Jump to content

I am under attack as we speak!


Recommended Posts

I clean it and it always comes back.

here is my highjack this file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:59:52 PM, on 1/28/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Kyocera\FileUtility\SFUSVC.exe

C:\Program Files\Kyocera\FileUtility\nsCatCom.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe

C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\TEMP\BK6CC6.EXE

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Apoint\ApMsgFwd.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Kyocera\FileUtility\NsCatCom.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\System32\svchost.exe

c:\iE5K.exe

C:\WINDOWS\System32\mshta.exe

c:\iE5K.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\System32\mshta.exe

c:\iE5K.exe

C:\Program Files\Windows Media Player\setup_wm.exe

c:\iE5K.exe

c:\iE5K.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\mshta.exe

c:\iE5K.exe

c:\iE5K.exe

c:\iE5K.exe

c:\ZZA.exe

c:\ZZA.exe

c:\ZZA.exe

c:\iE5K.exe

c:\ZZA.exe

c:\ZZA.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4080315

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {1B72D069-A568-46FE-94B7-018FA408E741} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6EA8A3BB-97F8-49E1-8771-13FD7ED48990} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\ZZA.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnHost] c:\ZZA.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnLoad] c:\ZZA.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnConvert] c:\ZZA.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnMessendger] c:\ZZA.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Msn] c:\ZZA.exe (User 'Default user')

O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe

O4 - Global Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\Research In Motion\BlackBerry\Redirector.exe

O4 - Global Startup: Price Feedback Agent.lnk = ?

O4 - Global Startup: Scanner File Utility.lnk = ?

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL zgyqgb.dll C:\WINDOWS\system32\nigokeyo.dll cskevt.dll c:\windows\system32\yireniye.dll ghhhhc.dll c:\windows\system32\telezeva.dll bpanvw.dll c:\windows\system32\jusirodo.dll

O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe

O23 - Service: SFUSVC - KYOCERA MITA CORPORATION - C:\Program Files\Kyocera\FileUtility\SFUSVC.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/davidm/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--

End of file - 14749 bytes

Here is my MBAM Log:

Malwarebytes' Anti-Malware 1.33

Database version: 1698

Windows 5.1.2600 Service Pack 2

1/28/2009 7:26:36 PM

mbam-log-2009-01-28 (19-26-36).txt

Scan type: Quick Scan

Objects scanned: 92147

Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Root Admin

START

The following instructions are only for this Forum member.

Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.

Please DO NOT use the Attachment feature for any log files. Do a Copy/Paste of the entire contents of the log file and submit it inside your reply post.

STEP 01

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it.
  • A black box will briefly appear and then close, it only takes a second and it's done. This will enable your Control Panel and stop the Administrative warnings, at least until the malware infection resets the registry policy keys again. You can run this as many times as you like. A permanent fix requires removing the infection.

STEP 02

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup215.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 03

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP 04

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.



  • Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

STEP 05

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System]

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

STEP 06

Run HijackThis again, System scan only, and save the log file.

STEP 07

Please post back to the Forum:

  • Your last MBAM log results
  • The contents of C:\Combofix.txt
  • Your new HijackThis log
Link to post
Share on other sites

Something is missing from step 4. There was no item shown to check (see below)

STEP 04

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

*

*

Then Quit All Browsers including the one you're reading this in now.

Then click on Fix checked and then quit HJT

Link to post
Share on other sites

  • Root Admin

Sorry about that. Please use the following entries for that.

Disable your TEA TIMER too.

O2 - BHO: (no name) - {1B72D069-A568-46FE-94B7-018FA408E741} - (no file)

O2 - BHO: (no name) - {6EA8A3BB-97F8-49E1-8771-13FD7ED48990} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\ZZA.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnHost] c:\ZZA.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnLoad] c:\ZZA.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnConvert] c:\ZZA.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnMessendger] c:\ZZA.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Msn] c:\ZZA.exe (User 'Default user')

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL zgyqgb.dll C:\WINDOWS\system32\nigokeyo.dll cskevt.dll c:\windows\system32\yireniye.dll ghhhhc.dll c:\windows\system32\telezeva.dll bpanvw.dll c:\windows\system32\jusirodo.dll

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.