I'm Infected Again!


5 replies to this topic

#1 txpaige

txpaige

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 11 December 2007 - 12:30 PM

Tons of popups and my internet explorer locks up. Here's my log:

Thanks!!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:23 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ehmcjxca.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [8c2b93a7] rundll32.exe "C:\WINNT\system32\xbbxgsls.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DomainService - - C:\WINNT\system32\ehmcjxca.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 2166 bytes


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:09:58 PM

Posted 12 December 2007 - 08:00 AM

Hello,

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 txpaige

txpaige
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 12 December 2007 - 09:12 AM

Thank you for your help!

#4 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:09:58 PM

Posted 14 December 2007 - 06:07 PM

Hello, sorry for the delay!

Your log doesn't show an antivirus software running. :thumbsup:
This is somewhat suicidal in today's digital world. If you have disabled your antivirus software, please re-enable it or you need to install an antivirus program as soon as you can and run a complete scan of the computer.
Please download and install one of these good (and free) products:

Avira Antivir
Avast
AVG


Install just one of these products and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Note: I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.


Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below, "if still present":

O23 - Service: DomainService - - C:\WINNT\system32\ehmcjxca.exe

Click on the button shown in the image. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.


Run HijackThis.
Click on Open the Misc Tools Section.
Choose 'delete a file on reboot'. In the field, copy and paste the filepath a few lines below.
Click open. HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now.
When asked if you want to reboot now, say No:
C:\WINNT\system32\ehmcjxca.exe

More information, with a screenshot, can be found here.


Run your HijackThis again.
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "delete an NT service"
  • Copy and paste this in: DomainService
  • Click "ok", then reboot
Download ComboFix from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.

Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
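The fix above singles out two kinds of entry by eye: an O23 service with no vendor string behind it (DomainService) and, in the second log, an O4 Run value named like a hex blob that loads a random-looking DLL from system32 through rundll32.exe. Below is an added Python example, not HijackThis code and not from any post in this thread, that encodes those same rules as a small triage pass over HJT log lines copied from the logs in this thread. The Finding class, the triage function, and the 8-letter-filename and 8-hex-digit thresholds are choices made for this example, not HijackThis conventions.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread: not HijackThis code and not from any post.
The rules encode what the helper checked by eye: an O23 service with no
vendor string, an O4 Run value that is an 8-digit hex string loading an
8-letter DLL from system32 through rundll32, and an O2 BHO whose display
name is a bare GUID or whose file is missing. The 8-letter and hex-name
thresholds are heuristics chosen for this example, not HJT rules.
"""
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the two HijackThis logs posted in this thread, with the
# legitimate entries that sit next to them so the rules have something to pass.
SAMPLE_HJT_LOG = r'''
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {291dc355-04ce-e47b-1ce4-fd8dbeb9335c} - {c5339beb-d8df-4ec1-b74e-ec40553cd192} - C:\WINNT\system32\cotgadop.dll (file missing)
O4 - HKLM\..\Run: [8c2b93a7] rundll32.exe "C:\WINNT\system32\xbbxgsls.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - - C:\WINNT\system32\ehmcjxca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
'''


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O23"
    line: str      # the offending log line
    reason: str    # why the rule fired


# O23 lines read "name - vendor - path"; an empty vendor shows up as "- -".
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<path>\S.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
HEX8_RE = re.compile(r"^[0-9a-f]{8}$")
RANDOM_SYSTEM32_DLL_RE = re.compile(r"system32\\[a-z]{8}\.dll", re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Return the lines that trip one of the three heuristic rules, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            # A service with no company name behind it deserves a second look.
            if not m.group("vendor").strip():
                findings.append(Finding("O23", line, "service has no vendor string"))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if (HEX8_RE.match(m.group("value")) and "rundll32" in cmd.lower()
                    and RANDOM_SYSTEM32_DLL_RE.search(cmd)):
                findings.append(Finding(
                    "O4", line,
                    "hex-named Run value loads an 8-letter system32 DLL via rundll32"))
            continue
        m = BHO_RE.match(line)
        if m:
            reasons = []
            if GUID_RE.match(m.group("name")):
                reasons.append("BHO display name is a bare GUID")
            if m.group("path").endswith("(file missing)"):
                reasons.append("BHO file is missing on disk")
            if reasons:
                findings.append(Finding("O2", line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run as written it reports three entries, all of which the helper ended up removing in this thread: the GUID-named BHO pointing at the missing cotgadop.dll, the 8c2b93a7 Run value, and the vendor-less DomainService. The rules are deliberately narrow; they are a first pass to order a log for review, not a verdict, and a legitimate entry with a missing vendor string would need to be checked by hand.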

#5 txpaige

txpaige
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 19 December 2007 - 05:12 PM

My computer is MUCH better, but I wanted to post this in case I'm missing something. Here's the combofix log.

ComboFix 07-12-19.2 - Paige Sanders 2007-12-19 15:58:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.272 [GMT -6:00]
Running from: C:\Documents and Settings\Paige Sanders\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\msettings.ini
C:\WINNT\system32\sdpyhrcu.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_OHCIUSB
-------\DomainService
-------\ohciusb


((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-19 13:58 . <DIR> C:\WINNT\LastGood.Tmp
2007-12-18 10:29 . 2007-12-18 10:44 <DIR> d-------- C:\VundoFix Backups
2007-12-16 08:43 . 2007-12-16 08:43 <DIR> d-------- C:\Program Files\Avira
2007-12-16 08:43 . 2007-12-16 08:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-16 08:37 . 2007-12-18 09:02 1,134 --ahs---- C:\WINNT\system32\rtsnpjsx.ini
2007-12-13 18:50 . 2007-12-13 19:39 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-12-13 12:28 . 2007-12-16 08:36 1,014 --ahs---- C:\WINNT\system32\wfrwdwax.ini
2007-12-12 12:30 . 2007-12-13 11:40 714 --ahs---- C:\WINNT\system32\pnnjcocn.ini
2007-12-11 08:59 . 2007-12-12 12:21 534 --ahs---- C:\WINNT\system32\slsgxbbx.ini
2007-12-04 08:45 . 2007-12-04 11:58 354 --ahs---- C:\WINNT\system32\vcxphqnd.ini
2007-12-04 08:42 . 2007-12-18 09:02 726,345 --ahs---- C:\WINNT\system32\jjllm.bak2
2007-12-03 10:16 . 2007-12-18 10:39 725,383 ---hs---- C:\WINNT\system32\jjllm.ini
2007-12-03 10:16 . 2007-12-03 10:16 6,495 --ahs---- C:\WINNT\system32\jjllm.bak1
2007-11-29 10:46 . 2007-11-29 10:46 <DIR> d-------- C:\WINNT\.jagex_cache_32
2007-11-27 13:46 . 2007-11-27 13:46 <DIR> d-------- C:\Program Files\Virtools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 19:51 --------- d-----w C:\Documents and Settings\Paige Sanders\Application Data\Image Zone Express
2007-12-16 14:53 --------- d-----w C:\Program Files\ZipForm Desktop
2007-12-11 15:53 --------- d-----w C:\Documents and Settings\Paige Sanders\Application Data\Neopets Toolbar
2007-10-25 16:26 53,248 ----a-w C:\WINNT\bdoscandel.exe
2006-12-21 08:26 271 --sh--w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5339beb-d8df-4ec1-b74e-ec40553cd192}]
C:\WINNT\system32\cotgadop.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-18 09:13]
"8c2b93a7"="C:\WINNT\system32\hehvojea.dll" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe [2006-12-21 18:11:06]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINNT\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Paige Sanders^Start Menu^Programs^Startup^.lnk]
path=C:\Documents and Settings\Paige Sanders\Start Menu\Programs\Startup\.lnk
backup=C:\WINNT\pss\.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 02:56 15360 --a------ C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 01:12 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2004-04-13 16:36 1470464 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 15:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE -quiet

R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINNT\system32\drivers\DVDVRRdr_xp.sys [2004-04-13 16:32]
R1 UDFReadr;UDFReadr;C:\WINNT\system32\drivers\UDFReadr.sys [2004-04-13 16:29]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 06:00:00 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 15:00:00 C:\WINNT\Tasks\At10.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-19 16:00:00 C:\WINNT\Tasks\At11.job"
"2007-12-19 17:00:00 C:\WINNT\Tasks\At12.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-19 18:00:00 C:\WINNT\Tasks\At13.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-19 19:00:00 C:\WINNT\Tasks\At14.job"
"2007-12-19 20:00:00 C:\WINNT\Tasks\At15.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-19 21:00:00 C:\WINNT\Tasks\At16.job"
"2007-12-19 22:00:00 C:\WINNT\Tasks\At17.job"
"2007-12-13 23:00:00 C:\WINNT\Tasks\At18.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 00:00:00 C:\WINNT\Tasks\At19.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 07:00:00 C:\WINNT\Tasks\At2.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 01:00:00 C:\WINNT\Tasks\At20.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 02:00:00 C:\WINNT\Tasks\At21.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 03:00:00 C:\WINNT\Tasks\At22.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 04:00:00 C:\WINNT\Tasks\At23.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 05:00:00 C:\WINNT\Tasks\At24.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 08:00:00 C:\WINNT\Tasks\At3.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 09:00:00 C:\WINNT\Tasks\At4.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 10:00:00 C:\WINNT\Tasks\At5.job"
"2007-12-14 11:00:00 C:\WINNT\Tasks\At6.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 12:00:00 C:\WINNT\Tasks\At7.job"
- C:\WINNT\system32\1Dx7B3B1.exe
"2007-12-14 13:00:00 C:\WINNT\Tasks\At8.job"
"2007-12-14 14:00:00 C:\WINNT\Tasks\At9.job"
- C:\WINNT\system32\1Dx7B3B1.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 16:02:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-19 16:03:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-16 14:55
C:\ComboFix2.txt ... 2007-07-16 14:55


And a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:44 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {291dc355-04ce-e47b-1ce4-fd8dbeb9335c} - {c5339beb-d8df-4ec1-b74e-ec40553cd192} - C:\WINNT\system32\cotgadop.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [8c2b93a7] rundll32.exe "C:\WINNT\system32\hehvojea.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.10.cab?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3956 bytes

#6 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:09:58 PM

Posted 24 December 2007 - 08:47 AM

Hello,


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINNT\system32\rtsnpjsx.ini
C:\WINNT\system32\wfrwdwax.ini
C:\WINNT\system32\pnnjcocn.ini
C:\WINNT\system32\slsgxbbx.ini
C:\WINNT\system32\vcxphqnd.ini
C:\WINNT\system32\jjllm.bak2
C:\WINNT\system32\jjllm.ini
C:\WINNT\system32\jjllm.bak1
C:\WINNT\system32\cotgadop.dll
C:\WINNT\system32\hehvojea.dll
C:\WINNT\Tasks\At1.job
C:\WINNT\system32\1Dx7B3B1.exe
C:\WINNT\Tasks\At10.job
C:\WINNT\Tasks\At11.job
C:\WINNT\Tasks\At12.job
C:\WINNT\Tasks\At13.job
C:\WINNT\Tasks\At14.job
C:\WINNT\Tasks\At15.job
C:\WINNT\Tasks\At16.job
C:\WINNT\Tasks\At17.job
C:\WINNT\Tasks\At18.job
C:\WINNT\Tasks\At19.job
C:\WINNT\Tasks\At2.job
C:\WINNT\Tasks\At20.job
C:\WINNT\Tasks\At21.job
C:\WINNT\Tasks\At22.job
C:\WINNT\Tasks\At23.job
C:\WINNT\Tasks\At24.job
C:\WINNT\Tasks\At3.job
C:\WINNT\Tasks\At4.job
C:\WINNT\Tasks\At5.job
C:\WINNT\Tasks\At6.job
C:\WINNT\Tasks\At7.job
C:\WINNT\Tasks\At8.job
C:\WINNT\Tasks\At9.job

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5339beb-d8df-4ec1-b74e-ec40553cd192}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8c2b93a7"=-

  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Merry Christmas!
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
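The script above is in ComboFix's CFScript format: lines under File:: and Folder:: are paths ComboFix removes, and Registry:: uses regedit .reg syntax, where [-KEY] deletes a key and "name"=- deletes a value under the most recent [KEY]. The added Python example below is not ComboFix code and not from any post in this thread. It parses an excerpt of the posted script into a plan and then checks that every file and folder target actually appeared in the ComboFix and HijackThis logs posted earlier, which is the discipline behind a script like this: each deletion should be traceable to a log observation. OBSERVED_PATHS, the constructed EXAMPLE_not_in_log.ini entry, and the function names are assumptions made for the example.

```python
"""Parse a ComboFix CFScript and cross-check it against log evidence.

Added example for this thread; it is not ComboFix code. The grammar below
covers only the three directive blocks used in the posted script
(File::, Folder::, Registry::) and the two regedit-style Registry forms
that appear there: "[-KEY]" to delete a key, and "name"=- to delete a
value under the most recently named "[KEY]".
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Excerpt of the CFScript posted in this thread, plus one constructed entry
# (EXAMPLE_not_in_log.ini) that no log in the thread ever mentioned.
CFSCRIPT = r'''
File::
C:\WINNT\system32\rtsnpjsx.ini
C:\WINNT\system32\jjllm.ini
C:\WINNT\system32\cotgadop.dll
C:\WINNT\system32\hehvojea.dll
C:\WINNT\Tasks\At1.job
C:\WINNT\system32\1Dx7B3B1.exe
C:\WINNT\system32\EXAMPLE_not_in_log.ini

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5339beb-d8df-4ec1-b74e-ec40553cd192}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8c2b93a7"=-
'''

# Paths that appeared in the ComboFix and HijackThis logs earlier in the thread
# (a hand-picked subset; a real check would collect these by parsing the logs).
OBSERVED_PATHS: Set[str] = {
    r"C:\WINNT\system32\rtsnpjsx.ini",
    r"C:\WINNT\system32\jjllm.ini",
    r"C:\WINNT\system32\cotgadop.dll",
    r"C:\WINNT\system32\hehvojea.dll",
    r"C:\WINNT\Tasks\At1.job",
    r"C:\WINNT\system32\1Dx7B3B1.exe",
    r"C:\VundoFix Backups",
}

SECTION_RE = re.compile(r"^(\w+)::$")
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")
REG_VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')

RegOp = Tuple[str, str, Optional[str]]   # (operation, key, value-name or None)


def parse_cfscript(text: str) -> Dict[str, list]:
    """Turn a CFScript into a plan: file targets, folder targets, registry ops."""
    plan: Dict[str, list] = {"files": [], "folders": [], "registry": []}
    section = None
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            current_key = None
            continue
        if section == "File":
            plan["files"].append(line)
        elif section == "Folder":
            plan["folders"].append(line)
        elif section == "Registry":
            km = REG_KEY_RE.match(line)
            if km:
                current_key = km.group(2)
                if km.group(1) == "-":          # "[-KEY]" deletes the whole key
                    plan["registry"].append(("delete_key", current_key, None))
                continue
            vm = REG_VALUE_DELETE_RE.match(line)
            if vm and current_key:              # '"name"=-' deletes one value
                plan["registry"].append(("delete_value", current_key, vm.group(1)))
                continue
            raise ValueError(f"unrecognised Registry:: line: {line}")
        else:
            raise ValueError(f"line outside any section: {line}")
    return plan


def unreferenced_paths(plan: Dict[str, list], observed: Set[str]) -> List[str]:
    """Script targets that no log line ever mentioned (paths compared case-insensitively)."""
    seen = {p.lower() for p in observed}
    return [p for p in plan["files"] + plan["folders"] if p.lower() not in seen]


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    print(f"{len(plan['files'])} files, {len(plan['folders'])} folders, "
          f"{len(plan['registry'])} registry operations")
    for op in plan["registry"]:
        print("  registry:", op)
    for p in unreferenced_paths(plan, OBSERVED_PATHS):
        print("  NOT SEEN IN ANY LOG:", p)
```

Run as written, the one path flagged is the constructed EXAMPLE_not_in_log.ini; every other target in the excerpt traces back to a line in the ComboFix "Files Created" listing, the scheduled-tasks section, or the HijackThis O2/O4 entries. The parser raises on any Registry:: line it does not recognise rather than silently skipping it, since a script that deletes things should fail loudly on a typo.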



