Unknown Trojan

Discussion in 'Windows - Virus and spyware problems' started by klubbhead, Sep 13, 2008.

  1. klubbhead (Member)

    By mistake I clicked an ActiveX download I shouldn't have and now I have a trojan. This trojan disabled my task manager so I have no idea what processes are running. I ran Norton, Adaware SE, Spybot, I went to housecall.trendmicro.com, ran Adaware Away, and I still have the problem.
    Any help on what I can do to find the trojan and erase it? Thanks!
     
  2. cdavfrew (Regular member)

    Hi klubbhead

    First, please download ComboFix.
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.



    After that, please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file.

    Rename HijackThis(.exe) to scanner(.exe).

    Next, run scanner(.exe). A window will pop up.

    • Click on the button which says Main Menu, then Do a system scan and save a logfile.
    • Please wait for the scan to be completed.
    • After the scan has completed, a text window will pop up. Please post the contents of this window here.

    This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

    NOTE: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.

    Best Regards :D
     
  3. klubbhead (Member)

    Here is the log from ComboFix:


    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.586 [GMT -4:00]
    Running from: C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Chrissy\Cookies\chrissy@ad.yieldmanager[1].txt
    C:\Documents and Settings\Chrissy\Cookies\chrissy@ad.yieldmanager[2].txt
    C:\Documents and Settings\Chrissy\Cookies\chrissy@insightexpressai[2].txt
    C:\Documents and Settings\Chrissy\Cookies\chrissy@www35.vzw[2].txt
    C:\Documents and Settings\Owner\Application Data\inst.exe
    C:\Documents and Settings\Owner\Application Data\install.dat
    C:\Documents and Settings\Owner\Cookies\owner@cmt.us.playstation[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@etology[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@myspace[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@rtm[5].txt
    C:\Documents and Settings\Owner\Cookies\owner@track.bestbuy[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@www.shareapic[2].txt
    C:\Program Files\akl
    C:\Program Files\akl\akl.dll
    C:\Program Files\akl\akl.exe
    C:\Program Files\akl\uninstall.exe
    C:\Program Files\akl\unsetup.exe
    C:\Program Files\Inet Delivery
    C:\Program Files\Inet Delivery\inetdl.exe
    C:\Program Files\Inet Delivery\intdel.exe
    C:\Program Files\seekmo
    C:\Program Files\seekmo\seekmohook.dll
    C:\Program Files\stc
    C:\Program Files\stc\csv5p070.exe
    C:\Program Files\Sysmnt
    C:\Program Files\Sysmnt\Ssmgr.exe
    C:\WINDOWS\123messenger.per
    C:\WINDOWS\180ax.exe
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\a.bat
    C:\WINDOWS\adaway.lic
    C:\WINDOWS\apphelp32.dll
    C:\WINDOWS\asferror32.dll
    C:\WINDOWS\asycfilt32.dll
    C:\WINDOWS\athprxy32.dll
    C:\WINDOWS\ati2dvaa32.dll
    C:\WINDOWS\ati2dvag32.dll
    C:\WINDOWS\audiosrv32.dll
    C:\WINDOWS\autodisc32.dll
    C:\WINDOWS\avifile32.dll
    C:\WINDOWS\avisynthex32.dll
    C:\WINDOWS\aviwrap32.dll
    C:\WINDOWS\base64.tmp
    C:\WINDOWS\bdn.com
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\browserad.dll
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\changeurl_30.dll
    C:\WINDOWS\default.htm
    C:\WINDOWS\FLEOK
    C:\WINDOWS\FLEOK\180ax.exe
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\Installer\id53.exe
    C:\WINDOWS\iTunesMusic.exe
    C:\WINDOWS\licencia.txt
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\mslagent
    C:\WINDOWS\mslagent\2_mslagent.dll
    C:\WINDOWS\mslagent\mslagent.exe
    C:\WINDOWS\mslagent\uninstall.exe
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\mssecu.exe
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\ntnut.exe
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\salm.exe
    C:\WINDOWS\shdocpe.dll
    C:\WINDOWS\shdocpl.dll
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\akttzn.exe
    C:\WINDOWS\system32\anticipator.dll
    C:\WINDOWS\system32\awtoolb.dll
    C:\WINDOWS\system32\bdn.com
    C:\WINDOWS\system32\bsva-egihsg52.exe
    C:\WINDOWS\system32\dpcproxy.exe
    C:\WINDOWS\system32\emesx.dll
    C:\WINDOWS\system32\h@tkeysh@@k.dll
    C:\WINDOWS\system32\hoproxy.dll
    C:\WINDOWS\system32\hxiwlgpm.dat
    C:\WINDOWS\system32\hxiwlgpm.exe
    C:\WINDOWS\system32\ijjlm.ini
    C:\WINDOWS\system32\ijjlm.ini2
    C:\WINDOWS\system32\medup012.dll
    C:\WINDOWS\system32\medup020.dll
    C:\WINDOWS\system32\msgp.exe
    C:\WINDOWS\system32\msixu.dll
    C:\WINDOWS\system32\msnbho.dll
    C:\WINDOWS\system32\MSNSA32.dll
    C:\WINDOWS\system32\mssecu.exe
    C:\WINDOWS\system32\msvchost.exe
    C:\WINDOWS\system32\mtr2.exe
    C:\WINDOWS\system32\mwin32.exe
    C:\WINDOWS\system32\netode.exe
    C:\WINDOWS\system32\newsd32.exe
    C:\WINDOWS\system32\ntnut32.exe
    C:\WINDOWS\system32\ps1.exe
    C:\WINDOWS\system32\psof1.exe
    C:\WINDOWS\system32\psoft1.exe
    C:\WINDOWS\system32\regc64.dll
    C:\WINDOWS\system32\regm64.dll
    C:\WINDOWS\system32\Rundl1.exe
    C:\WINDOWS\system32\shdocpe.dll
    C:\WINDOWS\system32\SIPSPI32.dll
    C:\WINDOWS\system32\smp
    C:\WINDOWS\system32\smp\msrc.exe
    C:\WINDOWS\system32\sncntr.exe
    C:\WINDOWS\system32\ssurf022.dll
    C:\WINDOWS\system32\ssvchost.com
    C:\WINDOWS\system32\ssvchost.exe
    C:\WINDOWS\system32\sysreq.exe
    C:\WINDOWS\system32\taack.dat
    C:\WINDOWS\system32\taack.exe
    C:\WINDOWS\system32\temp#01.exe
    C:\WINDOWS\system32\thun.dll
    C:\WINDOWS\system32\thun32.dll
    C:\WINDOWS\system32\VBIEWER.OCX
    C:\WINDOWS\system32\vbsys2.dll
    C:\WINDOWS\system32\vcatchpi.dll
    C:\WINDOWS\system32\wer8274.dll
    C:\WINDOWS\system32\winfrun32.bin
    C:\WINDOWS\system32\winlogonpc.exe
    C:\WINDOWS\system32\winsystem.exe
    C:\WINDOWS\system32\WINWGPX.EXE
    C:\WINDOWS\telefonos.txt
    C:\WINDOWS\textos.txt
    C:\WINDOWS\updatetc.exe
    C:\WINDOWS\userconfig9x.dll
    C:\WINDOWS\voiceip.dll
    C:\WINDOWS\winsb.dll
    C:\WINDOWS\winsystem.exe
    C:\WINDOWS\zip1.tmp
    C:\WINDOWS\zip2.tmp
    C:\WINDOWS\zip3.tmp
    C:\WINDOWS\zipped.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-15 to 2008-09-15 )))))))))))))))))))))))))))))))
    .

    2008-09-12 00:32 . 2008-09-12 00:34 <DIR> d-------- C:\Program Files\Adware Away
    2008-09-11 23:11 . 2008-09-12 00:26 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
    2008-09-11 18:28 . 2008-09-11 18:28 98,304 --a------ C:\WINDOWS\system32\gjsdyfwv.exe
    2008-09-10 11:17 . 2008-09-10 11:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wpghshwt
    2008-09-10 11:15 . 2008-09-10 11:16 <DIR> d-------- C:\Program Files\SAV
    2008-08-28 18:55 . 2008-08-28 19:16 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-15 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-09-14 08:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2008-09-12 07:16 --------- d-----w C:\Program Files\eMule
    2008-09-11 22:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-09-02 00:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\RipIt4Me
    2008-08-15 08:13 --------- d-----w C:\Program Files\DivX
    2008-08-14 06:56 --------- d-----w C:\Program Files\eRightSoft
    2008-08-14 06:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xi
    2008-08-14 06:46 --------- d-----w C:\Program Files\Xi
    2008-08-14 04:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\DVD Flick
    2008-08-13 04:41 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-08-03 05:46 --------- d-----w C:\Program Files\Moyea
    2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
    2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
    2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
    2008-07-22 06:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Moyea
    2008-07-22 06:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\FLV Extract
    2008-07-22 05:32 --------- d-----w C:\Program Files\Common Files\AVSMedia
    2008-07-22 05:32 --------- d-----w C:\Program Files\AVS4YOU
    2008-07-22 05:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVS4YOU
    2008-07-22 05:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2007-09-03 23:43 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2007-07-24 17:59 32,800 ----a-w C:\Documents and Settings\Chrissy\Application Data\GDIPFONTCACHEV1.DAT
    2007-06-10 05:43 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
    2007-03-01 04:02 81,920 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
    2006-10-28 18:58 31,743 ----a-w C:\Documents and Settings\Owner\vd.exe
    2006-10-28 18:58 29,696 ----a-w C:\Documents and Settings\Owner\drip.exe
    2006-10-28 18:58 0 ----a-w C:\Documents and Settings\Owner\dempaa.dll
    2006-09-18 19:11 33,184 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
    2008-03-16 12:30 216,064 --sh--r C:\WINDOWS\system32\nbDX.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-03-04 2904064]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-03-04 46080]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 155648]
    "SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-12 135168]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 37376]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "SoundMan"="SOUNDMAN.EXE" [2003-08-16 C:\WINDOWS\SOUNDMAN.EXE]
    "nwiz"="nwiz.exe" [2004-03-04 C:\WINDOWS\system32\nwiz.exe]
    "nForce Tray Options"="sstray.exe" [2003-09-04 C:\WINDOWS\system32\sstray.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "QuJew7Q01s"="C:\Documents and Settings\All Users\Application Data\wpghshwt\opcnifmz.exe" [2008-09-10 65536]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "vidc.3iv2"= 3ivxVfWCodec.dll
    "VIDC.HFYU"= huffyuv.dll
    "VIDC.VP31"= vp31vfw.dll
    "vidc.yv12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=


    *Newly Created Service* - CATCHME
    *Newly Created Service* - COMHOST
    *Newly Created Service* - PROCEXP90
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    BHO-{ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
    HKCU-Run-AnyDVD - C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    HKCU-Run-Steam - C:\Program Files\Steam\Steam.exe
    HKLM-Run-sys10-866305891 - C:\WINDOWS\sys10-866305891.exe
    HKLM-Run-ms065891-86630 - C:\WINDOWS\ms065891-86630.exe
    HKLM-Run-ms04305891-866 - C:\WINDOWS\ms04305891-866.exe
    HKLM-Run-CloneDVDElbyDelay - C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.hotmail.com/
    R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.di.fm/
    R1 -: HKCU-Internet Settings,ProxyOverride = localhost
    O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 -: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 -: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 -: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe

    O16 -: {BA00165E-C903-11D3-BD27-0050048A82BF} - hxxp://chat.caleris.com/netagent/objects/CustAppX.CAB
    C:\WINDOWS\Downloaded Program Files\custappx.inf
    C:\WINDOWS\Downloaded Program Files\custappx.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-15 13:48:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-15 13:50:35
    ComboFix-quarantined-files.txt 2008-09-15 17:50:31

    Pre-Run: 87,692,693,504 bytes free
    Post-Run: 87,763,103,744 bytes free

    289 --- E O F --- 2008-09-10 21:10:49
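The Reg Loading Points section of the log above also records Security Center and Windows Firewall values (AntiVirusDisableNotify, DisableMonitoring, EnableFirewall) whose settings mean alerting and the firewall are switched off, which nobody in the thread comments on. The following is an added example, not ComboFix's own code and not from this thread: it scans a REGEDIT4-style fragment in the shape ComboFix prints and reports such values so they can be rechecked after cleanup. The fixture is a constructed excerpt of that section, and TAMPER_RULES is my own assumption of which Windows XP SP2 values to watch.

```python
import re
from typing import List, Tuple, Union

# Constructed fixture: a few lines in the shape of the "Reg Loading Points"
# section of the ComboFix log above (the Security Center and firewall keys it
# lists, plus one benign Run value). Not the full log.
SAMPLE_REG_SECTION = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# (substring of the key path, value name, data that means protection is off).
# Assumed list of Windows XP SP2 Security Center / Windows Firewall values.
TAMPER_RULES = [
    ("security center", "AntiVirusDisableNotify", 1),
    ("security center", "FirewallDisableNotify", 1),
    ("security center", "UpdatesDisableNotify", 1),
    ("security center\\monitoring", "DisableMonitoring", 1),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0),
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def parse_data(data: str) -> Union[int, str]:
    """Turn REGEDIT4 dword data, or ComboFix's '0 (0x0)' rendering, into an int."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"^(\d+)\b", data)
    if m:
        return int(m.group(1))
    return data  # string data (paths etc.) is kept verbatim


def find_tampering(section: str) -> List[Tuple[str, str, Union[int, str]]]:
    """Return (key, value name, data) for every value that matches a TAMPER_RULES entry."""
    hits = []
    key = None
    for raw in section.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VAL_RE.match(line)
        if not (vm and key):
            continue
        name, value = vm.group("name"), parse_data(vm.group("data"))
        for key_part, rule_name, off_value in TAMPER_RULES:
            if key_part in key.lower() and name.lower() == rule_name.lower() and value == off_value:
                hits.append((key, name, value))
    return hits


if __name__ == "__main__":
    for key, name, value in find_tampering(SAMPLE_REG_SECTION):
        print(f"protection disabled: [{key}] {name} = {value}")
```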
     
  4. temple69 (Regular member)

    Hi you

    Download Malwarebytes' Anti-Malware and scan. Remember to update before scan!

    Scan and send the logfile here
     
  5. klubbhead (Member)

    This is the log for HiJack This

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:18:35 PM, on 9/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Documents and Settings\All Users\Application Data\wpghshwt\opcnifmz.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.di.fm/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - HKLM\..\Policies\Explorer\Run: [QuJew7Q01s] C:\Documents and Settings\All Users\Application Data\wpghshwt\opcnifmz.exe
    O4 - HKUS\S-1-5-21-930119199-483246409-1548670093-1010\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Chrissy')
    O4 - HKUS\S-1-5-21-930119199-483246409-1548670093-1010\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User 'Chrissy')
    O4 - HKUS\S-1-5-21-930119199-483246409-1548670093-1010\..\Run: [shmonhlp] C:\WINDOWS\system32\gjsdyfwv.exe (User 'Chrissy')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {BA00165E-C903-11D3-BD27-0050048A82BF} (eShare Technologies NetAgent Customer ActiveX Control) - http://chat.caleris.com/netagent/objects/CustAppX.CAB
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8605 bytes
     
  6. cdavfrew (Regular member)

    @temple69

    While I appreciate the attempt to help klubbhead, giving instructions in the middle of a thread can be disruptive and even harmful, so I would appreciate it even more if you could post your posts as "opinions" instead of instructions.


    Hey klubbhead

    Disable all security programs.

    Open Notepad and copy/paste the text in the code box below into it:

    Code:
    KILLALL::
    File::
    C:\WINDOWS\system32\gjsdyfwv.exe 
    C:\Documents and Settings\All Users\Application Data\wpghshwt\opcnifmz.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run] 
    "QuJew7Q01s"=-
    Save this as CFScript.txt in the same folder as ComboFix

    Then drag the CFScript.txt into Combo-Fix.exe.

    This will start ComboFix again. After the reboot (if it asks for one), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


    **********************************************************


    Next, please download Superantispyware Free and install it. Follow the prompts and reboot if required.

    Launch Superantispyware Free either by running C:\Program Files\SUPERANTISPYWARE.exe or right-click on the SuperAntispyware icon in your task bar (it looks like a bug) and click on Scan for Spyware, Adware, Malware...

    Configuring SuperAntispyware

    • Click on Preferences.
    • In the tab General and Startup, make sure the box Start SuperAntispyware when Windows starts is unchecked. This will prevent SuperAntispyware from starting every time, because it may interfere with other fixes that may be run.
    • Navigate to the tab Scanning Control.
    • Make sure only these boxes are checked:
    Code:
    Close browsers before scanning
    Scan for tracking cookies
    Terminate memory threats before quarantining
    Scan Alternate Data Streams
    Use Kernel Direct File Access (recommended)
    Use Kernel Direct Registry Access (recommended)
    Use Direct Disk Access (recommended)
    • Click on Close.

    Updating SuperAntispyware

    • At the main window, click on Check for Updates....
    • Wait for SuperAntispyware to be fully updated.

    Scanning Time

    • Boot into safe mode by repeatedly pressing the F8 key after you press the power button. If safe mode does not work, tell me and do the scan in normal mode.
    • Launch SuperAntispyware.
    • At the main window, click on Scan your Computer....
    • Make sure all drives (excluding CD drives) are checked, select Perform Complete Scan, and then click on Next.
    • Wait for the scan to complete, and then click on Next>. This will quarantine and remove all detected items.
    Reboot your computer.

    Post A Log

    • Launch SuperAntispyware
    • Click on Preferences
    • Navigate to the tab Statistics/Logs.
    • Choose the latest scan log, and then click on View Log....
    Copy and paste the contents of the log here in your next post.

    How's your computer doing now?

    Best Regards :D
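One way to triage a HijackThis log like the one klubbhead posted, and to see how the two files and the Policies\Explorer\Run value that cdavfrew's CFScript targets stand out from the rest: an added example that is not from this thread and not HijackThis's own code. It parses the process list and the O4 autorun entries and flags the traits those entries share (an executable under a user-writable Application Data folder, a random-looking file or folder name, loading via Policies\Explorer\Run). The sample log is a constructed excerpt of the posted one, and the heuristics in assess_path and looks_random are my own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed fixture: a handful of lines in the shape of the HijackThis v2.0.2
# log posted above (process list and O4 autorun entries). Not the full log.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\All Users\Application Data\wpghshwt\opcnifmz.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [QuJew7Q01s] C:\Documents and Settings\All Users\Application Data\wpghshwt\opcnifmz.exe
O4 - HKUS\S-1-5-21-930119199-483246409-1548670093-1010\..\Run: [shmonhlp] C:\WINDOWS\system32\gjsdyfwv.exe (User 'Chrissy')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<name>[^=]+?) = (?P<cmd>.*)$")
# First absolute path to an executable or library inside a command line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|com|bat|scr)\b', re.IGNORECASE)
# Locations any user can write to; legitimate autoruns on XP rarely live here (assumption).
WRITABLE_DIR_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    source: str      # "process" or "autorun"
    name: str        # registry value name / shortcut name ("" for processes)
    path: str
    reasons: List[str]


def looks_random(stem: str) -> bool:
    """Long, all-lowercase, almost vowel-free name such as gjsdyfwv or wpghshwt.
    Heuristic only: terse vendor abbreviations can trip it, so treat it as a triage hint."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    return sum(ch in "aeiou" for ch in stem) / len(stem) <= 0.25


def assess_path(path: str, where: str = "") -> List[str]:
    """Reasons to look closer at an executable path; an empty list means nothing stood out."""
    reasons = []
    if any(marker in path.lower() for marker in WRITABLE_DIR_MARKERS):
        reasons.append("runs from a user-writable profile directory")
    parts = path.split("\\")
    if looks_random(parts[-1].rsplit(".", 1)[0]):
        reasons.append("random-looking file name")
    if len(parts) >= 2 and looks_random(parts[-2]):
        reasons.append("random-looking parent directory")
    if "policies\\explorer\\run" in where.lower():
        reasons.append("loads via Policies\\Explorer\\Run, a key legitimate software rarely uses")
    return reasons


def analyze_hjt_log(text: str) -> List[Finding]:
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and re.match(r"^[A-Za-z]:\\", line):
            reasons = assess_path(line)
            if reasons:
                findings.append(Finding("process", "", line, reasons))
            continue
        in_processes = False  # the process list ends at the first non-path line
        m = O4_RE.match(line) or O4_LNK_RE.match(line)
        if not m:
            continue
        pm = PATH_RE.search(m.group("cmd"))
        if not pm:
            continue  # bare names such as SOUNDMAN.EXE resolve via PATH; not assessed here
        reasons = assess_path(pm.group(0), m.group("where"))
        if reasons:
            findings.append(Finding("autorun", m.group("name"), pm.group(0), reasons))
    return findings


if __name__ == "__main__":
    for f in analyze_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f.source:8} {f.name or '-':12} {f.path}\n    " + "; ".join(f.reasons))
```

Run against the full log, it singles out opcnifmz.exe (also in the process list) and gjsdyfwv.exe, the two files the CFScript removes, while the Symantec, NVIDIA and Java entries produce no reasons.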
     
