
My friend's computer was just infected with a virus that gave him the "blue screen of death", but ComboFix miraculously revived his PC. Please help clean up his computer. This post is a HJT log followed by his ComboFix log. Thank you VERY much in advance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:24 PM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Great Offers Displayer - {CE05B815-6F98-4ADD-AEB7-60BB2D4264F1} - c:\WINDOWS\bh.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Toolbox] C:\WINDOWS\system32\tqcair.exe
O4 - HKLM\..\Run: [RunAppBk] C:\windows\rsp.exe
O4 - HKLM\..\Run: [AntiVirusUpdateExe] c:\windows\rsp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIP] C:\WINDOWS\aip.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Kodak Easy Share\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZC
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
--
End of file - 8310 bytes


ComboFix 07-12-19.2 - Owner 2007-12-18 20:35:07.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.165 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner.\SecMon.sys
C:\WINDOWS\bobsaver.exe
C:\WINDOWS\bobsaver.scr
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SECURITYMONITORINGDRIVER
-------\SecurityMonitoringDriver

((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.
2007-12-18 20:16 . 2007-12-18 20:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 15:31 . 2005-09-26 18:07 18,771,968 --a------ C:\WINDOWS\system32\ALSNDMGR.CPL
2007-12-04 15:31 . 2005-09-26 18:07 3,644,800 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2007-12-04 15:31 . 2004-08-04 02:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-12-04 15:31 . 2004-08-04 02:15 140,928 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-12-04 15:31 . 2004-08-04 03:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2007-12-04 15:31 . 2005-09-26 18:07 90,112 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-12-04 15:31 . 2004-08-04 02:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-12-04 15:31 . 2004-08-04 02:08 48,640 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-12-04 15:31 . 2004-08-04 03:56 23,552 --a------ C:\WINDOWS\system32\wdmaud.drv
2007-12-04 15:31 . 2004-08-04 03:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-12-02 14:33 . 2004-08-04 14:00 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-12-02 14:33 . 2004-08-04 14:00 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2007-12-02 14:33 . 2004-08-04 14:00 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2007-12-02 14:33 . 2004-08-04 14:00 56,832 --a------ C:\WINDOWS\system32\sol.exe
2007-12-02 14:33 . 2004-08-04 14:00 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2007-11-26 13:01 . 2007-11-26 13:01 <DIR> d-------- C:\Program Files\Thomson
2007-11-26 13:01 . 2007-11-26 13:01 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-26 13:00 . 2007-11-26 13:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2007-11-25 11:07 . 2007-11-25 11:07 <DIR> d-------- C:\WINDOWS\wt
2007-11-25 10:22 . 2007-11-25 10:22 <DIR> d-------- C:\Program Files\WildTangent
2007-11-25 10:22 . 2007-11-25 10:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-23 07:48 . 2007-11-26 03:51 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 20:33 --------- d-----w C:\Program Files\Creative
2007-12-01 22:41 9,340 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-11-26 18:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-26 18:01 --------- d-----w C:\Program Files\Real
2007-11-26 18:01 --------- d-----w C:\Program Files\Common Files\Real
2007-11-26 18:01 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-26 18:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-26 18:00 --------- d-----w C:\Program Files\Viewpoint
2007-11-26 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-25 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 22:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\acccore(2)
2007-11-03 00:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-10-23 13:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE05B815-6F98-4ADD-AEB7-60BB2D4264F1}]
2006-03-21 00:35 449024 --a------ c:\WINDOWS\bh.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIP"="C:\WINDOWS\aip.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"MtdAcqu"="C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 14:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-09-18 11:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 14:00 C:\WINDOWS\system32\rundll32.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 01:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 13:26]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 15:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 17:00]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 04:34]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 13:31]
"LyraHD2TrayApp"="C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"HP Toolbox"="C:\WINDOWS\system32\tqcair.exe" [2007-02-21 18:20]
"HP Toolbox"="C:\WINDOWS\system32\tqcair.exe" [2007-02-21 18:20]
"AntiVirusUpdateExe"="c:\windows\rsp.exe" [2007-03-15 16:44]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-08-08 18:37:33]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Kodak Easy Share\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 02:47:22]
Monitor.lnk - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-07-08 17:26:23]
R1 SecurityMonitoringDriver;SecurityMonitoringDriver;C:\Documents and Settings\Owner\SecMon.sys []
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 19:17]
S3 CoachUsb;Coach Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2004-11-24 13:34]
S3 PAC207;Webcam Basic;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-04-08 10:46]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e950e41-676f-11da-bd18-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5c14241-716c-11da-af7c-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
*Newly Created Service* - SECURITYMONITORINGDRIVER
.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 12:04:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 20:40:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
C:\WINDOWS\rsp.exe [2112] 0x82517DA0
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\SecMon.sys 5120 bytes executable
C:\WINDOWS\tjAgent.exe 192512 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"RunAppBk"="C:\\windows\\rsp.exe"
.
Completion time: 2007-12-18 20:43:33 - machine was rebooted
.
2007-11-26 08:03:04 --- E O F ---

2 contributors, 1 reply. Last post by crunchie.

Can you please do the following.

===============

Go to Add/Remove programs and uninstall the following, if present:

MyWebSearch

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Scan with HijackThis and then place a check next to all the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Great Offers Displayer - {CE05B815-6F98-4ADD-AEB7-60BB2D4264F1} - c:\WINDOWS\bh.dll

O4 - HKLM\..\Run: [HP Toolbox] C:\WINDOWS\system32\tqcair.exe
O4 - HKLM\..\Run: [RunAppBk] C:\windows\rsp.exe
O4 - HKLM\..\Run: [AntiVirusUpdateExe] c:\windows\rsp.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZC


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

files...

c:\WINDOWS\bh.dll
C:\WINDOWS\system32\tqcair.exe
C:\windows\rsp.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If they are present and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode and hit Enter.

-

Reboot.

===============

After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
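As an added example (not part of the thread or crunchie's reply), here is a small Python triage that applies the same reasoning a helper uses on these logs: it parses O2/O4 lines in HijackThis format, cross-references them with the catchme hidden-process and hidden-file lines, and flags binaries registered under several autostart names, sitting directly in the Windows directory, or reported hidden. The sample lines are constructed in the shape of the logs above; the function and pattern names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis O2/O4 lines and the
# catchme hidden-process/hidden-file lines quoted in the thread above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Great Offers Displayer - {CE05B815-6F98-4ADD-AEB7-60BB2D4264F1} - c:\WINDOWS\bh.dll
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RunAppBk] C:\windows\rsp.exe
O4 - HKLM\..\Run: [AntiVirusUpdateExe] c:\windows\rsp.exe
O4 - HKCU\..\Run: [AIP] C:\WINDOWS\aip.exe
"""
CATCHME_SAMPLE = r"""
scanning hidden processes ...
C:\WINDOWS\rsp.exe [2112] 0x82517DA0
scanning hidden files ...
C:\WINDOWS\tjAgent.exe 192512 bytes executable
"""

O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr))', re.IGNORECASE)
WINROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$")   # file sitting directly in C:\WINDOWS

def target_of(cmd):
    """Normalise the first executable path in a Run command (quotes and arguments stripped)."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("path") if m else cmd.strip()).lower()

def hidden_paths(catchme_text):
    """Paths catchme printed as hidden processes or hidden files (first token of the line)."""
    return {m.group(1).lower() for m in
            (re.match(r"^([A-Za-z]:\\\S+)\s", l) for l in catchme_text.splitlines()) if m}

def triage(hjt_text, catchme_text):
    """Return {target: [reasons]} for autostart entries a helper would look at first."""
    hidden = hidden_paths(catchme_text)
    names_by_target = defaultdict(list)   # binary path -> autostart names pointing at it
    findings = defaultdict(list)
    for line in hjt_text.splitlines():
        if m := O4_RE.match(line):
            names_by_target[target_of(m.group("cmd"))].append(m.group("name"))
        elif m := O2_RE.match(line):
            if m.group("path") == "(no file)":
                findings[m.group("clsid")].append("orphaned BHO: CLSID registered but DLL missing")
            else:
                names_by_target[m.group("path").lower()].append("BHO " + m.group("name"))
    for target, names in names_by_target.items():
        if len(names) > 1:   # e.g. rsp.exe under both RunAppBk and AntiVirusUpdateExe
            findings[target].append("same binary under %d autostart names: %s" % (len(names), ", ".join(names)))
        if target in hidden:
            findings[target].append("binary reported hidden by the catchme rootkit scan")
        if WINROOT_RE.match(target):
            findings[target].append("executable placed directly in the Windows directory")
    return dict(findings)
```

Run against the real logs, the three binaries crunchie asks to delete (bh.dll, rsp.exe and the Windows-root aip.exe) surface with reasons attached, while the vendor entries under Program Files produce no finding.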
