HijackThis log for review please

RichD Essex, UK
Hi There

I have just started working in a new bar and they have been having a few problems.

So far I have found traces of OIN, SpyShredder and Trojan BHO.BNQ. I think I have cleaned most but I would like someone to have a look at the HijackThis if they could please.

Many thanks,

Rich

Logfile of HijackThis v1.99.1
Scan saved at 6:31:30 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\java.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69D07D42-E584-C273-F141-9B2B54E5D9C8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
O2 - BHO: (no name) - {EC0AF991-8DC2-4762-B1A3-BD3BB3E965EA} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
O4 - HKLM\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\abeh.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\jsaadpbq.dll",sitypnow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
O4 - HKCU\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Update_0710_KB100205.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O20 - Winlogon Notify: fccyaxw - fccyaxw.dll (file missing)
O20 - Winlogon Notify: hggffff - hggffff.dll (file missing)
O20 - Winlogon Notify: iifcdaa - iifcdaa.dll (file missing)
O20 - Winlogon Notify: iifdbbx - iifdbbx.dll (file missing)
O20 - Winlogon Notify: iiffdab - iiffdab.dll (file missing)
O20 - Winlogon Notify: iiffgfc - iiffgfc.dll (file missing)
O20 - Winlogon Notify: mljkljk - mljkljk.dll (file missing)
O20 - Winlogon Notify: wvuturs - wvuturs.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DNS Logical Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe (file missing)

Comments

  • edited Nov 2007
    Hi Rich and welcome to Icrontic Spyware & Virus Removal

    Please download SDFix by AndyManchesta and save it to your desktop.

    Double-click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix).

    Please then reboot your computer into Safe Mode by doing the following:
    • Restart your computer.
    • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
    • Instead of Windows loading as normal, a menu with options should appear.
    • Select the first option, to run Windows in "Safe Mode", then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, please do the following:
    • Open the extracted folder and double-click RunThis.bat to start the script.
    • Type "Y" to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished", press any key to end the script and load your desktop icons.
    • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Please download the ComboFix by sUBs:

    NOTE: In the event you already have ComboFix, this is a new version that you have to download.
    • Save it to your desktop.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.

    After you have completed the above, please provide:
    Report.txt
    Combofix.txt
  • RichD Essex, UK
    edited Nov 2007
    Thanks Peku,

    Here are the logs as requested.

    ComboFix 07-11-08.3 - Runu 2007-11-14 20:18:19.1 - NTFSx86
    Running from: C:\Documents and Settings\Runu\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\Documents and Settings\All Users\Application Data.\salesmonitor
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
    C:\Program Files\outlook
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\dwuwkfua.exe
    C:\WINDOWS\system32\nqohqaly.exe
    C:\WINDOWS\system32\nugexrca.exe
    C:\WINDOWS\system32\sdr.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_OWLKLFSH
    -------\owlklfsh


    ((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
    .

    2007-11-14 20:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-14 20:05 d-------- C:\WINDOWS\ERUNT
    2007-11-11 18:30 218,112 --a------ C:\HijackThis.exe
    2007-11-11 18:27 212,843 --a------ C:\hijackthis_199.zip
    2007-11-11 17:18 d-------- C:\SmitfraudFix
    2007-11-11 17:02 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-11 16:45 1,043,074 --a------ C:\SmitfraudFix.exe
    2007-11-11 16:44 2,708 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-10 21:51 d-------- C:\Documents and Settings\Staff\Application Data\AVG7
    2007-11-06 16:26 d-------- C:\WINDOWS\system32\LogFiles
    2007-11-06 14:43 d-------- C:\Program Files\Common Files\Adobe
    2007-11-05 12:15 d-------- C:\WINDOWS\Downloaded Installations
    2007-11-05 12:15 d-------- C:\Program Files\HP
    2007-11-03 17:08 19,000 --a------ C:\Documents and Settings\Runu\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-02 12:52 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-11-02 03:00 d--h----- C:\WINDOWS\$hf_mig$
    2007-10-31 20:27 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2007-10-31 20:24 d-------- C:\WINDOWS\provisioning
    2007-10-31 20:24 d-------- C:\WINDOWS\peernet
    2007-10-31 20:19 d-------- C:\WINDOWS\ServicePackFiles
    2007-10-31 20:13 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-10-31 20:06 d-------- C:\WINDOWS\EHome
    2007-10-27 00:06 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
    2007-10-27 00:06 4,569 --------- C:\WINDOWS\system32\secupd.dat
    2007-10-26 23:47 9,600 -ra------ C:\WINDOWS\system32\BUFADPT.SYS
    2007-10-25 10:07 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
    2007-10-25 10:07 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
    2007-10-25 10:07 77,312 --a------ C:\WINDOWS\system32\browser.dll
    2007-10-25 10:07 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
    2007-10-25 10:02 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
    2007-10-25 10:00 d--h-c--- C:\WINDOWS\$xpsp1hfm$
    2007-10-25 10:00 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
    2007-10-23 19:23 d-------- C:\WINDOWS\system32\bits
    2007-10-21 19:45 d-------- C:\Documents and Settings\Runu\Application Data\AVG7
    2007-10-21 19:43 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-21 19:41 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-21 19:41 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-10-21 19:40 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
    2007-10-21 13:59 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-10-21 13:32 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
    2007-10-21 13:32 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
    2007-10-21 13:32 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2007-10-21 13:32 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
    2007-10-21 13:32 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
    2007-10-21 13:29 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-10-21 13:29 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-10-21 13:29 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-10-21 13:29 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2007-10-21 13:29 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2007-10-21 13:29 33,624 --a------ C:\WINDOWS\system32\wups.dll
    2007-10-19 18:36 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-10-19 18:11 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-10-19 18:09 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-10-19 18:08 d-------- C:\Program Files\Lavasoft
    2007-10-19 18:08 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-19 18:08 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-10-19 18:04 d-------- C:\WINDOWS\system32\ZoneLabs
    2007-10-19 18:02 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-19 18:00 d-------- C:\WINDOWS\Internet Logs
    2007-10-18 22:49 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-18 22:48 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-10-18 22:36 d-------- C:\Program Files\Google
    2007-10-18 22:22 6,505 ---hs---- C:\WINDOWS\system32\yycdd.bak1
    2007-10-18 18:46 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2007-10-18 18:46 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-10-18 18:46 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-10-18 18:46 89,088 --a------ C:\WINDOWS\system32\atl71.dll
    2007-10-16 23:31 d-------- C:\Documents and Settings\Runu\New Folder
    2007-10-16 04:20 114,130 --a------ C:\WINDOWS\system32\vcrr.exe
    2007-10-16 04:20 15 --a------ C:\WINDOWS\system32\jda.exe
    2007-10-16 03:59 114,130 --a------ C:\WINDOWS\system32\sdcrs.exe
    2007-10-16 01:20 114,131 --a------ C:\WINDOWS\system32\jxh.exe
    2007-10-15 15:45 114,130 --a------ C:\WINDOWS\system32\sdrasd.exe
    2007-10-15 15:45 114,130 --a------ C:\WINDOWS\system32\sdcd.exe
    2007-10-15 15:43 114,131 --a------ C:\WINDOWS\system32\jd.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-11 19:24 --------- d-----w C:\Documents and Settings\Runu\Application Data\U3
    2007-11-11 16:43 --------- d-----w C:\Program Files\Thomson
    2007-11-11 13:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2007-11-11 13:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-02 14:08 --------- d-----w C:\Documents and Settings\Runu\Application Data\LimeWire
    2007-11-02 14:05 --------- d-----w C:\Program Files\LimeWire
    2007-10-19 17:31 224,256 ----a-w C:\WINDOWS\kbclient39.dll
    2007-10-18 16:14 633,872 --sha-w C:\WINDOWS\system32\mlnmp.bak2
    2007-10-11 23:00 6,465 --sha-w C:\WINDOWS\system32\mlnmp.bak1
    2007-10-11 22:57 114,131 ----a-w C:\WINDOWS\system32\jsda.exe
    2007-10-10 04:50 --------- d-----w C:\Program Files\Java
    2007-10-10 04:46 --------- d-----w C:\Program Files\Common Files\Java
    2007-10-10 02:07 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2007-10-10 01:35 --------- d-----w C:\Documents and Settings\Runu\Application Data\Talkback
    2007-10-10 01:06 17,792 ----a-w C:\WINDOWS\system32\drivers\angajusx.dat
    2007-10-10 01:05 5,120 ----a-w C:\WINDOWS\system32\drivers\qtfjjoln.dat
    2007-10-10 00:24 114,130 ----a-w C:\WINDOWS\system32\sdcrd32.exe
    2007-10-09 21:32 --------- d-----w C:\Program Files\Labtec
    2007-10-09 21:32 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-10-06 20:48 --------- d-----w C:\Program Files\SpeedTouch
    2007-10-06 08:11 --------- d-----w C:\Program Files\microsoft frontpage
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\UnVudQ\oBpRxk.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D07D42-E584-C273-F141-9B2B54E5D9C8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9FE5F57-A291-4F43-AEFF-70BDCF64D74F}]
    C:\WINDOWS\System32\cewmdmf.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 08:11]
    "Java (VM) v6.2"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat" [2007-09-19 02:42]
    "Java (VM) v6.3"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat" [2007-09-27 04:06]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 23:14]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-29 16:11]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Java (VM) v6.2"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat" [2007-09-19 02:42]
    "Java (VM) v6.3"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat" [2007-09-27 04:06]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "Java (VM) v6.2"=
    "Java (VM) v6.3"=

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2005-05-07 21:25:36]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyaxw]
    fccyaxw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggffff]
    hggffff.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcdaa]
    iifcdaa.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbbx]
    iifdbbx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffdab]
    iiffdab.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffgfc]
    iiffgfc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkljk]
    mljkljk.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuturs]
    wvuturs.dll

    R0 owlklfsh;owlklfsh;C:\WINDOWS\system32\drivers\angajusx.dat
    R2 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
    S2 DNS Logical Manager;DNS Logical Manager;"C:\WINDOWS\system32\svshost.exe"

    *Newly Created Service* - OWLKLFSH

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ViewSonic Meta Enhancer 1.7]
    C:\WINDOWS\nmfcom32.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-14 20:24:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
                                                              Java (VM) v6.2 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
                                                              Java (VM) v6.3 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
                                                              HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
                                                              Java (VM) v6.2 = ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
                                                              Java (VM) v6.3 = ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
                                                              HKCU\Software\Microsoft\Windows\CurrentVersion\Run
                                                              Java (VM) v6.2 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
                                                              Java (VM) v6.3 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-14 20:31:47 - machine was rebooted
    .
    --- E O F ---



    SDFix: Version 1.114

    Run by Runu on Wed 11/14/2007 at 08:06 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix\SDFix

    Safe Mode:
    Checking Services:

    Name:
    wlmsngr

    Path:
    "C:\WINDOWS\wlmsngr.exe"

    wlmsngr - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\WMSOFT~1.EXE - Deleted
    C:\Documents and Settings\Runu\Application Data\WinTouch\wintouch.cfg - Deleted
    C:\WINDOWS\rdrive\aff.exe - Deleted
    C:\WINDOWS\rdrive\apm.exe - Deleted
    C:\WINDOWS\rdrive\rrv.exe - Deleted
    C:\WINDOWS\rdrive\system32.bat - Deleted
    C:\a.bat - Deleted
    C:\dmgr.exe - Deleted
    C:\WINDOWS\b104.exe - Deleted
    C:\WINDOWS\system32\i - Deleted
    C:\WINDOWS\Temp\removalfile.bat - Deleted


                                                              Folder C:\Documents and Settings\Runu\Application Data\WinTouch - Removed
                                                              Folder C:\Program Files\Temporary - Removed
                                                              Folder C:\Program Files\WinAble - Removed
                                                              Folder C:\WINDOWS\rdrive - Removed

                                                              Removing Temp Files...

                                                              ADS Check:

                                                              C:\WINDOWS
                                                              No streams found.

                                                              C:\WINDOWS\system32
                                                              No streams found.

                                                              C:\WINDOWS\system32\svchost.exe
                                                              No streams found.

                                                              C:\WINDOWS\system32\ntoskrnl.exe
                                                              No streams found.



                                                              Final Check:

                                                              catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                                              Rootkit scan 2007-11-14 20:11:38
                                                              Windows 5.1.2600 Service Pack 2 NTFS

                                                              scanning hidden processes ...

                                                              scanning hidden services & system hive ...

                                                              scanning hidden registry entries ...

                                                              scanning hidden files ...

                                                              scan completed successfully
                                                              hidden processes: 0
                                                              hidden services: 0
                                                              hidden files: 0


                                                              Remaining Services:
                                                              ------------------



                                                              Authorized Application Key Export:

                                                              [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
                                                              "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

                                                              [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
                                                              "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

                                                              Remaining Files:
                                                              ---------------

                                                              File Backups: - C:\SDFix\SDFix\backups\backups.zip

                                                              Files with Hidden Attributes:

                                                              Thu 11 Oct 2007 6,465 A.SH. --- "C:\WINDOWS\system32\mlnmp.bak1"
                                                              Thu 18 Oct 2007 633,872 A.SH. --- "C:\WINDOWS\system32\mlnmp.bak2"
                                                              Thu 18 Oct 2007 6,505 ..SH. --- "C:\WINDOWS\system32\yycdd.bak1"
                                                              Wed 14 Nov 2007 3,109,928 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab9217b6e5750f9481b4ee261d21b730\BIT5.tmp"
                                                              Sat 3 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT8.tmp"
                                                              Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Runu\Application Data\U3\temp\Launchpad Removal.exe"
                                                              Fri 30 Jul 2004 24,576 A..H. --- "C:\Documents and Settings\Runu\Desktop\runie\ELAN LOUNE\Phone Scripts\~WRL0001.tmp"
                                                              Fri 30 Jul 2004 25,600 A..H. --- "C:\Documents and Settings\Runu\Desktop\runie\ELAN LOUNE\Phone Scripts\~WRL0379.tmp"

                                                              Finished!

                                                              You didn't ask for it but I thought I would add a new hijackthis log too

                                                              Logfile of HijackThis v1.99.1
                                                              Scan saved at 8:39:49 PM, on 11/14/2007
                                                              Platform: Windows XP SP2 (WinNT 5.01.2600)
                                                              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                                                              Running processes:
                                                              C:\WINDOWS\System32\smss.exe
                                                              C:\WINDOWS\system32\winlogon.exe
                                                              C:\WINDOWS\system32\services.exe
                                                              C:\WINDOWS\system32\lsass.exe
                                                              C:\WINDOWS\system32\svchost.exe
                                                              C:\WINDOWS\System32\svchost.exe
                                                              C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                                                              C:\WINDOWS\Explorer.EXE
                                                              C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                                                              C:\WINDOWS\system32\spoolsv.exe
                                                              C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                                                              C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                                                              C:\WINDOWS\system32\svchost.exe
                                                              C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
                                                              C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
                                                              C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
                                                              C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
                                                              C:\Program Files\Messenger\msmsgs.exe
                                                              C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
                                                              C:\WINDOWS\system32\java.exe
                                                              C:\WINDOWS\system32\java.exe
                                                              C:\WINDOWS\system32\java.exe
                                                              C:\WINDOWS\system32\java.exe
                                                              C:\WINDOWS\system32\java.exe
                                                              C:\WINDOWS\system32\java.exe
                                                              C:\WINDOWS\system32\java.exe
                                                              C:\WINDOWS\system32\java.exe
                                                              C:\WINDOWS\System32\svchost.exe
                                                              C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                                              C:\HijackThis.exe

                                                              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
                                                              O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                                                              O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                                              O2 - BHO: (no name) - {69D07D42-E584-C273-F141-9B2B54E5D9C8} - (no file)
                                                              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                              O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
                                                              O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
                                                              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                                                              O4 - HKLM\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
                                                              O4 - HKLM\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
                                                              O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
                                                              O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
                                                              O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
                                                              O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
                                                              O4 - HKCU\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
                                                              O4 - HKCU\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
                                                              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                                                              O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
                                                              O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                                                              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                                                              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                              O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                                              O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                                              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                              O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
                                                              O20 - Winlogon Notify: fccyaxw - fccyaxw.dll (file missing)
                                                              O20 - Winlogon Notify: hggffff - hggffff.dll (file missing)
                                                              O20 - Winlogon Notify: iifcdaa - iifcdaa.dll (file missing)
                                                              O20 - Winlogon Notify: iifdbbx - iifdbbx.dll (file missing)
                                                              O20 - Winlogon Notify: iiffdab - iiffdab.dll (file missing)
                                                              O20 - Winlogon Notify: iiffgfc - iiffgfc.dll (file missing)
                                                              O20 - Winlogon Notify: mljkljk - mljkljk.dll (file missing)
                                                              O20 - Winlogon Notify: wvuturs - wvuturs.dll (file missing)
                                                              O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                                                              O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                                                              O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                                                              O23 - Service: DNS Logical Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
                                                              O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



                                                              Thanks Again

                                                              Rich
  • edited Nov 2007
    Hi Rich
    Do you know what these directories or programs are?
    C:\WINDOWS\UnVudQ\oBpRxk.vbs

    You currently are running HijackThis from here:
    C:\HijackThis.exe

    Please make a folder here:
    C:\HJT
    and place HijackThis in that folder.

    DO NOT follow the steps below until you have moved HijackThis.
    ------------------------------------------------------------------------------------------------------------------------------
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {69D07D42-E584-C273-F141-9B2B54E5D9C8} - (no file)
      O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
      O4 - HKLM\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
      O4 - HKLM\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
      O4 - HKCU\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
      O4 - HKCU\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
      O20 - Winlogon Notify: fccyaxw - fccyaxw.dll (file missing)
      O20 - Winlogon Notify: hggffff - hggffff.dll (file missing)
      O20 - Winlogon Notify: iifcdaa - iifcdaa.dll (file missing)
      O20 - Winlogon Notify: iifdbbx - iifdbbx.dll (file missing)
      O20 - Winlogon Notify: iiffdab - iiffdab.dll (file missing)
      O20 - Winlogon Notify: iiffgfc - iiffgfc.dll (file missing)
      O20 - Winlogon Notify: mljkljk - mljkljk.dll (file missing)
      O20 - Winlogon Notify: wvuturs - wvuturs.dll (file missing)
      O23 - Service: DNS Logical Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.
    ------------------------------------------------------------------------------------------------------------------------------

    Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\WINDOWS\system32\yycdd.bak1
    C:\WINDOWS\system32\vcrr.exe
    C:\WINDOWS\system32\jda.exe
    C:\WINDOWS\system32\sdcrs.exe
    C:\WINDOWS\system32\jxh.exe
    C:\WINDOWS\system32\sdrasd.exe
    C:\WINDOWS\system32\sdcd.exe
    C:\WINDOWS\system32\jd.exe
    C:\WINDOWS\kbclient39.dll
    C:\WINDOWS\system32\mlnmp.bak2
    C:\WINDOWS\system32\mlnmp.bak1
    C:\WINDOWS\system32\jsda.exe
    C:\WINDOWS\system32\drivers\angajusx.dat
    C:\WINDOWS\system32\drivers\qtfjjoln.dat
    C:\WINDOWS\system32\sdcrd32.exe
    C:\WINDOWS\System32\cewmdmf.dll

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D07D42-E584-C273-F141-9B2B54E5D9C8}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9FE5F57-A291-4F43-AEFF-70BDCF64D74F}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyaxw]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggffff]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcdaa]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbbx]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffdab]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffgfc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkljk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuturs]

    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    image

    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
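Added example (not part of the original post, and not HijackThis or ComboFix code): a short Python triage pass over HijackThis entry lines that flags the kinds of entries ticked in the list above, namely orphaned entries, Run keys that start a script, services with an unknown owner, and binaries named almost like a Windows core process. The rule names and the list of core process names are assumptions chosen for this illustration; the sample lines are copied from the log in this thread.

```python
import re

# Sample input: entry lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69D07D42-E584-C273-F141-9B2B54E5D9C8} - (no file)
O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: fccyaxw - fccyaxw.dll (file missing)
O23 - Service: DNS Logical Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O4 - ...", "R0 - ...", "O23 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# HijackThis marks entries whose target no longer exists on disk.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
# First drive-letter path in the entry that ends in an executable/script extension.
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|bat|cmd|vbs|js|sys)(?![A-Za-z0-9])', re.I
)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")
# Assumption for this example: a small list of Windows core process names.
CORE_NAMES = (
    "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
    "explorer.exe", "smss.exe", "spoolsv.exe", "csrss.exe",
)


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss names such as svshost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text):
    """Return (code, reasons, body) for every entry that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m.group("code"), m.group("body")
        reasons = []

        # Rule 1: the registry entry survives but its file is gone.
        if ORPHAN_RE.search(body):
            reasons.append("orphaned")

        pm = PATH_RE.search(body)
        base = pm.group(0).rsplit("\\", 1)[-1].lower() if pm else ""

        # Rule 2: an autostart (O4) entry that launches a script, not a binary.
        if code == "O4" and base.endswith(SCRIPT_EXT):
            reasons.append("autostart-script")

        # Rule 3: a service (O23) whose binary carries no vendor information.
        if code == "O23" and " - Unknown owner - " in body:
            reasons.append("unknown-owner")

        # Rule 4: file name one edit away from a core process name.
        if base and base not in CORE_NAMES and any(
            edit_distance(base, name) == 1 for name in CORE_NAMES
        ):
            reasons.append("lookalike-name")

        if reasons:
            findings.append((code, reasons, body))
    return findings


if __name__ == "__main__":
    for code, reasons, body in triage(SAMPLE_LOG):
        print(f"{code:<4}{','.join(reasons):<45}{body}")
```

A hit is a reason to look at the entry, not a verdict: legitimate software also leaves orphaned entries behind after an uninstall.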
  • RichDRichD Essex, UK
    edited Nov 2007
    Sorry Peku,

    I have no idea what those files are. I haven't used this computer so have no knowledge of its past use. The bar has recently changed owner so its history is a little murky!

    I will do the above tonight if I get chance. I will move HJT too but I am just curious as to why it should not be run from C:\

    Thanks for your help
  • edited Nov 2007
    Hi Rich
    That UnVudQ\oBpRxk.vbs......... we remove it later

    Put HijackThis in its own folder: C:/Hijackthis/Hijackthis.exe. This is important for the backups!

  • RichDRichD Essex, UK
    edited Nov 2007
    Hi Peku,

    Thanks, Logs attached.

    ComboFix 07-11-08.3 - Runu 2007-11-17 12:16:54.2 - NTFSx86
    Running from: C:\Documents and Settings\Runu\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Runu\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\kbclient39.dll
    C:\WINDOWS\System32\cewmdmf.dll
    C:\WINDOWS\system32\drivers\angajusx.dat
    C:\WINDOWS\system32\drivers\qtfjjoln.dat
    C:\WINDOWS\system32\jd.exe
    C:\WINDOWS\system32\jda.exe
    C:\WINDOWS\system32\jsda.exe
    C:\WINDOWS\system32\jxh.exe
    C:\WINDOWS\system32\mlnmp.bak1
    C:\WINDOWS\system32\mlnmp.bak2
    C:\WINDOWS\system32\sdcd.exe
    C:\WINDOWS\system32\sdcrd32.exe
    C:\WINDOWS\system32\sdcrs.exe
    C:\WINDOWS\system32\sdrasd.exe
    C:\WINDOWS\system32\vcrr.exe
    C:\WINDOWS\system32\yycdd.bak1
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\kbclient39.dll
    C:\WINDOWS\system32\jd.exe
    C:\WINDOWS\system32\jda.exe
    C:\WINDOWS\system32\jsda.exe
    C:\WINDOWS\system32\jxh.exe
    C:\WINDOWS\system32\mlnmp.bak1
    C:\WINDOWS\system32\mlnmp.bak2
    C:\WINDOWS\system32\sdcd.exe
    C:\WINDOWS\system32\sdcrd32.exe
    C:\WINDOWS\system32\sdcrs.exe
    C:\WINDOWS\system32\sdrasd.exe
    C:\WINDOWS\system32\vcrr.exe
    C:\WINDOWS\system32\yycdd.bak1
    C:\WINDOWS\system32\drivers\angajusx.dat . . . . failed to delete
    C:\WINDOWS\system32\drivers\qtfjjoln.dat . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_OWLKLFSH
    -------\owlklfsh


    ((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
    .

    2007-11-17 11:49 d-------- C:\HiJackThis
    2007-11-14 20:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-14 20:05 d-------- C:\WINDOWS\ERUNT
    2007-11-11 18:27 212,843 --a------ C:\hijackthis_199.zip
    2007-11-11 17:18 d-------- C:\SmitfraudFix
    2007-11-11 17:02 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-11 16:45 1,043,074 --a------ C:\SmitfraudFix.exe
    2007-11-11 16:44 2,708 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-10 21:51 d-------- C:\Documents and Settings\Staff\Application Data\AVG7
    2007-11-06 16:26 d-------- C:\WINDOWS\system32\LogFiles
    2007-11-06 14:43 d-------- C:\Program Files\Common Files\Adobe
    2007-11-05 12:15 d-------- C:\WINDOWS\Downloaded Installations
    2007-11-05 12:15 d-------- C:\Program Files\HP
    2007-11-03 17:08 19,000 --a------ C:\Documents and Settings\Runu\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-02 12:52 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-11-02 03:00 d--h----- C:\WINDOWS\$hf_mig$
    2007-10-31 20:27 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2007-10-31 20:24 d-------- C:\WINDOWS\provisioning
    2007-10-31 20:24 d-------- C:\WINDOWS\peernet
    2007-10-31 20:19 d-------- C:\WINDOWS\ServicePackFiles
    2007-10-31 20:13 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-10-31 20:06 d-------- C:\WINDOWS\EHome
    2007-10-27 00:06 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
    2007-10-27 00:06 4,569 --------- C:\WINDOWS\system32\secupd.dat
    2007-10-26 23:47 9,600 -ra------ C:\WINDOWS\system32\BUFADPT.SYS
    2007-10-25 10:07 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
    2007-10-25 10:07 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
    2007-10-25 10:07 77,312 --a------ C:\WINDOWS\system32\browser.dll
    2007-10-25 10:07 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
    2007-10-25 10:02 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
    2007-10-25 10:00 d--h-c--- C:\WINDOWS\$xpsp1hfm$
    2007-10-25 10:00 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
    2007-10-23 19:23 d-------- C:\WINDOWS\system32\bits
    2007-10-21 19:45 d-------- C:\Documents and Settings\Runu\Application Data\AVG7
    2007-10-21 19:43 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-21 19:41 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-21 19:41 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-10-21 19:40 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
    2007-10-21 13:59 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-10-21 13:32 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
    2007-10-21 13:32 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
    2007-10-21 13:32 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2007-10-21 13:32 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
    2007-10-21 13:32 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
    2007-10-21 13:29 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-10-21 13:29 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-10-21 13:29 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-10-21 13:29 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2007-10-21 13:29 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2007-10-21 13:29 33,624 --a------ C:\WINDOWS\system32\wups.dll
    2007-10-19 18:36 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-10-19 18:11 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-10-19 18:09 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-10-19 18:08 d-------- C:\Program Files\Lavasoft
    2007-10-19 18:08 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-19 18:08 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-10-19 18:04 d-------- C:\WINDOWS\system32\ZoneLabs
    2007-10-19 18:02 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-19 18:00 d-------- C:\WINDOWS\Internet Logs
    2007-10-18 22:49 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-18 22:48 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-10-18 22:36 d-------- C:\Program Files\Google
    2007-10-18 18:46 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2007-10-18 18:46 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-10-18 18:46 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-10-18 18:46 89,088 --a------ C:\WINDOWS\system32\atl71.dll

                                                              .
                                                              (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                                              .
                                                              2007-11-11 19:24 --------- d-----w C:\Documents and Settings\Runu\Application Data\U3
                                                              2007-11-11 16:43 --------- d-----w C:\Program Files\Thomson
                                                              2007-11-11 13:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
                                                              2007-11-11 13:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
                                                              2007-11-02 14:08 --------- d-----w C:\Documents and Settings\Runu\Application Data\LimeWire
                                                              2007-11-02 14:05 --------- d-----w C:\Program Files\LimeWire
                                                              2007-10-10 04:50 --------- d-----w C:\Program Files\Java
                                                              2007-10-10 04:46 --------- d-----w C:\Program Files\Common Files\Java
                                                              2007-10-10 02:07 --------- d-----w C:\Program Files\Microsoft ActiveSync
                                                              2007-10-10 01:35 --------- d-----w C:\Documents and Settings\Runu\Application Data\Talkback
                                                              2007-10-10 01:06 17,792 ----a-w C:\WINDOWS\system32\drivers\angajusx.dat
                                                              2007-10-10 01:05 5,120 ----a-w C:\WINDOWS\system32\drivers\qtfjjoln.dat
                                                              2007-10-09 21:32 --------- d-----w C:\Program Files\Labtec
                                                              2007-10-09 21:32 --------- d-----w C:\Program Files\Common Files\InstallShield
                                                              2007-10-06 20:48 --------- d-----w C:\Program Files\SpeedTouch
                                                              2007-10-06 08:11 --------- d-----w C:\Program Files\microsoft frontpage
                                                              2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
                                                              2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\UnVudQ\oBpRxk.vbs
                                                              .

                                                              ((((((((((((((((((((((((((((( snapshot@2007-11-14_20.30.57.03 )))))))))))))))))))))))))))))))))))))))))
                                                              .
                                                              - 2006-12-19 21:52:18 8,453,632 -c----w C:\WINDOWS\system32\dllcache\shell32.dll
                                                              + 2007-10-26 03:36:51 8,454,656 -c----w C:\WINDOWS\system32\dllcache\shell32.dll
                                                              - 2007-09-27 22:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
                                                              + 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
                                                              - 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
                                                              + 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
                                                              - 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
                                                              + 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
                                                              .
                                                              ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
                                                              .
                                                              .
                                                              *Note* empty entries & legit default entries are not shown

                                                              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9FE5F57-A291-4F43-AEFF-70BDCF64D74F}]
                                                              C:\WINDOWS\System32\cewmdmf.dll

                                                              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                              "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 08:11]
                                                              "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 23:14]
                                                              "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-29 16:11]
                                                              "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
                                                              "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

                                                              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                              "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
                                                              "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

                                                              C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
                                                              Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2005-05-07 21:25:36]

                                                              R0 owlklfsh;owlklfsh;C:\WINDOWS\system32\drivers\angajusx.dat
                                                              R2 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
                                                              S4 DNS Logical Manager;DNS Logical Manager;"C:\WINDOWS\system32\svshost.exe"

                                                              *Newly Created Service* - OWLKLFSH

                                                              [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ViewSonic Meta Enhancer 1.7]
                                                              C:\WINDOWS\nmfcom32.exe
                                                              .
                                                              **************************************************************************

                                                              catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                                              Rootkit scan 2007-11-17 12:23:52
                                                              Windows 5.1.2600 Service Pack 2 NTFS

                                                              scanning hidden processes ...

                                                              scanning hidden autostart entries ...

                                                              scanning hidden files ...

                                                              scan completed successfully
                                                              hidden files: 0

                                                              **************************************************************************
                                                              .
                                                              Completion time: 2007-11-17 12:27:39 - machine was rebooted
                                                              C:\ComboFix2.txt ... 2007-11-14 20:31
                                                              .
                                                              --- E O F ---

                                                              Logfile of HijackThis v1.99.1
                                                              Scan saved at 12:33:35 PM, on 11/17/2007
                                                              Platform: Windows XP SP2 (WinNT 5.01.2600)
                                                              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                                                              Running processes:
                                                              C:\WINDOWS\System32\smss.exe
                                                              C:\WINDOWS\system32\winlogon.exe
                                                              C:\WINDOWS\system32\services.exe
                                                              C:\WINDOWS\system32\lsass.exe
                                                              C:\WINDOWS\system32\svchost.exe
                                                              C:\WINDOWS\System32\svchost.exe
                                                              C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                                                              C:\WINDOWS\Explorer.EXE
                                                              C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                                                              C:\WINDOWS\system32\spoolsv.exe
                                                              C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                                                              C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                                                              C:\WINDOWS\system32\svchost.exe
                                                              C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
                                                              C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
                                                              C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
                                                              C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
                                                              C:\Program Files\Messenger\msmsgs.exe
                                                              C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
                                                              C:\WINDOWS\System32\svchost.exe
                                                              C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                                              C:\HiJackThis\HijackThis.exe

                                                              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
                                                              O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                                                              O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                                              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                              O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
                                                              O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
                                                              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                                                              O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
                                                              O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
                                                              O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
                                                              O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
                                                              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                                                              O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
                                                              O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                                                              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                                                              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                              O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                                              O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                                              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                              O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
                                                              O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                                                              O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                                                              O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                                                              O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • edited Nov 2007
    Hi Rich
    Looks much better
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
      O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.
    ------------------------------------------------------------------------------------------------------------------------

    Please visit Virustotal
    • Click the Browse... button
    • Navigate to the file C:\WINDOWS\system32\drivers\angajusx.dat
    • Click the Open button
    • Click the Send button
    • Do the same for the following File:
    • C:\WINDOWS\system32\drivers\qtfjjoln.dat
    • Copy and paste the results back here please.
    ------------------------------------------------------------------------------------------------------------------------

    Please download ATF Cleaner by Atribune.
    • Save it to your desktop
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

      If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

      If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.
    ------------------------------------------------------------------------------------------------------------------------

    Download Superantispyware (SAS) free home version
    • Install it and double-click the icon on your desktop to run it.
    • It will ask if you want to update the program definitions, click Yes.
    • Under Configuration and Preferences, click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
    • On the main screen, under Scan for Harmful Software click Scan your computer.
    • On the left check C:\Fixed Drive.
    • On the right, under Complete Scan, choose Perform Complete Scan.
    • Click Next to start the scan. Please be patient while it scans your computer.
    • After the scan is complete a summary box will appear. Click OK.
    • Make sure everything in the white box has a check next to it, then click Next.
    • It will quarantine what it found and if it asks if you want to reboot, click Yes.
    • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
    • Click close and close again to exit the program.
    So in your next reply, please include the following:
    VirusTotal results.
    SUPERAntispyware.log
    new HijackThis log

    Please let me know how your PC is now.
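The two items picked for "Fix Checked" in the reply above are the entries whose target HijackThis marks `(file missing)` or `(no file)`. The parser below is an added example, not part of the original thread: its function names are hypothetical and the sample is constructed from lines of the log posted above. It pulls out such orphaned entries and shows that `(no name)` alone does not flag an entry.

```python
import re

# Constructed sample: a few lines taken from the HijackThis log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# A log entry starts with a section code such as R0, O2 or O23, then " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Suffixes seen in this log when the registered file is gone from disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_entries(log_text):
    """Return one dict per entry line; header and process-list lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # "Logfile of ...", "Running processes:", C:\... paths, blanks
        body = match.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": match.group("code"),
            "clsid": clsid.group(0) if clsid else None,
            "unnamed": "(no name)" in body,
            "orphaned": body.endswith(ORPHAN_MARKERS),
            "line": line,
        })
    return entries


def orphaned_entries(log_text):
    """Entries whose registration remains but whose file is missing."""
    return [e for e in parse_entries(log_text) if e["orphaned"]]


if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print(entry["line"])
```

The `(no name)` Java button entry backed by `ssv.dll` is parsed but not selected, which matches the reply leaving it alone.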
  • edited Nov 2007
    Whilst we appreciate that you may be busy, it has been 5 days or more since we heard from you.

    Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, please start a new topic in the Spyware & Virus Removal Forum.

    If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
    If you are not the user who started this thread, you must start a new Thread instead :)