rapport.txt file
    2. SUPERAntiSpyware Scan Log
    3. C:\ComboFix.txt
    4. a new hijackthis log.( run after everything else)

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  5. #5
    Member
    Join Date
    Jan 2008
    Posts
    5
    Points
    0

    Default

    Hi. I thought it was a Worm.win32.netsky virus because of another post stating that 3 icons were found on the desktop (error cleaner, privacy protector, and spyware&malware protection), which are also present on mine.

    Here are the requested logs:

    *****************
    Smitfraudfix
    *****************

    SmitFraudFix v2.274

    Scan done at 16:31:44.06, Sun 01/20/2008
    Run from C:\Documents and Settings\Steve\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\cmd.exe

    hosts


    C:\


    C:\WINDOWS


    C:\WINDOWS\system


    C:\WINDOWS\Web


    C:\WINDOWS\system32


    C:\Documents and Settings\Steve


    C:\Documents and Settings\Steve\Application Data


    Start Menu


    C:\DOCUME~1\Steve\FAVORI~1

    C:\DOCUME~1\Steve\FAVORI~1\Error Cleaner.url FOUND !
    C:\DOCUME~1\Steve\FAVORI~1\Privacy Protector.url FOUND !
    C:\DOCUME~1\Steve\FAVORI~1\Spyware?Malware Protection.url FOUND !

    Desktop

    C:\DOCUME~1\Steve\Desktop\Error Cleaner.url FOUND !
    C:\DOCUME~1\Steve\Desktop\Privacy Protector.url FOUND !
    C:\DOCUME~1\Steve\Desktop\Spyware?Malware Protection.url FOUND !

    C:\Program Files


    Corrupted keys


    Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix.exe by S!Ri


    Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    Rustock



    DNS

    Description: Linksys Wireless-G PCI Adapter with SpeedBooster - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.0.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{1B127DEA-6BE7-4CB9-A19D-91C71360A415}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{1B127DEA-6BE7-4CB9-A19D-91C71360A415}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


    Scanning for wininet.dll infection


    End







    **********************
    Superantispyware
    **********************


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/21/2008 at 07:31 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3259
    Trace Rules Database Version: 1270

    Scan type : Complete Scan
    Total Scan Time : 14:41:37

    Memory items scanned : 368
    Memory threats detected : 0
    Registry items scanned : 5181
    Registry threats detected : 3
    File items scanned : 74288
    File threats detected : 9

    Adware.Tracking Cookie
    C:\Documents and Settings\Steve\Cookies\steve@mediaplex[1].txt
    C:\Documents and Settings\Steve\Cookies\steve@azjmp[1].txt
    C:\Documents and Settings\Steve\Cookies\steve@doubleclick[1].txt
    C:\Documents and Settings\Steve\Cookies\steve@microsoftwga.112.2o7[1].txt
    C:\Documents and Settings\Steve\Cookies\steve@login.tracking101[2].txt
    C:\Documents and Settings\Steve\Cookies\steve@msnportal.112.2o7[1].txt
    C:\Documents and Settings\Steve\Cookies\steve@ads.labpixies[1].txt
    C:\Documents and Settings\Steve\Cookies\steve@atdmt[2].txt
    C:\Documents and Settings\Steve\Cookies\steve@2o7[1].txt

    Trojan.Net-MSV/VPS
    HKCR\MSVPS.MSVPSApp
    HKCR\MSVPS.MSVPSApp\CLSID
    HKCR\MSVPS.MSVPSApp\CurVer



    *****************************************************
    ComboFix
    *****************************************************

    ComboFix 08-01-20.1 - Steve 2008-01-21 9:47:33.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.640 [GMT -5:00]
    Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Steve\Desktop\Error Cleaner.url
    C:\Documents and Settings\Steve\Desktop\Privacy Protector.url
    C:\Documents and Settings\Steve\Desktop\Spyware&Malware Protection.url
    C:\Documents and Settings\Steve\Favorites\Error Cleaner.url
    C:\Documents and Settings\Steve\Favorites\Privacy Protector.url
    C:\Documents and Settings\Steve\Favorites\Spyware&Malware Protection.url
    C:\Program Files\download plugin
    C:\Program Files\download plugin\DlPlugin-Moz\buddy.dat
    C:\Program Files\download plugin\DlPlugin-Moz\npdlplug.dll
    C:\Program Files\download plugin\DlPlugin-Moz\setup2.exe
    C:\Program Files\download plugin\DlPlugin-Moz\vendor.txt
    C:\WINDOWS\dat.txt
    C:\WINDOWS\dopfwrltfx.dll
    C:\WINDOWS\egodktf.dll
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

    ----- Unknown downloads made by BITS: ----
    h**p://softworldnetwork.com
    h**p://onsafepro.com
    .
    ((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
    .

    2008-01-21 09:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-20 16:42 . 2008-01-20 16:42 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-01-20 16:39 . 2008-01-21 09:45 d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-20 16:39 . 2008-01-20 16:39 d-------- C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com
    2008-01-20 16:36 . 2008-01-20 16:36 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-20 16:31 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-01-20 16:31 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-01-20 16:31 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-01-20 16:31 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-01-20 16:31 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-01-20 16:31 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-01-20 16:31 . 2008-01-20 16:31 3,316 --a------ C:\WINDOWS\system32\tmp.reg
    2008-01-20 14:24 . 2008-01-20 14:24 d-------- C:\Program Files\Trend Micro
    2008-01-19 22:27 . 2008-01-19 19:40 323,584 --a------ C:\WINDOWS\bxsnvqt.dll
    2008-01-19 22:27 . 2008-01-19 19:40 217,088 --a------ C:\WINDOWS\aslpmqk.dll
    2008-01-19 22:27 . 2008-01-19 19:40 81,920 --a------ C:\WINDOWS\fknxwqf.exe
    2008-01-05 21:32 . 2008-01-05 21:32 d-------- C:\Program Files\mIRC
    2008-01-05 21:32 . 2008-01-05 21:35 d-------- C:\Documents and Settings\Steve\Application Data\mIRC

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-21 14:52 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-01-20 06:37 --------- d-----w C:\Program Files\Diablo II
    2008-01-20 03:50 --------- d-----w C:\Documents and Settings\Steve\Application Data\curbbooklive
    2008-01-20 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\greyacehopesoap
    2007-12-09 06:31 --------- d-----w C:\Documents and Settings\Steve\Application Data\GetRightToGo
    2007-12-08 23:00 --------- d-----w C:\Program Files\TryMedia
    2007-12-08 05:58 --------- d-----w C:\Program Files\InstallShield Installation Information
    2007-12-08 05:54 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-12-02 21:58 --------- d-----w C:\Program Files\Hero Editor
    2007-12-02 21:57 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2007-12-02 21:57 249,856 ------w C:\WINDOWS\Setup1.exe
    2007-11-30 21:47 --------- d-----w C:\Program Files\Geospiza
    2007-11-04 19:04 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
    2007-10-14 21:30 22,384 -c--a-w C:\Documents and Settings\Steve\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "Build Obj"="C:\DOCUME~1\Steve\APPLIC~1\CURBBO~1\OptionBlah.exe" [ ]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48 479232]
    "hope soap 1 else"="C:\Documents and Settings\All Users\Application Data\greyacehopesoap\Loud meal.exe" [ ]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31 66680]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 19:36 124232]
    "plan axis bib barb"="C:\Documents and Settings\All Users\Application Data\ErrorGreatPlanAxis\blehmemo.exe" [ ]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12 483328]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 08:43 188416]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 10:24 49152]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 18:51 233472]
    "DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 17:37 229437]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-04-05 21:06:09 25214]
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20 40048]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 23:01:50 734872]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "bxsnvqt"= {D23DC16A-4620-4E77-8D65-706A046A912D} - C:\WINDOWS\bxsnvqt.dll [2008-01-19 19:40 323584]
    "aslpmqk"= {ED60F0FB-CCA1-43D1-9D00-82E6D252E2C7} - C:\WINDOWS\aslpmqk.dll [2008-01-19 19:40 217088]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    --a--c--- 2005-06-06 22:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe


    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-21 14:00:00 C:\WINDOWS\Tasks\AED67F469181EF7E.job"
    - c:\docume~1\steve\applic~1\curbbo~1\dumb rdr play.exe
    "2007-09-05 13:08:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-21 09:53:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\WINDOWS\bxsnvqt.dll
    .
    Completion time: 2008-01-21 9:55:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-21 14:55:49
    .
    2008-01-09 15:05:58 --- E O F ---




    ***********************************************
    HijackThis
    ***********************************************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:57:08 AM, on 1/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [hope soap 1 else] C:\Documents and Settings\All Users\Application Data\greyacehopesoap\Loud meal.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [plan axis bib barb] C:\Documents and Settings\All Users\Application Data\ErrorGreatPlanAxis\blehmemo.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Build Obj] C:\DOCUME~1\Steve\APPLIC~1\CURBBO~1\OptionBlah.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1175388657999
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175388643389
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: bxsnvqt - {D23DC16A-4620-4E77-8D65-706A046A912D} - C:\WINDOWS\bxsnvqt.dll
    O21 - SSODL: aslpmqk - {ED60F0FB-CCA1-43D1-9D00-82E6D252E2C7} - C:\WINDOWS\aslpmqk.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 8251 bytes

  6. #6
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:
    File::
    C:\WINDOWS\bxsnvqt.dll
    C:\WINDOWS\aslpmqk.dll
    C:\WINDOWS\fknxwqf.exe
    C:\WINDOWS\Tasks\AED67F469181EF7E.job
    
    Folder::
    C:\Documents and Settings\Steve\Application Data\curbbooklive
    C:\Documents and Settings\All Users\Application Data\greyacehopesoap
    C:\Documents and Settings\All Users\Application Data\ErrorGreatPlanAxis
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
    "Build Obj"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
    "hope soap 1 else"=-
    "plan axis bib barb"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 
    "bxsnvqt"=-
    "aslpmqk"=-
    Save this as "CFScript.txt"

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  7. #7
    Member
    Join Date
    Jan 2008
    Posts
    5
    Points
    0

    Default

    Thanks again for the instructions, your help is greatly appreciated. Here are the log files....




    ComboFix 08-01-20.1 - Steve 2008-01-21 17:17:15.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.627 [GMT -5:00]
    Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Steve\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\WINDOWS\aslpmqk.dll
    C:\WINDOWS\bxsnvqt.dll
    C:\WINDOWS\fknxwqf.exe
    C:\WINDOWS\Tasks\AED67F469181EF7E.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\ErrorGreatPlanAxis
    C:\Documents and Settings\All Users\Application Data\ErrorGreatPlanAxis\junk extra for
    C:\Documents and Settings\All Users\Application Data\greyacehopesoap
    C:\Documents and Settings\All Users\Application Data\greyacehopesoap\Holepeakaxis
    C:\Documents and Settings\Steve\Application Data\curbbooklive
    C:\Documents and Settings\Steve\Application Data\curbbooklive\58BCC58C
    C:\Documents and Settings\Steve\Application Data\curbbooklive\A1CAA7DA
    C:\WINDOWS\aslpmqk.dll
    C:\WINDOWS\bxsnvqt.dll
    C:\WINDOWS\fknxwqf.exe
    C:\WINDOWS\Tasks\AED67F469181EF7E.job

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
    .

    2008-01-21 09:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-20 16:42 . 2008-01-20 16:42 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-01-20 16:39 . 2008-01-21 09:45 d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-20 16:39 . 2008-01-20 16:39 d-------- C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com
    2008-01-20 16:36 . 2008-01-20 16:36 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-20 16:31 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-01-20 16:31 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-01-20 16:31 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-01-20 16:31 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-01-20 16:31 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-01-20 16:31 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-01-20 16:31 . 2008-01-20 16:31 3,316 --a------ C:\WINDOWS\system32\tmp.reg
    2008-01-20 14:24 . 2008-01-20 14:24 d-------- C:\Program Files\Trend Micro
    2008-01-05 21:32 . 2008-01-05 21:32 d-------- C:\Program Files\mIRC
    2008-01-05 21:32 . 2008-01-05 21:35 d-------- C:\Documents and Settings\Steve\Application Data\mIRC

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-21 22:13 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-01-20 20:56 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2008-01-20 06:37 --------- d-----w C:\Program Files\Diablo II
    2007-12-09 06:31 --------- d-----w C:\Documents and Settings\Steve\Application Data\GetRightToGo
    2007-12-08 23:00 --------- d-----w C:\Program Files\TryMedia
    2007-12-08 05:58 --------- d-----w C:\Program Files\InstallShield Installation Information
    2007-12-08 05:54 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-12-02 21:58 --------- d-----w C:\Program Files\Hero Editor
    2007-12-02 21:57 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2007-12-02 21:57 249,856 ------w C:\WINDOWS\Setup1.exe
    2007-11-30 21:47 --------- d-----w C:\Program Files\Geospiza
    2007-11-25 02:27 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
    2007-11-25 02:27 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
    2007-11-25 02:27 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-11-04 19:04 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-14 21:30 22,384 -c--a-w C:\Documents and Settings\Steve\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-21_ 9.55.30.89 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 14:47:11 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-21 22:17:06 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-21 14:47:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-21 22:17:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-21 14:47:11 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-21 22:17:07 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-21 14:47:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-21 22:17:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-21 14:47:12 4,055,040 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-21 22:17:07 4,055,040 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-21 14:47:12 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-21 22:17:07 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    - 2008-01-21 14:48:06 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-01-21 22:16:39 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-01-21 14:48:06 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-01-21 22:16:39 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48 479232]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31 66680]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 19:36 124232]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12 483328]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 08:43 188416]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 10:24 49152]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 18:51 233472]
    "DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 17:37 229437]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-04-05 21:06:09 25214]
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20 40048]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 23:01:50 734872]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    --a--c--- 2005-06-06 22:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe


    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-05 13:08:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-21 17:21:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-21 17:21:52
    ComboFix-quarantined-files.txt 2008-01-21 22:21:37
    ComboFix2.txt 2008-01-21 14:55:52
    .
    2008-01-09 15:05:58 --- E O F ---





    ***********************
    HijackThis
    ***********************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:22:56 PM, on 1/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1175388657999
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175388643389
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 7509 bytes

  8. #8
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6 Ojg5&lid=2


    Then your logs are clean ...

    Is your problem resolved ?

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  9. #9
    Member
    Join Date
    Jan 2008
    Posts
    5
    Points
    0

    Default

    Hi. Thank you so much. Yes, my problem is now resolved!

    I just had one more question. At first, I was planning to reformat my HD to 'fix' the problem. Would this have worked? Would reformatting reset the windows registry back to a clean status (I'm assuming this virus had some affect on the registry)?

    Thanks again,

  10. #10
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    Yes a format & reinstall would have worked ... but most people find this too much trouble...

    In fact, no matter how much we clean your computer. we can never guarantee that it is completely clean, only a format & reinstall can do that.

    we can only take out what we can see, & if you use every scanner there is, it will not show everything, files & registry entries will be missed, we can just make sure nothing is active & running. All computers will have a build up of orphan files & registry entries in time...

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -