Hjt Logfile - I Do Not Know What It Is...


7 replies to this topic

#1 Ragnarok

Posted 25 June 2007 - 10:03 AM

Greetings,

I have another computer that is acting up. When browsing the web we get random pop-ups all the time. Along with that, the computer just does not feel right, if that makes any sense. The HJT log file is posted below. Any help would be appreciated!

Thanks,
Logfile of HijackThis v1.99.1
Scan saved at 12:00:55 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\scchk32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\xfafgwiq.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Conisio Login Manager] "C:\PROGRA~1\GCS\Conisio\EDMSER~1.EXE" /runatlogin
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\sonhdpmx.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Slst] "C:\WINDOWS\WNSXS~1\msdtc.exe" -vt yazb
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CED4D2B9-0FA5-4DF7-9F5E-5751282855F8} (Installer Class) - http://www.eislogan.com/conisioweb/ConisioInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eislogan.local
O17 - HKLM\Software\..\Telephony: DomainName = eislogan.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eislogan.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hxtwkrbh.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe


#2 Aaflac (Malware Response Team)

Posted 29 June 2007 - 10:01 PM

Your log is missing some entries that are normally present, and that may be a sign of malware which intentionally hides from HijackThis.

To get these entries to show, please open the folder where you saved HijackThis
Right-click HijackThis.exe, and select: Rename
Rename Hijackthis.exe to HJT.exe or whatever you like

Then run HijackThis once again, and post a new log.

Old duck...


#3 Ragnarok (Topic Starter)

Posted 02 July 2007 - 04:12 PM

I did as you asked. I renamed HijackThis to jack.exe and ran the scan again. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 6:06:32 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\scchk32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\jack.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {363B16DA-8569-ACEF-1A15-8B8DBE25859B} - C:\WINDOWS\system32\odlu.dll
O2 - BHO: H - {3C6FE25B-66E7-43ce-9EF0-4B25F4F44C64} - C:\WINDOWS\system32\c5q1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\gutkdmpr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\xxywtrr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B56472B9-2FA9-4CC5-9992-0506951F94F1} - C:\WINDOWS\system32\efeff.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Conisio Login Manager] "C:\PROGRA~1\GCS\Conisio\EDMSER~1.EXE" /runatlogin
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\odxqjjke.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Slst] "C:\WINDOWS\WNSXS~1\msdtc.exe" -vt yazb
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CED4D2B9-0FA5-4DF7-9F5E-5751282855F8} (Installer Class) - http://www.eislogan.com/conisioweb/ConisioInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eislogan.local
O17 - HKLM\Software\..\Telephony: DomainName = eislogan.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eislogan.local
O20 - Winlogon Notify: efeff - C:\WINDOWS\system32\efeff.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winkoh32 - winkoh32.dll (file missing)
O20 - Winlogon Notify: xxywtrr - C:\WINDOWS\SYSTEM32\xxywtrr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hxtwkrbh.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

#4 Aaflac (Malware Response Team)

Posted 02 July 2007 - 10:51 PM

It does not appear that you are running an AntiVirus program!!
Please take action now to install one.

Free AntiVirus programs:
Grisoft's AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php

Active Virus Shield (Powered by Kaspersky):
http://www.activevirusshield.com/antivirus/freeav/index.adp
(Uncheck "Install Security Toolbar" during the installation process)

avast! 4 Home: http://www.avast.com/eng/avast_4_home.html

AntiVir Personal Edition: http://www.free-av.com/

~~~~
Next, please go to Start > Run, and type in the following commands one at a time and hit Enter after each line:
sc stop DomainService
sc delete DomainService


~~~~
Run HijackThis, Scan
Check box for:

O2 - BHO: (no name) - {363B16DA-8569-ACEF-1A15-8B8DBE25859B} - C:\WINDOWS\system32\odlu.dll
O2 - BHO: H - {3C6FE25B-66E7-43ce-9EF0-4B25F4F44C64} - C:\WINDOWS\system32\c5q1.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\gutkdmpr.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\xxywtrr.dll
O2 - BHO: (no name) - {B56472B9-2FA9-4CC5-9992-0506951F94F1} - C:\WINDOWS\system32\efeff.dll

O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\odxqjjke.dll",realset
O4 - HKCU\..\Run: [Slst] "C:\WINDOWS\WNSXS~1\msdtc.exe" -vt yazb

O20 - Winlogon Notify: efeff - C:\WINDOWS\system32\efeff.dll
O20 - Winlogon Notify: winkoh32 - winkoh32.dll (file missing)
O20 - Winlogon Notify: xxywtrr - C:\WINDOWS\SYSTEM32\xxywtrr.dll

Select: Fix checked

~~~~
Next, download the following to the Desktop:
VundoFix.exe
* Double-click VundoFix.exe to run it
* Click: Scan for Vundo
* Once done scanning, click: Remove Vundo
* A prompt asking if you want to remove the files appears, click: Yes
* The Desktop goes blank as it starts removing Vundo.
* When completed, a prompt to shutdown the computer appears, click OK
* Turn the computer back on.

A log is created and found in C:\vundofix.txt

~~~~
Also download ComboFix to the Desktop:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

A log, combofix.txt is produced.

~~~~
Please post the C:\vundofix.txt, the ComboFix report, and a new HijackThis log.

Make sure you have an AntiVirus program installed and running when you post back!!

Old duck...

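The triage in the reply above is done by eye: unnamed BHOs pointing at randomly named DLLs in system32, a rundll32 Run entry loading another such DLL, an executable under a look-alike WNSXS~1 directory, Winlogon Notify packages that are not part of Windows, and a service whose binary is missing. The Python script below is an added example, not part of this thread and not a HijackThis or BleepingComputer tool, that encodes those same kinds of checks as rules and runs them over lines copied from the second log in this thread. The allowlists (KNOWN_RUNDLL_DLLS, KNOWN_BARE_EXES, KNOWN_WINLOGON_NOTIFY) and the "fix"/"review" labels are assumptions made for the example.

```python
"""Triage HijackThis 1.99 log lines with the checks the reply above applies by hand.

Rules are assumptions for this example, not HijackThis output or BleepingComputer policy:
  O2  unnamed/one-letter BHO loaded from system32 -> fix
  O4  rundll32 with a system32 DLL outside KNOWN_RUNDLL_DLLS -> fix;
      target under a look-alike 8.3 directory in the Windows folder -> fix;
      bare executable name outside KNOWN_BARE_EXES -> review
  O20 Winlogon Notify DLL not in KNOWN_WINLOGON_NOTIFY, or missing -> fix
  O23 service with "Unknown owner" whose binary is missing -> review
"""
import re

KNOWN_RUNDLL_DLLS = {"nvcpl.dll"}               # assumption: NVIDIA control panel
KNOWN_BARE_EXES = {"logi_mwx.exe", "nwiz.exe"}  # assumption: Logitech, NVIDIA
KNOWN_WINLOGON_NOTIFY = {                        # assumption: stock XP SP2 plus WGA and Symantec
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "wgalogon", "navlogon",
}
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)
FAKE_SHORT_DIR = re.compile(r"^c:\\windows\\[^\\]*~\d\\", re.I)

def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def _target(cmd):
    """First token of a Run value: the quoted path, or the text before the first space."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def triage_line(line):
    """Return (severity, reason) for a suspicious HJT line, or None if no rule fires."""
    line = line.strip()
    m = re.match(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$", line)
    if m:
        name, path = m.groups()
        if (name == "(no name)" or len(name) == 1) and SYSTEM32.match(path):
            return ("fix", "unnamed BHO loaded from system32")
        return None
    m = re.match(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.+)$", line)
    if m:
        cmd = m.group(1)
        if cmd.lower().startswith("rundll32"):
            dll = re.search(r'([^"\s]+\.dll)', cmd, re.I)
            if dll and SYSTEM32.match(dll.group(1)) and _basename(dll.group(1)) not in KNOWN_RUNDLL_DLLS:
                return ("fix", "rundll32 loading an unknown system32 DLL")
            return None
        target = _target(cmd)
        if FAKE_SHORT_DIR.match(target):
            return ("fix", "executable under a look-alike short-name directory in the Windows folder")
        if "\\" not in target and _basename(target) not in KNOWN_BARE_EXES:
            return ("review", "bare executable name with no path")
        return None
    m = re.match(r"^O20 - Winlogon Notify: (\S+) - (.+)$", line)
    if m:
        name, path = m.groups()
        if name.lower() not in KNOWN_WINLOGON_NOTIFY or path.endswith("(file missing)"):
            return ("fix", "non-stock Winlogon Notify package")
        return None
    m = re.match(r"^O23 - Service: (.+?) - (.+?) - (.+)$", line)
    if m and m.group(2) == "Unknown owner" and m.group(3).endswith("(file missing)"):
        return ("review", "unowned service whose binary is missing")
    return None

def triage_log(text):
    """Return [(severity, reason, line)] for every line of an HJT log that a rule flags."""
    hits = []
    for raw in text.splitlines():
        verdict = triage_line(raw)
        if verdict:
            hits.append((verdict[0], verdict[1], raw.strip()))
    return hits

# Lines copied from the second log posted in this thread; not a complete log.
SAMPLE = r"""
O2 - BHO: (no name) - {363B16DA-8569-ACEF-1A15-8B8DBE25859B} - C:\WINDOWS\system32\odlu.dll
O2 - BHO: H - {3C6FE25B-66E7-43ce-9EF0-4B25F4F44C64} - C:\WINDOWS\system32\c5q1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B56472B9-2FA9-4CC5-9992-0506951F94F1} - C:\WINDOWS\system32\efeff.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\odxqjjke.dll",realset
O4 - HKCU\..\Run: [Slst] "C:\WINDOWS\WNSXS~1\msdtc.exe" -vt yazb
O20 - Winlogon Notify: efeff - C:\WINDOWS\system32\efeff.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winkoh32 - winkoh32.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hxtwkrbh.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE):
        print(f"{severity:6} {reason}: {line}")
```

Run against the sample, the rules reproduce most of the reply's fix list: the three unnamed BHOs, the GPLv3 rundll32 entry, the Slst entry under WNSXS~1, and both non-stock Winlogon Notify packages come out as "fix"; smgr.exe and the DomainService entry come out as "review". Two results show where the rules stop and judgement starts: the [SC2] scchk32.exe entry, which the reply does fix, fires no rule here because a plain .exe in system32 cannot be told apart from a legitimate one without knowing the file, and the Atheros ACS entry is flagged for review even though the reply leaves it alone, because a missing binary under an unknown owner looks the same whether it is a leftover wireless-driver service or the DomainService entry with a random eight-letter name. A script like this narrows the list; the person reading the log still decides.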

#5 Ragnarok (Topic Starter)

Posted 03 July 2007 - 11:27 AM

Thanks for your post. I have followed your instructions and here are the latest logs...

COMBOFIX:
ComboFix 07-06-18.2 - C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
"Administrator" - 2007-07-03 13:14:14 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ffefe.ini
C:\WINDOWS\system32\ffefe.tmp
C:\WINDOWS\system32\efeff.dll
C:\WINDOWS\system32\xxywtrr.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\Desktop\internet.lnk
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1\s?rvices.exe
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\wnsxs~1\notepad.exe
C:\WINDOWS\system32\boa.dat
C:\WINDOWS\system32\comi.dll
C:\WINDOWS\system32\mit.bat
C:\WINDOWS\system32\wnstsit32.exe
C:\WINDOWS\wnsxs~1
C:\WINDOWS\wnsxs~1\msdtc.exe~


((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 )))))))))))))))))))))))))))))))


2007-07-03 13:13 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-03 12:28 612 --a------ C:\vpwaf.dat
2007-07-03 11:37 <DIR> d-------- C:\VundoFix Backups
2007-07-03 11:05 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-03 11:05 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-03 11:03 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2007-07-03 11:03 <DIR> d-------- C:\Program Files\Symantec
2007-07-03 11:03 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-03 11:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-06-25 10:37 265 --a------ C:\qkchukoe3.exe
2007-06-25 10:37 265 --a------ C:\qkchukoe2.exe
2007-06-22 16:31 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-22 16:22 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-22 16:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-06-22 16:12 75,522 --a------ C:\qkchukoe1.exe
2007-06-22 12:49 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-22 12:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-22 12:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-22 12:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-22 11:11 286,720 --a------ C:\WINDOWS\system32\scchk32.exe
2007-06-21 14:13 <DIR> d-------- C:\Program Files\XoftSpySE
2007-06-21 07:52 60,928 --a------ C:\WINDOWS\system32\odlu.dll
2007-06-06 18:30 1 --a------ C:\WINDOWS\system32\ps.dat
2007-06-06 17:59 <DIR> d-------- C:\Program Files\AutoCAD 2006
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-22 22:18:21 -------- d-----w C:\Program Files\Windows Desktop Search
2007-06-22 22:04:10 -------- d-----w C:\Program Files\QuickTime
2007-06-22 21:55:13 -------- d-----w C:\Program Files\Messenger
2007-06-22 21:52:35 -------- d-----w C:\Program Files\iTunes
2007-06-22 21:52:06 -------- d-----w C:\Program Files\Google
2007-06-22 21:42:08 -------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-06-06 22:03:54 -------- d-----w C:\Program Files\AnswerWorks 4.0
2007-06-06 21:59:09 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Autodesk
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 18:21:28 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-15 18:21:20 -------- d-----w C:\Program Files\Sony Corporation
2007-05-15 18:16:26 137,903 ----a-w C:\WINDOWS\system32\nvModes.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 01:47]
{2F85D76C-0569-466F-A488-493E6BD0E955}=C:\Program Files\Windows Desktop Search\dsWebAllow.dll [2006-03-26 23:44]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 02:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2003-02-10 10:27 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Conisio Login Manager"="C:\PROGRA~1\GCS\Conisio\EDMSER~1.exe" [2004-10-13 18:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-17 14:49]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-18 19:15]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 14:11]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


Contents of the 'Scheduled Tasks' folder
2007-07-03 17:22:29 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-06-21 18:13:26 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-03 13:22:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-03 13:24:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-03 13:24

--- E O F ---
VUNDOFIX

VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:37:29 AM 7/3/2007

Listing files found while scanning....

C:\WINDOWS\system32\cpurfjex.dll
C:\WINDOWS\system32\efeff.dll
C:\WINDOWS\system32\ffefe.bak1
C:\WINDOWS\system32\ffefe.bak2
C:\WINDOWS\system32\ffefe.ini
C:\WINDOWS\system32\ffefe.ini2
C:\WINDOWS\system32\ffefe.tmp
C:\windows\system32\jkkijhg.dll
C:\WINDOWS\system32\waihmssw.dll
C:\WINDOWS\system32\xxywtrr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\efeff.dll
C:\WINDOWS\system32\efeff.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ffefe.bak1
C:\WINDOWS\system32\ffefe.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ffefe.bak2
C:\WINDOWS\system32\ffefe.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ffefe.ini
C:\WINDOWS\system32\ffefe.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ffefe.ini2
C:\WINDOWS\system32\ffefe.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ffefe.tmp
C:\WINDOWS\system32\ffefe.tmp Has been deleted!

Attempting to delete C:\windows\system32\jkkijhg.dll
C:\windows\system32\jkkijhg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxywtrr.dll
C:\WINDOWS\system32\xxywtrr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\efeff.dll
C:\WINDOWS\system32\efeff.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ffefe.ini
C:\WINDOWS\system32\ffefe.ini Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ffefe.ini2
C:\WINDOWS\system32\ffefe.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxywtrr.dll
C:\WINDOWS\system32\xxywtrr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 12:36:31 PM 7/3/2007

Listing files found while scanning....


VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 1:02:19 PM 7/3/2007

Listing files found while scanning....

C:\windows\system32\efeff.dll
C:\windows\system32\ffefe.ini
C:\windows\system32\ffefe.ini2
C:\windows\system32\ffefe.tmp
C:\WINDOWS\system32\xxywtrr.dll

Beginning removal...

Attempting to delete C:\windows\system32\efeff.dll
C:\windows\system32\efeff.dll Could not be deleted.

Attempting to delete C:\windows\system32\ffefe.ini
C:\windows\system32\ffefe.ini Has been deleted!

Attempting to delete C:\windows\system32\ffefe.ini2
C:\windows\system32\ffefe.ini2 Has been deleted!

Attempting to delete C:\windows\system32\ffefe.tmp
C:\windows\system32\ffefe.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxywtrr.dll
C:\WINDOWS\system32\xxywtrr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\efeff.dll
C:\windows\system32\efeff.dll Could not be deleted.

Attempting to delete C:\windows\system32\ffefe.ini
C:\windows\system32\ffefe.ini Has been deleted!

Attempting to delete C:\windows\system32\ffefe.ini2
C:\windows\system32\ffefe.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxywtrr.dll
C:\WINDOWS\system32\xxywtrr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...



NOTE: It said it could not delete a couple of files. It said to reboot and it would attempt to delete them again. It took a couple of reboots but they appear to have been deleted ok now.
HJT
Logfile of HijackThis v1.99.1
Scan saved at 1:28:27 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\jack.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Conisio Login Manager] "C:\PROGRA~1\GCS\Conisio\EDMSER~1.EXE" /runatlogin
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CED4D2B9-0FA5-4DF7-9F5E-5751282855F8} (Installer Class) - http://www.eislogan.com/conisioweb/ConisioInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eislogan.local
O17 - HKLM\Software\..\Telephony: DomainName = eislogan.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eislogan.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe




Thanks for all of your help so far! Your services are greatly appreciated.

-Ragnarok
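Helpers on this board read logs like the one above by hand, so as an added example (not part of this thread and not HijackThis code) here is a small Python triage script that parses the O-numbered entries and applies a few of the review checks the thread itself relies on: an O16 DPF entry with no download URL, an O23 service whose binary is missing or has no publisher, an unnamed O2 BHO, an O4 Run target that is not a full path, and any O4 entry pointing at a file the helper later lists for removal. The sample lines are copied from the log above except the `[scchk]` Run entry, which is constructed; the WATCHLIST names are the filenames from the Avenger script later in the thread.

```python
import re

# One HijackThis entry: an O-numbered section code, then the entry body.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Filenames the helper on this thread told the poster to remove via Avenger.
WATCHLIST = {"qkchukoe1.exe", "qkchukoe2.exe", "qkchukoe3.exe", "scchk32.exe", "odlu.dll"}

# Constructed sample: lines copied from the log above, plus one constructed
# O4 Run entry for scchk32.exe so the watchlist rule has something to hit.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [scchk] C:\WINDOWS\system32\scchk32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
"""

# Review heuristics as (section, predicate on the entry body, reason).
# A hit is a prompt for a human to look closer, not a malware verdict.
RULES = [
    ("O16", lambda b: b.rstrip().endswith("-"), "ActiveX (DPF) entry with no download URL"),
    ("O23", lambda b: "(file missing)" in b, "service binary is missing from disk"),
    ("O23", lambda b: "Unknown owner" in b, "service has no recorded publisher"),
    ("O2", lambda b: "(no name)" in b, "unnamed BHO; identify it by its CLSID"),
    ("O4", lambda b: any(n in b.lower() for n in WATCHLIST), "startup entry points at a file on the removal list"),
    ("O4", lambda b: "Run: [" in b and not re.match(r'^("|[A-Za-z]:\\)', b.split("] ", 1)[-1]),
     "Run entry whose target is not a full path"),
    ("O20", lambda b: True, "Winlogon Notify DLL loads at every logon; confirm its publisher"),
]

def parse_hjt(text):
    """Return (section, body) for every O-numbered entry; header lines are skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def triage(text):
    """Return (section, reason, body) for every entry that trips a rule, in log order."""
    return [(sec, why, body) for sec, body in parse_hjt(text)
            for rule_sec, test, why in RULES if sec == rule_sec and test(body)]

if __name__ == "__main__":
    for sec, why, body in triage(SAMPLE_LOG):
        print(f"[{sec}] {why}: {body}")
```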

#6 Aaflac (Malware Response Team)

Posted 03 July 2007 - 11:46 AM

:thumbsup:

The HijackThis log looks OK. No apparent malware issues.

Would like to look at the other logs a little later, and will let you know if we need to take any further actions.


Are you still having malware problems, getting pop-ups, etc.?

Old duck...


#7 Ragnarok (Topic Starter)

Posted 03 July 2007 - 11:50 AM

The popups seem to have stopped from what I have noticed. I have been browsing the web ever since I finished and nothing has popped up.

Hopefully it is taken care of now!

Thanks again.

#8 Aaflac (Malware Response Team)

Posted 03 July 2007 - 06:35 PM

Not out of the woods, yet. ComboFix is showing some undesirable files that we need to get rid of.

~~~~
Please download The Avenger by Swandog46 to the Desktop.
Click on Avenger.zip to open the file
Then, extract avenger.exe to the Desktop

Start The Avenger program by clicking on its icon on the Desktop.
Under: Script file to execute, select: Input Script Manually
Now click on the Magnifying Glass icon
It opens a new window titled: View/edit script

Copy/paste the following text (blue) into the box:

Files to delete:
C:\qkchukoe3.exe
C:\qkchukoe2.exe
C:\qkchukoe1.exe
C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\system32\odlu.dll


Click Done

Now click on the Green Light to begin the execution of the script
Answer Yes twice when prompted.

The Avenger will automatically do the following:
Restart the computer.
On reboot, it will briefly open a black command window on the Desktop, and this is normal.

After the restart, it creates a log file that opens with the results of Avenger's actions.
This log file will be located at C:\avenger.txt

~~~~
Run ComboFix once again, and then HijackThis, to obtain new logs from both of these programs.

~~~~
Please provide the following in your reply:
The C:\avenger.txt
A new ComboFix report
A new HijackThis log

Old duck...




