Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Spyware controlling my computer - HELP plz!!!

Status
Not open for further replies.
Sbaugh

Sbaugh

Technical User
Joined
Feb 25, 2004
Messages
20
Location
US
I am having a heck of a time getting rid of this spyware bot that starts up at a reboot. Seems to be hiding behind Rundll32.exe - I can remove it and my search engines starts working again, but only for a short while because it starts back up. I have used the Hackthis to remove it from the registry, I have used Spybot, Ad-ware, Reg cure, Regcleaner, Norton Anti-virus, Online Trojan (a-squared). Nothing has been able to touch this one. I can't find any information on this hrouxntu.dll or xrjehsuw.dll anywhere.

I removed the hrouxntu.dll from my windows\system32 directory and now its trying to us xrjehsuw.dll - that too does not give me any hits.

its located in HKLM\Run\BMbb516eeb - C:\Windows\System32\*.dll

The xrjehsu.dll cannot be removed and I can't find ANY info on this at all and have not found a program to fix this problem yet either.

Does anyone have any suggestions at this point? I have searched the web and can usually find something, but I can't find anything anymore.

Thanks,

Scott Baugh, CSWP [pc2]
 
Sort by date Sort by votes
Download hijack this from the link below.Please do this. Click here:


to download HijackThis. Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't click fix on anything in hijack this
as most of the files are legitimate.


Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
OK here is my log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:08 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
K:\Download\Hijack Software\HijackThis.exe
C:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {826A5ED9-1316-4EFD-87F8-AA400C5D551A} - (no file)
O2 - BHO: (no name) - {A829735A-1E01-418E-9EB6-F8622E7647FA} - C:\WINDOWS\system32\opnMGyWm.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [BMbb516eeb] Rundll32.exe "C:\WINDOWS\system32\xrjehsuw.dll",s
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O15 - Trusted Zone: O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - O20 - Winlogon Notify: kHawTmLE - kHawTmLE.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDMWorks Workgroup Server - Dassault Systemes - C:\Program Files\SolidWorks (2)\PDMWorks Workgroup Server\Vault\pdmwService.exe

--
End of file - 5702 bytes

Thanks!!!

Scott Baugh, CSWP [pc2]
 
Upvote 0 Downvote
Please download
SmitfraudFix
(by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.




You should print out these instructions, or copy them to a NotePad file for
reading while in Safe Mode, because you will not be able to connect to the
Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following
:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the
    Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and
double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter"
to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the
registry?"; answer "Yes" by typing Y and press "Enter" in order to
remove the Desktop background and clean registry keys associated with the
infection.

The tool will now check if wininet.dll is infected. You may be
prompted to replace the infected file (if found); answer "Yes" by typing
Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process;
please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at
C:\rapport.txt

Warning: running option #2 on a non infected computer
will remove your Desktop background.



Download SDFix and save it to your Desktop.


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the
Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should
appear;
* Select the first option, to run Windows in Safe Mode, then press
Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start
the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds
then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the
removal process then display Finished, press any key to end the script and
load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and
also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on
the forum).
* Finally paste the contents of the Report.txt back on the forum with a
new HijackThis log

_____________________________________________________________________

NOTE: If you have downloaded ComboFix previously please delete that
version and download it again!



Download ComboFix from
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe"]Here[/URL]
or
Here
to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just
before Windows starts to load. If done right a Windows Advanced Options menu
will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a
    HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its
running. That may cause it to stall



post a new hijack this log, the combo, the smitfraud and the sdfix log!



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
you did turn off System Restore?
 
Upvote 0 Downvote
Don't turn off system restore just now, we will flush it later, best to have a restore point to go back to than nothing at all!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Well I followed the above pechenegs. I am still seeing some of the adware crap and I am still however locked out of doing a google or yahoo search. I was able to try it once and it worked in IE. I tested Mozilla and it will not search. just keeps saying in the lower left hand corner of the Browser "read IE same thing now... it will not search either, nor can I use any other search engine. Yahoo, Dogpile, excite, sites are all blocked out and I cannot enter any of them. Google comes up as its my home page, but searching does not work. I can however go to any other site I choose too.

Any other ideas what we cause my system to lock out search engine sites and this adware that will not go away.

AVG found some thing called "LOP", but I can't find a repair for that either.

Thanks,

Scott Baugh, CSWP [pc2]
 
Upvote 0 Downvote
did you run the fixes above? You need to post all the logs I requested!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Yes I did run everything I will get you the logs for each... sorry I missed that.

Thanks!

ComboFix:

ComboFix 08-04-15.1 - Scott 2008-04-15 18:07:24.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1743 [GMT -5:00]
Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\jpaoqqrv.dll
C:\WINDOWS\system32\mWyGMnpo.ini
C:\WINDOWS\system32\mWyGMnpo.ini2
C:\WINDOWS\system32\opnMGyWm.dll
C:\WINDOWS\system32\wccxwshe.dll
C:\WINDOWS\system32\xrjehsuw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-15 16:15 . 2008-04-15 16:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-15 15:46 . 2008-04-15 16:37 <DIR> d-------- C:\SDFix
2008-04-15 15:33 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-15 15:33 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-15 15:33 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-15 15:33 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-15 15:33 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-15 15:33 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-15 15:33 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-15 15:33 . 2008-04-15 15:33 2,262 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-15 13:09 . 2008-04-15 13:09 13,778 --a------ C:\Please download.docx
2008-04-15 12:38 . 2008-04-15 12:38 401,720 --a------ C:\HiJackThis.exe
2008-04-15 11:19 . 2008-04-15 11:19 921 --a------ C:\WINDOWS\QSFVExit.bat
2008-04-15 10:01 . 2008-04-15 10:01 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-14 13:25 . 2008-04-14 13:25 3,648 --a------ C:\WINDOWS\system32\ayishxjg.dll
2008-04-13 13:23 . 2008-04-13 13:23 3,648 --a------ C:\WINDOWS\system32\nwytgoox.dll
2008-04-12 13:21 . 2008-04-15 18:02 101,119 --a------ C:\WINDOWS\BMbb516eeb.xml
2008-04-12 13:21 . 2008-04-12 13:21 3,648 --a------ C:\WINDOWS\system32\wnpdoujm.dll
2008-04-12 01:13 . 2008-04-12 23:49 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\LimeWire
2008-04-05 18:03 . 2008-04-05 18:03 <DIR> d-------- C:\Program Files\ProVenture
2008-04-05 18:03 . 2008-04-05 18:03 <DIR> d-------- C:\Program Files\Common Files\MySoftware
2008-04-05 18:03 . 1995-03-03 00:00 348,160 --------- C:\WINDOWS\system32\MFC30.DLL
2008-04-05 18:03 . 1998-05-13 18:49 72,704 --a------ C:\WINDOWS\system32\odbctl32.dll
2008-04-05 18:03 . 2002-05-13 10:47 53,248 --------- C:\WINDOWS\system32\regdll.dll
2008-04-05 18:03 . 1999-07-01 22:55 46,517 --a------ C:\WINDOWS\system32\msorcl32.hlp
2008-04-05 18:03 . 1999-07-01 23:02 37,062 --a------ C:\WINDOWS\system32\odbcinst.hlp
2008-04-05 18:03 . 1999-07-01 22:55 1,731 --a------ C:\WINDOWS\system32\msorcl32.cnt
2008-04-05 18:03 . 1999-07-01 23:02 324 --a------ C:\WINDOWS\system32\odbcinst.cnt
2008-03-30 18:11 . 2008-03-30 18:15 <DIR> d-------- C:\FlexLM
2008-03-22 20:40 . 2008-04-12 23:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-22 20:40 . 2008-03-22 20:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-18 15:56 . 2008-03-18 15:56 <DIR> d-------- C:\Program Files\SolidWorks (2)
2008-03-18 07:38 . 2008-03-18 07:38 <DIR> d-------- C:\Program Files\SolidWorks08_3.1
2008-03-17 22:31 . 2008-03-18 07:39 <DIR> d-------- C:\Program Files\Common Files\Solidworks Data08
2008-03-17 22:29 . 2008-03-18 16:13 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Installation Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 17:06 --------- d-----w C:\Documents and Settings\Scott\Application Data\AVG7
2008-04-15 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-14 01:31 --------- d-----w C:\Program Files\dvdSanta
2008-04-13 04:49 --------- d-----w C:\Documents and Settings\Scott\Application Data\uTorrent
2008-04-12 06:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-12 06:13 --------- d-----w C:\Program Files\LimeWire
2008-04-11 03:34 --------- d-----w C:\Documents and Settings\Scott\Application Data\IM
2008-04-08 17:44 --------- d-----w C:\Documents and Settings\Scott\Application Data\SolidWorks
2008-04-05 23:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-05 23:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 21:01 --------- d-----w C:\Program Files\SolidWorks
2008-03-18 21:01 --------- d-----w C:\Program Files\Common Files\SolidWorks Shared
2008-03-18 21:01 --------- d-----w C:\Program Files\Common Files\eDrawings2008
2008-03-18 03:41 --------- d-----w C:\Program Files\SolidWorks08
2008-03-10 06:26 --------- d-----w C:\Documents and Settings\Scott\Application Data\U3
2008-03-10 00:45 --------- d-----w C:\Program Files\Palm
2008-03-09 00:29 --------- d-----w C:\Documents and Settings\Scott\Application Data\Arcsoft
2008-03-08 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\HotSync
2008-03-08 02:59 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2008-03-08 02:59 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2008-03-08 02:59 --------- d-----w C:\Documents and Settings\Scott\Application Data\HotSync
2008-02-29 05:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-24 05:25 --------- d-----w C:\Program Files\Common Files\AliasWavefront Shared
2008-02-24 05:15 --------- d--h--w C:\Program Files\Zero G Registry
2008-02-22 00:30 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-02-22 00:30 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-02-19 23:29 --------- d-----w C:\Program Files\Mindscape
2008-02-19 12:46 --------- d-----w C:\Program Files\QuickSFV
2008-02-19 06:55 --------- d-----w C:\Documents and Settings\Scott\Application Data\Bioshock
2008-02-16 02:43 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-02-16 02:43 --------- d-----w C:\Documents and Settings\Scott\Application Data\SystemRequirementsLab
2008-02-11 21:25 56,912 ----a-w C:\Documents and Settings\Scott\g2mdlhlpx.exe
2007-09-11 11:59 22,328 ----a-w C:\Documents and Settings\Scott\Application Data\PnkBstrK.sys
2007-01-31 03:02 251 ----a-w C:\Program Files\wt3d.ini
2006-12-20 16:14 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-10-30 10:18 56 --sh--r C:\WINDOWS\system32\E6072C46B3.sys
2005-10-30 10:18 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 08:50 139264]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2005-07-07 23:55 491520]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-24 15:46 7696384]
"nwiz"="nwiz.exe" [2006-08-24 15:46 1617920 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-24 15:46 86016 C:\WINDOWS\system32\nvmctray.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-19 02:05 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 16:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kHawTmLE]
kHawTmLE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-02-07 18:31 226992 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver 4\\Dreamweaver.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"J:\\Games\\Quake 3\\quake3.exe"=
"J:\\Games\\Area 51\\A51.exe"=
"C:\\Games\\Sierra\\FEAR\\fpupdate.exe"=
"C:\\Games\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Games\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"J:\\Program Files\\ITunes\\iTunes.exe"=
"J:\\Games\\Starcraft\\StarCraft.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Games\\Infogrames Interactive\\Civilization IV\\Civilization4.exe"=
"C:\\Games\\Infogrames Interactive\\Civilization IV\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Games\\Infogrames Interactive\\Civilization IV\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

R2 PDMWorks Workgroup Server;PDMWorks Workgroup Server;"C:\Program Files\SolidWorks (2)\PDMWorks Workgroup Server\Vault\pdmwService.exe" [2007-09-09 05:48]
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []
S4 aliasdocserver;Alias Documentation Server;"K:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "K:\Program Files\Alias\Maya6.0\docs/Wrapper.conf" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2f9e6e3-c712-11dc-9041-00123f756013}]
\Shell\AutoRun\command - G:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 03:38:31 C:\WINDOWS\Tasks\dfrg.job"
- C:\WINDOWS\system32\dfrg.msc
"2007-10-27 04:12:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-10-26 22:00:00 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-10-25 12:09:03 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-02-17 07:01:50 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2008-04-15 18:14:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\HNPsSdk.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\MRT.exe
.
**************************************************************************
.
Completion time: 2008-04-15 18:21:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 23:21:06

Pre-Run: 38,128,197,632 bytes free
Post-Run: 38,000,594,944 bytes free
.
2008-04-15 15:05:40 --- E O F ---


Hack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:03 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks (2)\PDMWorks Workgroup Server\Vault\pdmwService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\Hewlett-Packard\Smart Web

Thanks,

Scott Baugh, CSWP [pc2]
 
Upvote 0 Downvote
you need to post the whole hijakc this log!



* Copy the entire contents of the Quote Box below to Notepad.
* Name the file as CFScript.txt
* Change the Save as Type to All Files
* and Save it on the desktop


File::
C:\WINDOWS\system32\ayishxjg.dll
C:\WINDOWS\system32\nwytgoox.dll
C:\WINDOWS\BMbb516eeb.xml
C:\WINDOWS\system32\wnpdoujm.dll
C:\WINDOWS\system32\E6072C46B3.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kHawTmLE]
kHawTmLE.dll


Driver::
E6072C46B3.sys
Click to expand...

Save this as CFScript.txt, in the same location as ComboFix.exe


CFScript.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall



Download Superantispyware (SAS):



Once downloaded and installed update the defintions
and then run a full system scan quarantine what it finds!


* Double-click SUPERAntiSypware.exe and use the default settings for
installation.
* An icon will be created on your desktop. Double-click that icon to launch
the program.
* If asked to update the program definitions, click "Yes". If not, update
the definitions before scanning by selecting "Check for Updates". (If you
encounter any problems while downloading the updates, manually download and
unzip them from here.)


* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all
others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your
computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your
computer.
* After the scan is complete, a Scan Summary box will appear with
potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete".
Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware
again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.




Download AVG Anti-Spyware



* Once you have downloaded AVG Anti-spyware, locate the icon on the desktop
and double-click it to launch the set up program.
* Once the setup is complete you will need run AVG and update the definition
files.
* On the main screen select the icon "Update" then select the "Update now"
link.
* Next select the "Start Update" button, the update will start and a
progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the
screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select
"Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"


Close AVG Anti-Spyware. Anti-spyware, Do NOT run a scan yet. We will do that
later in safe mode.





* Click here to download ATF Cleaner by Atribune and save it to your
desktop.



* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know
how.




* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:





Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning
as it may interfere with the scanning process:
# Launch AVG Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on
"Complete System Scan".
# AVG will now begin the scanning process. Be patient this may take a little
time.
Once the scan is complete do the following:
# If you have any infections you will prompted, then select "Apply all
actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen
and save it to a text file on your system (make sure to remember where you
saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.




* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is
found,
click the yes button when it asks you if you want to cure it. This is only a
short scan.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
* Back at the main window, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the
files found: IPB Image
* If so, click it and then click the next icon right below and select Move
incurable as you'll see in next image:
IPB Image
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it
can't be cured. (this in case if we need samples)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose
save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will
be moved/deleted during reboot.




Post a new hijack this, the combo log, the super log, the dr web scan log and the AVg antispware log!




Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Sorry not sure what happen, but here is the rest of the hijack log.

Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O15 - Trusted Zone: O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - O20 - Winlogon Notify: kHawTmLE - kHawTmLE.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDMWorks Workgroup Server - Dassault Systemes - C:\Program Files\SolidWorks (2)\PDMWorks Workgroup Server\Vault\pdmwService.exe

--
End of file - 5500 bytes

Scott Baugh, CSWP [pc2]
 
Upvote 0 Downvote
The systems seems so much better now. I did forget to run the Combofix.exe That was the fix for the system, not to say the rest of it did not help.

Thanks for all the info on this. I would have never found the fix for this adware "HE double hockey sticks." Glad I got that behind me. I don't think a system restore would have been a good move, simply because the issue has been here for awhile I think and i never knew it. The system actually runs faster than it did in the last few months, but especially within these last few weeks. The system had gotten VERY slow.

Can you tell me what all this process fixes? Does it fix this particular issue or all recent adware problems?

Thanks so much for your help!

Scott Baugh, CSWP [pc2]
 
Upvote 0 Downvote
The fixes are to clean your computer of all the viruses you have which are quite a lot, so I urge you strongly to run all the fixes from my last post to you and post all the logs, then I can see what is left to clean!

You need to run the combo one especially as it will clean what is left and fix the registry!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2ffat
  • Locked
  • News News
Audacity is Spyware?
Replies
2
Views
673
2ffat
2ffat
Olumighty
  • Locked
  • Question Question
BIOS PASSWORD WIPE OR CLEAR ON COMPUTER LAPTOP
Replies
1
Views
550
SamBones
SamBones
shivajiboss
  • Locked
  • Question Question
I am getting a problem while opening up my windows
Replies
1
Views
705
2ffat
2ffat
Shimmy613
  • Locked
  • Question Question
Avira Free: "Your computer is not secure! A Service is not working correctly"
Replies
14
Views
1K
ChrisHirst
ChrisHirst
waikhu
  • Locked
  • Question Question
Somebody help me out, when my pc st
Replies
3
Views
400
kjv1611
kjv1611

Part and Inventory Search

Sponsor

Back
Top