
Help Please - Annoying Malaware That Just Wont Go Away


3 replies to this topic

#1 nitin77


  • Members
  • 6 posts

Posted 19 October 2007 - 09:57 PM

hello,

new here, please move if I have posted this in the wrong forum. Sorry for any inconvenience.


I have managed to get infected by some rather annoying malware, don't know if it's just one or two working together because different programs pick up different files. Norton AntiVirus picks up the file c:\windows\system32\alrsvca.dll as being infected with win32.trojan.agent. Adaware Personal picks up the file c:\windows\system32\d3dime.dll as being infected. Vundofix also picks up this same d3dime.dll file.

I have tried everything I know of, including Vundofix, Unlocker, and HijackThis' remove-file-on-startup option, but I just cannot get rid of those two files. A few others are generated by these two files (such as c:\windows\system32\libssl32.dll and c:\windows\system32\libeay32.dll), which I can delete with Unlocker but which get regenerated at startup again.

Any help with this issue would be much appreciated. Right now it's not really damaging, just annoying because it slows up the computer quite a bit, especially when IE is being used. Also, one more thing: Adaware only seems to pick up d3dime.dll if it is running whilst an IE window has been opened or after one has been opened. It never picks it up if no IE window has been opened in a session.

My HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:44 PM, on 20/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vVX6000.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
D:\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&s...81&_lang=EN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36785DA0-32BA-47D8-8704-82BFDEE17637} - c:\windows\system32\d3dime.dll
O2 - BHO: (no name) - {43388A56-ED94-45F5-8FFF-C1214C2D0C39} - C:\WINDOWS\System32\alrsvca.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37790.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://livecbn.support.googlepages.com/livetv.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by116fd.bay116.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: qimjdscr - C:\WINDOWS\SYSTEM32\d3dime.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


cheers
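Added example, not part of the thread or of any tool named in it: a small Python triage script over HijackThis O2 (Browser Helper Object) and O20 (Winlogon Notify) lines of the kind posted above. It flags the two patterns visible in the log, a BHO registered with "(no name)" that loads from System32, and a Winlogon Notify DLL that is the same file as a BHO; the sample lines are constructed from the log above and the heuristics are review aids for a log reader, not verdicts.

```python
import re
from typing import Dict, List

# Constructed sample: lines shaped like the HijackThis log posted above.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {36785DA0-32BA-47D8-8704-82BFDEE17637} - c:\\windows\\system32\\d3dime.dll
O2 - BHO: (no name) - {43388A56-ED94-45F5-8FFF-C1214C2D0C39} - C:\\WINDOWS\\System32\\alrsvca.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_07\\bin\\ssv.dll
O20 - Winlogon Notify: qimjdscr - C:\\WINDOWS\\SYSTEM32\\d3dime.dll
"""

# One pattern per HijackThis section we triage; named groups keep the
# extraction readable.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.+)$", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$", re.I)


def parse_entries(log: str) -> List[Dict[str, str]]:
    """Turn O2/O20 lines into dicts; every other section is ignored."""
    entries: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "name": m["name"], "clsid": m["clsid"], "path": m["path"]})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"kind": "O20", "name": m["key"], "clsid": "", "path": m["path"]})
    return entries


def in_system32(path: str) -> bool:
    """Case-insensitive check for a path under a System32 directory."""
    return "\\system32\\" in path.lower()


def triage(log: str) -> Dict[str, List[str]]:
    """Return {reason: [paths]} for entries that deserve a closer look.

    Heuristics (review aids, not verdicts):
      * a BHO with no display name loading from System32: legitimate vendors
        almost always register a class name and install under Program Files;
      * a Winlogon Notify DLL that is also registered as a BHO: two
        persistence points on one file, which is what the log above shows.
    """
    entries = parse_entries(log)
    bho_paths = {e["path"].lower() for e in entries if e["kind"] == "O2"}
    findings: Dict[str, List[str]] = {"unnamed_system32_bho": [], "notify_dll_is_bho": []}
    for e in entries:
        if e["kind"] == "O2" and e["name"] == "(no name)" and in_system32(e["path"]):
            findings["unnamed_system32_bho"].append(e["path"])
        if e["kind"] == "O20" and e["path"].lower() in bho_paths:
            findings["notify_dll_is_bho"].append(e["path"])
    return findings


if __name__ == "__main__":
    for reason, paths in triage(SAMPLE_LOG).items():
        print(reason, paths)
```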


#2 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 20 October 2007 - 05:05 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum nitin77 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.


It appears you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


Please move HijackThis to its own permanent folder on the hard drive such as C:\HJT.
Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.

How to create a new folder named HJT
1. Click Start/My Computer; in the 'My Computer' window, open the window in which you want to create the new folder, click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

If you need help with the above, follow the info in the link below:
http://russelltexas.com/malware/createhjtfolder.htm


If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log please.

#3 nitin77

  • Topic Starter

  • Members
  • 6 posts

Posted 20 October 2007 - 09:04 PM

hi Richie,

thanks for the reply and welcome. You were a big help :)

In reply to your post:

- I do have Norton AntiVirus installed, it's just not in Realtime Protection mode (i.e. not always running). I just prefer to run regular checks rather than have it on all the time as it's a system hog.

- New Java tip noted, will download as soon as my new internet billing month starts the day after tomorrow, don't want to get capped this month :thumbsup:

- Followed your tips regarding moving HijackThis into its own directory and ComboFix. I am happy to report that ComboFix seems to have done the trick. It deleted the infected files and cleared out the relevant registry entries too. I've since run Spybot, Adaware, Norton and Vundofix (scan) and they all come up clean. The HijackThis log also appears clean now.

I'm posting the ComboFix and HijackThis logs though, just in case something's still around that I haven't picked up (un-wordwrapped like you asked). It all seems fine though.

One last thing, for future reference: when should ComboFix be used? Is it a last-resort measure that should only be used if Norton, Spybot, Adaware and HijackThis can't eliminate the problem, or is it something that can be used at any time?


ComboFix log:

ComboFix 07-10-21.1 - Nitin 2007-10-21 10:52:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1324 [GMT 10:00]
Running from: C:\Documents and Settings\Nitin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nitin\Application Data\macromedia\Flash Player\#SharedObjects\LQVNT9DK\www.inter-focus.cn
C:\Documents and Settings\Nitin\Application Data\macromedia\Flash Player\#SharedObjects\LQVNT9DK\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
C:\Documents and Settings\Nitin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\Nitin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Documents and Settings\Nitin\Desktop\internet.lnk
C:\WINDOWS\system32\alrsvca.dll
C:\WINDOWS\system32\d3dime.dll
C:\WINDOWS\system32\d3dime.dll.bak
C:\WINDOWS\system32\drivers\bkzjzmaf.dat
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\drivers\uhjosmnw.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_GB
-------\LEGACY_GUCDQZSV
-------\LEGACY_ODKYQURR
-------\LEGACY_SFSYNC02
-------\gucdqzsv
-------\odkyqurr
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-21 10:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 09:35 <DIR> d-------- C:\HijackThis
2007-10-16 08:26 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-10-16 08:26 741,632 --a------ C:\WINDOWS\system32\nvvdmbqb.dat
2007-10-16 08:26 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-10-16 08:26 118,528 --a------ C:\WINDOWS\system32\kkgrwipf.dat
2007-10-16 08:26 41,728 --a------ C:\WINDOWS\system32\guhnbmdk.dat
2007-10-16 08:26 35,584 --a------ C:\WINDOWS\system32\aklzccoy.dat
2007-10-16 08:26 34,560 --a------ C:\WINDOWS\system32\dlcctsiv.dat
2007-10-15 14:45 <DIR> d-------- C:\Documents and Settings\Nitin\Application Data\Yahoo!
2007-10-14 15:22 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-10-14 15:21 15,872 --a------ C:\WINDOWS\system32\6n7ld77zgtre.exe
2007-10-06 11:01 <DIR> d-------- C:\Documents and Settings\Nitin\Application Data\U3
2007-10-04 10:25 <DIR> d-------- C:\Program Files\Veoh Networks
2007-09-27 19:31 <DIR> d-------- C:\Documents and Settings\Nitin\Application Data\RipIt4Me
2007-09-23 13:24 <DIR> d-------- C:\Documents and Settings\Nitin\Application Data\nHancer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 08:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-10 22:29 --------- d-----w C:\Program Files\BitTorrent
2007-10-07 03:01 --------- d-----w C:\Documents and Settings\Nitin\Application Data\BitTorrent
2007-10-04 00:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-23 11:30 --------- d-----w C:\Documents and Settings\Nitin\Application Data\Skype
2007-09-07 23:48 96,704 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-03-18 01:03 1 ----a-w C:\Documents and Settings\Nitin\SI.bin
2006-05-12 06:38 0 ----a-w C:\Program Files\gditst
2006-12-16 04:06:33 354,462 --sh--w C:\WINDOWS\system32\fgjlm.bak1
2007-06-17 02:25:16 890,660 --sh--w C:\WINDOWS\system32\kjkmp.bak1
.


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:55 AM, on 21/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\vVX6000.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\NavNT\vpc32.exe
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&s...81&_lang=EN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37790.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://livecbn.support.googlepages.com/livetv.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by116fd.bay116.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4060 bytes

#4 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 21 October 2007 - 03:35 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save to your desktop.

File::
C:\WINDOWS\system32\nvvdmbqb.dat
C:\WINDOWS\system32\kkgrwipf.dat
C:\WINDOWS\system32\guhnbmdk.dat
C:\WINDOWS\system32\aklzccoy.dat
C:\WINDOWS\system32\dlcctsiv.dat
C:\WINDOWS\system32\6n7ld77zgtre.exe
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\kjkmp.bak1
Folder::
C:\Documents and Settings\Nitin\Application Data\nHancer

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the entire contents of ComboFix.txt in your next reply.

You're running msconfig in Auto mode, which means that you may have selectively unchecked some items in the past from starting up with Windows.
This can be bad if they're malware, so please re-enable those startup entries by doing the following:
Click on Start > Run, type msconfig and then press Enter.
When the 'System Configuration Utility' opens, click on the 'Startup' tab and make sure all the boxes are checkmarked.
Then press Apply/OK to exit the utility.
If it asks you to restart your PC, please don't; it's not necessary at this point.

Also post a new HijackThis log.