Virus/Spyware Removal

Posted on 2008-06-23
Medium Priority
Last Modified: 2013-12-06
I've just ran AVG and removed items.  Can someone please look at my hijackthis log and make see if it looks clean.  Thanks.
Question by:PCGalOfCal
  • 6
  • 6
  • 2
  • +1

Author Comment

ID: 21850736
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:17 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\iPod\bin\iPodService.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5DD4EAD8-3240-4B68-8A0E-DAA0BD661E32} - C:\DOCUME~1\Jay\Desktop\mwie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [92731671071946491856519139946260] C:\Program Files\XP Antivirus\xpa.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107841019452
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

End of file - 7615 bytes

Expert Comment

ID: 21850914
for future reference, attaching the file would be easier to read, anywho:
all process look fine (assuming you want google toolbar)

i have no idea what wormradar.com is so you might want to remove that BHO
you could remove google toolbar and yahoo tollbar if you don't want them

O4 - HKCU\..\Run: [92731671071946491856519139946260] C:\Program Files\XP Antivirus\xpa.exe

dont know what that is, might want to remove it, looks fishy.
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
same for that, look it up

everything else looks fine.  however, if you know you were infected, i would be more throught than an AVG scan and hijack this.  try running clamscan (it doesn't have an active agent so you can install with avg).  run a windows defender scan, maybe some other spyware too.

but to answer your question...in general, it looks fine.
LVL 47

Expert Comment

ID: 21851278
If XP Antivirus still active SDFix also removes it.

Download SDFix and save it to your desktop.(either one below)

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer that normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back

If you don't know this BHO also fix it.
O2 - BHO: (no name) - {5DD4EAD8-3240-4B68-8A0E-DAA0BD661E32} - C:\DOCUME~1\Jay\Desktop\mwie.dll
We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

LVL 47

Expert Comment

ID: 21851298
>>>O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
same for that, look it up<<<

The above entry is legit, part of Adobe Reader.
LVL 23

Expert Comment

ID: 21851625
"...i have no idea what wormradar.com is so you might want to remove that BHO..."

Worm radar is a legit component of AVG 8.0.

Author Comment

ID: 21851958
I'm still infected with something, it just popped up. AVG says the file name is autorun.inf (I think, it's closed now).  Originally it was XP antivirus. Anyway, I'm running sdfix and will post back.  Thanks.

Author Comment

ID: 21852147
SDFix text file

Expert Comment

ID: 21852225
i've never used sdfix before, but from what i can tell it looks ok, maybe the original poster will know more.
anyways, if you are still infected, it is best to run a pre-load scan such as avast's boot-time scanner or similar.  you could check out some of the boot CDs available such as bartPE and other bootable cds with virus scanning.
LVL 47

Expert Comment

ID: 21853984
Let's use Combofix.
download ComboFix by sUBs:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply as "Code Snippet".
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

This link tells you How to use Combofix as well as installing RC if you haven't yet.

Author Comment

ID: 21855359
ComboFix 08-06-20.4 - Jay 2008-06-24  6:07:58.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.133 [GMT -7:00]
Running from: C:\Documents and Settings\Jay\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Jay\err.log

(((((((((((((((((((((((((   Files Created from 2008-05-24 to 2008-06-24  )))))))))))))))))))))))))))))))

2008-06-23 20:04 . 2008-06-23 21:30      <DIR>      d--------      C:\Documents and Settings\Jay\.housecall6.6
2008-06-23 18:59 . 2008-06-23 18:59      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-06-23 18:40 . 2008-06-23 19:19      <DIR>      d--------      C:\SDFix
2008-06-23 13:36 . 2008-06-23 20:31      <DIR>      d--h-----      C:\$AVG8.VAULT$
2008-06-23 13:28 . 2008-06-23 13:28      96,520      --a------      C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-23 13:28 . 2008-06-23 13:28      75,272      --a------      C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-23 13:28 . 2008-06-23 13:28      10,520      --a------      C:\WINDOWS\system32\avgrsstx.dll
2008-06-23 13:27 . 2008-06-23 13:34      <DIR>      d--------      C:\WINDOWS\system32\drivers\Avg
2008-06-23 13:27 . 2008-06-23 13:27      <DIR>      d--------      C:\Program Files\AVG
2008-06-23 13:27 . 2008-06-23 14:53      <DIR>      d--------      C:\Documents and Settings\Jay\Application Data\AVGTOOLBAR
2008-06-23 13:27 . 2008-06-23 13:27      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\avg8
2008-06-22 15:55 . 2008-06-22 15:55      <DIR>      d--------      C:\Program Files\Windows Defender
2008-06-22 15:48 . 2008-06-22 15:48      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-22 15:47 . 2008-06-22 15:47      <DIR>      d--------      C:\Program Files\Common Files\Wise Installation Wizard
2008-06-22 15:45 . 2008-06-22 15:49      <DIR>      d--------      C:\Program Files\Eusing Free Registry Cleaner
2008-06-21 09:55 . 2008-06-21 09:55      <DIR>      d--h-----      C:\WINDOWS\system32\GroupPolicy
2008-06-11 03:02 . 2008-06-11 03:02      276      --a------      C:\WINDOWS\system32\MRT.INI
2008-06-10 16:53 . 2008-06-13 06:10      272,128      -----c---      C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 05:57 . 2008-06-18 18:42      124,409      -r-hs----      C:\f.bat

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-06-22 23:04      ---------      d-----w      C:\Program Files\Common Files\DriveCleaner 2006 Free
2008-06-20 23:18      ---------      d-----w      C:\Program Files\DivX
2008-06-13 13:10      272,128      ------w      C:\WINDOWS\system32\drivers\bthport.sys
2008-05-11 03:34      ---------      d-----w      C:\Program Files\Safari
2008-05-11 03:31      ---------      d-----w      C:\Program Files\Apple Software Update
2008-05-09 15:35      ---------      d-----w      C:\Documents and Settings\Jay\Application Data\AdobeUM
2008-05-08 12:28      202,752      ----a-w      C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18      1,287,680      ----a-w      C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16      826,368      ----a-w      C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12      151,583      ----a-w      C:\WINDOWS\system32\msjint40.dll
2001-11-23 04:08      712,704      ----a-r      C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DD4EAD8-3240-4B68-8A0E-DAA0BD661E32}]
2008-06-16 16:21      487936      --a------      C:\DOCUME~1\Jay\Desktop\mwie.dll

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 02:58 68856]

"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 03:15 106496]
"SiSPower"="SiSPower.dll" [2004-09-01 22:47 49152 C:\WINDOWS\system32\SiSPower.dll]
"Cmaudio"="cmicnfg.cpl,CMICtrlWnd" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:31 208952]
"IMEKRMIG6.1"="" []
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 04:39 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 04:39 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 04:39 455168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-23 13:27 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-22 11:02:24 98304]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-22 11:02:24 98304]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-11-30 14:04:48 114688]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-02-07 23:39:17 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll
"vidc.XVID"= xvid.dll

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-23 13:28]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-23 13:27]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-23 13:27]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-23 13:28]

\Shell\AutoRun\command - F:\DTSP_Launcher.exe

\Shell\AutoRun\command - F:\ek.com
\Shell\explore\Command - F:\ek.com
\Shell\open\Command - F:\ek.com

\Shell\AutoRun\command - G:\DTSP_Launcher.exe

\Shell\AutoRun\command - H:\nncu6kk.com
\Shell\explore\Command - H:\nncu6kk.com
\Shell\open\Command - H:\nncu6kk.com

\Shell\AutoRun\command - F:\nncu6kk.com
\Shell\explore\Command - F:\nncu6kk.com
\Shell\open\Command - F:\nncu6kk.com

\Shell\AutoRun\command - F:\1i.com
\Shell\explore\Command - F:\1i.com
\Shell\open\Command - F:\1i.com

\Shell\AutoRun\command - F:\cubp.bat
\Shell\explore\Command - F:\cubp.bat
\Shell\open\Command - F:\cubp.bat

Contents of the 'Scheduled Tasks' folder
"2008-06-18 02:01:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-24 08:47:31 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 06:10:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 2008-06-24  6:12:40
ComboFix-quarantined-files.txt  2008-06-24 13:12:17

Pre-Run: 25,169,117,184 bytes free
Post-Run: 25,298,223,104 bytes free

139      --- E O F ---      2008-06-21 01:46:22
LVL 47

Accepted Solution

rpggamergirl earned 2000 total points
ID: 21856302
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:

DriveCleaner 2006 Free

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DD4EAD8-3240-4B68-8A0E-DAA0BD661E32}]

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

After you've done that, runFlash_Disinfector, it
Download Flash_Disinfector.exe by sUBs.
and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future spread of infection.

Author Comment

ID: 21857118
Thank you everyone for your time and comments.
LVL 47

Expert Comment

ID: 21861985
I assume problem's been resolved.

Please uninstall combofix.
Go to Start > Run and copy and paste next command in the field:

ComboFix /u


Author Comment

ID: 21866046
I already returned pc to client.  I did delete combo fix icons from root of c and also the desktop but I did not un-install it properly. Oppps.  Shouldn't matter as long as they don't find it and run it, correct?  Thanks
LVL 47

Expert Comment

ID: 21870750
>>>as long as they don't find it and run it, correct?<<<
it's okay, don't worry about it, thanks.

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

There are many reasons malware will stay around and continue to grow as a business.  The biggest reason is the expanding customer base.  More than 40% of people who are infected with ransomware, pay the ransom.  That makes ransomware a multi-million…
Curious about the latest ransomware attack? Check out our timeline of events surrounding the spread of this new virus along with tips on how to mitigate the damage.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question