Malware Protector 2008...


1 reply to this topic

#1 EvilCowStool

  • Members
  • 1 posts

Posted 11 June 2008 - 07:55 PM

I woke up this morning to see bugs eating my desktop. I was furious to say the least. With a whole lot of searching and trying random things, I have yet to get rid of Malware Protector 2008. I followed all your guides and have come up with this:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-11 17:48:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:49:15, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\WINDOWS\system32\lphclunj0ea1a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetModule\GetModule18.exe
C:\Program Files\GetPack\GetPack18.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.remotemgr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [lphclunj0ea1a] C:\WINDOWS\system32\lphclunj0ea1a.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Xerng] C:\WINDOWS\system32\?ssembly\?hkntfs.exe
O4 - HKCU\..\Run: [Kzhvig] C:\WINDOWS\system32\??pPatch\t?skmgr.exe
O4 - HKCU\..\Run: [Lorlc] C:\WINDOWS\system32\?ssembly\w?nspool.exe
O4 - HKCU\..\Run: [Yewmwa] "C:\Documents and Settings\Owner\Application Data\?ssembly\w?auboot.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GetModule18] "C:\Program Files\GetModule\GetModule18.exe"
O4 - HKCU\..\Run: [GetPack18] "C:\Program Files\GetPack\GetPack18.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.remotemgr.com
O15 - Trusted Zone: http://www.remotemgr.com
O15 - Trusted Zone: http://*.remotemgr.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78828311-ECC9-4C4C-854D-2959720E4F27}: NameServer = 4.2.2.1,4.2.2.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4669 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - NOTEPAD.EXE %1
.ini - inifile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.reg - regfile - shell\edit\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01D51028&REV_02\3&172E68DD&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01D51028&REV_02\3&172E68DD&0&FD
Service:


-- Files created between 2008-05-11 and 2008-06-11 -----------------------------

2100-01-06 12:52:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2100-01-01 09:01:41 246 --a------ C:\Program Files\Common Files\qufan815
2100-01-01 08:28:58 0 d-------- C:\WINDOWS\pss
2099-12-30 23:02:56 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-11 16:10:50 0 d-------- C:\Program Files\Trend Micro
2008-06-11 15:46:35 0 d-------- C:\cmdcons
2008-06-11 15:46:01 68096 --a------ C:\WINDOWS\zip.exe
2008-06-11 15:46:01 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-11 15:46:01 98816 --a------ C:\WINDOWS\sed.exe
2008-06-11 15:46:01 80412 --a------ C:\WINDOWS\grep.exe
2008-06-11 15:46:01 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-11 15:46:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-11 15:46:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-11 15:46:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-11 15:20:10 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-11 15:20:08 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 15:20:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 14:50:25 930 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-11 14:46:38 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-11 14:46:38 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-11 14:46:38 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-11 14:46:38 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-11 14:46:38 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-11 14:46:38 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-11 14:46:38 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-11 14:46:38 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-11 14:46:38 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-11 14:46:38 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-11 14:46:38 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-11 14:46:38 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-11 14:46:38 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-11 14:46:38 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-11 11:58:53 0 d-------- C:\Program Files\GetPack
2008-06-11 08:36:57 0 d-------- C:\Program Files\Alwil Software
2008-06-11 08:09:18 0 d-------- C:\Documents and Settings\Owner\Application Data\shcjunj0ea1a
2008-06-11 08:07:03 92160 --a------ C:\WINDOWS\system32\lphclunj0ea1a.exe
2008-06-11 07:53:37 0 d-------- C:\Program Files\iCheck
2008-06-11 07:53:37 0 d-------- C:\Program Files\GetModule


-- Find3M Report ---------------------------------------------------------------

2100-01-06 13:13:07 0 d-------- C:\Program Files\Common Files
2100-01-01 08:18:00 246 --a------ C:\Program Files\Common Files\qufan206
2099-12-30 23:17:42 826 --a------ C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
2008-06-11 13:36:25 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArtChk"="C:\WINDOWS\system32\artchker.exe" []
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [01/16/2004 05:04]
"lphclunj0ea1a"="C:\WINDOWS\system32\lphclunj0ea1a.exe" [06/11/2008 08:07]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [06/10/2008 19:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xerng"="C:\WINDOWS\system32\?ssembly\?hkntfs.exe" []
"Kzhvig"="C:\WINDOWS\system32\??pPatch\t?skmgr.exe" []
"Lorlc"="C:\WINDOWS\system32\?ssembly\w?nspool.exe" []
"Yewmwa"="C:\Documents and Settings\Owner\Application Data\?ssembly\w?auboot.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 06:56]
"GetModule18"="C:\Program Files\GetModule\GetModule18.exe" [06/09/2008 14:40]
"GetPack18"="C:\Program Files\GetPack\GetPack18.exe" [06/10/2008 02:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,





-- End of Deckard's System Scanner: finished at 2008-06-11 17:49:49 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 509.98 MiB / 276 MiB
Pagefile Memory (total/avail): 1248.88 MiB / 1013.75 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.93 MiB

C: is Fixed (NTFS) - 145.97 GiB total, 136.05 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6L160P0 - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 145.97 GiB - C:
\PARTITION2 - Unknown - 3 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.8.1201 [VPS 080611-1] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ECT-CL91D91
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\ECT-CL91D91
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=ECT-CL91D91
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Internet Speed Monitor --> C:\Program Files\iCheck\Uninstall.exe
J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
Lexmark 4200 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBMUN5C.EXE -dLexmark 4200 Series
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type5610 / Error
Event Submitted/Written: 06/03/2008 07:25:02 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application svchost.exe, version 5.1.2600.2180, faulting module rastapi.dll, version 5.1.2600.2180, fault address 0x0000bba5.
Processing media-specific event for [svchost.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12795 / Error
Event Submitted/Written: 06/11/2008 02:55:15 PM
Event ID/Source: 54 / Print
Event Description:
Document ccmachooo.rtf was corrupted and has been deleted. The associated driver is: Generic / Text Only.

Event Record #/Type12791 / Error
Event Submitted/Written: 06/11/2008 02:54:28 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type12790 / Error
Event Submitted/Written: 06/11/2008 02:54:24 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type12789 / Error
Event Submitted/Written: 06/11/2008 02:53:46 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type12788 / Error
Event Submitted/Written: 06/11/2008 02:49:53 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
aswSP
aswTdi
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
OMCI
RasAcd
Rdbss
Tcpip



-- End of Deckard's System Scanner: finished at 2008-06-11 17:49:49 ------------


#2 Guest_Cretemonster_*

  • Guests

Posted 13 June 2008 - 06:11 AM

Hi and Welcome to the forums.

Open HijackThis -> click "Do a System Scan Only" and put a check by these, but DO NOT hit the Fix Checked button yet:

O4 - HKLM\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe

O4 - HKLM\..\Run: [lphclunj0ea1a] C:\WINDOWS\system32\lphclunj0ea1a.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [Xerng] C:\WINDOWS\system32\?ssembly\?hkntfs.exe

O4 - HKCU\..\Run: [Kzhvig] C:\WINDOWS\system32\??pPatch\t?skmgr.exe

O4 - HKCU\..\Run: [Lorlc] C:\WINDOWS\system32\?ssembly\w?nspool.exe

O4 - HKCU\..\Run: [Yewmwa] "C:\Documents and Settings\Owner\Application Data\?ssembly\w?auboot.exe"

O4 - HKCU\..\Run: [GetModule18] "C:\Program Files\GetModule\GetModule18.exe"

O4 - HKCU\..\Run: [GetPack18] "C:\Program Files\GetPack\GetPack18.exe"

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.

Next, update MBAM and run a quick scan, remove all it finds and reboot if needed.

Once that's complete, download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
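The triage in the reply above is done by eye. As an added example that is not part of the original thread, the Python below applies the same kind of checks to the O4 Run entries posted in the log, cross-referenced against the DSS "Files created" section: it flags a path containing non-ANSI characters (HijackThis is an ANSI program and prints such characters as "?", which is why folders like "?ssembly" look almost like the real "assembly" directory), a file name that mimics a known Windows binary while living outside the Windows directories (t?skmgr.exe vs. taskmgr.exe), and a target that was created, or sits under a directory that was created, during the scanner's 30-day window. The list of known system binaries, the three heuristics and the sample lines are my own assumptions for illustration, not behaviour of HijackThis or DSS; the sample input is copied from the log in this thread.

```python
import re

# Constructed sample input: O4 Run entries from the HijackThis log and a few
# lines from the DSS "Files created" section, copied from the thread above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [lphclunj0ea1a] C:\WINDOWS\system32\lphclunj0ea1a.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Xerng] C:\WINDOWS\system32\?ssembly\?hkntfs.exe
O4 - HKCU\..\Run: [Kzhvig] C:\WINDOWS\system32\??pPatch\t?skmgr.exe
O4 - HKCU\..\Run: [Lorlc] C:\WINDOWS\system32\?ssembly\w?nspool.exe
O4 - HKCU\..\Run: [Yewmwa] "C:\Documents and Settings\Owner\Application Data\?ssembly\w?auboot.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GetModule18] "C:\Program Files\GetModule\GetModule18.exe"
O4 - HKCU\..\Run: [GetPack18] "C:\Program Files\GetPack\GetPack18.exe"
"""

SAMPLE_DSS_CREATED = r"""
2008-06-11 15:20:08 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 11:58:53 0 d-------- C:\Program Files\GetPack
2008-06-11 08:07:03 92160 --a------ C:\WINDOWS\system32\lphclunj0ea1a.exe
2008-06-11 07:53:37 0 d-------- C:\Program Files\GetModule
"""

# Assumed, illustrative list of Windows XP binaries that malware likes to mimic.
KNOWN_SYSTEM_EXES = sorted({
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "ctfmon.exe", "spoolsv.exe", "taskmgr.exe",
    "chkntfs.exe", "rundll32.exe", "regedit.exe", "cmd.exe", "wuauclt.exe",
})
CANONICAL_DIRS = (r"c:\windows\system32", r"c:\windows")

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
CREATED_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) +\d+ +\S+ +(?P<path>.+)$')


def command_path(cmd):
    """Return the executable path from a Run value's command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def lookalike_of(basename):
    """Known system binary this basename matches when HijackThis' '?' placeholders
    (characters outside the ANSI code page) are treated as single-character wildcards."""
    pattern = re.compile("^" + re.escape(basename).replace(r"\?", ".") + "$", re.IGNORECASE)
    for real in KNOWN_SYSTEM_EXES:
        if pattern.match(real):
            return real
    return None


def parse_created(dss_text):
    """(lower-cased path, timestamp) for every line of the DSS 'Files created' section."""
    out = []
    for line in dss_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            out.append((m.group("path").lower(), m.group("ts")))
    return out


def created_recently(path, created):
    """Timestamp of the created entry covering `path` (the file itself or a parent dir), else None."""
    p = path.lower()
    for cpath, ts in created:
        if p == cpath or p.startswith(cpath + "\\"):
            return ts
    return None


def triage_run_entries(hjt_text, dss_created_text):
    """Return the O4 Run entries worth a second look, each with the reasons it was flagged."""
    created = parse_created(dss_created_text)
    findings = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = command_path(m.group("cmd"))
        directory, _, base = path.rpartition("\\")
        reasons = []
        if "?" in path:
            reasons.append("non-ANSI characters in path (shown as '?' by HijackThis)")
        real = lookalike_of(base)
        if real and (base.lower() != real or directory.lower() not in CANONICAL_DIRS):
            reasons.append(f"name mimics {real} outside its normal location")
        ts = created_recently(path, created)
        if ts:
            reasons.append(f"file or parent directory created {ts}")
        if reasons:
            findings.append({"hive": m.group("hive"), "name": m.group("name"),
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_HJT, SAMPLE_DSS_CREATED):
        print(f"{f['hive']} [{f['name']}] {f['path']}\n    " + "; ".join(f["reasons"]))
```

On the sample input this flags the four "?" entries, lphclunj0ea1a.exe, GetModule18, GetPack18 and the Malwarebytes reboot entry, and leaves ctfmon.exe and the Lexmark entry alone; artchker.exe is not caught by any of these rules and still needs the analyst's judgement, which is the usual limit of log-only heuristics. One practical caveat behind the "?" rule: the real folder is not named "?ssembly"; its name contains characters that an ANSI tool cannot display, so a name typed with "?" at a cmd.exe prompt is a wildcard, not the folder, and removal normally needs a Unicode-aware tool.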



