WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Logfile of HijackThis. Infected with BlackWorm & other

Started by devotion , Mar 09 2006 10:26 AM

This topic is locked

79 replies to this topic

#16 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 10 March 2006 - 06:18 PM

If Spysweeper complains, let the fix procede.

Next, launch Notepad (Start>All Programs>Accessories), and copy/paste all the blue REGEDIT below to it
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\e8jmli1118.dll]

On the desktop, doubleclick fix.reg and allow it to run. Let it merge.

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\e8jmli1118.dll

Close ALL windows and browsers except HijackThis and click "Fix checked"

Delete these Files if listed:

C:\WINNT\system32\e8jmli1118.dll

Empty Recycle Bin

Restart your computer.

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

Advertisements

Register to Remove

#17 devotion

Authentic Member

Authentic Member
43 posts

Posted 10 March 2006 - 06:50 PM

Computer still slow... but start-up is fine everything appears. Internet launch always starts with a BlackWorm warning then prompts to download software I X the box and X the popup then am able to go to mail. So far no other popups.

The file did not go to Recycle Bin.
Restart computer, new log follows:

Logfile of HijackThis v1.99.1
Scan saved at 6:37:12 PM, on 3/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wupnp.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\r86u0ij9e8o.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcmsvc) - Unknown owner - C:\WINNT\system32\rpcmsvc.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe

#18 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 10 March 2006 - 07:00 PM

Close all windows and browsers.
Open HijackThis

Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINNT\system32\r86u0ij9e8o.dll

Do the same for this one:
C:\WINNT\system32\wupnp.exe

Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, proceed to Scan.
and put a check by these.

O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\r86u0ij9e8o.dll

O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe

Close ALL windows and browsers except HijackThis and click "Fix checked"

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#19 devotion

Authentic Member

Authentic Member
43 posts

Posted 10 March 2006 - 07:36 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:27:09 PM, on 3/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\p2r4lc9q1f.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcmsvc) - Unknown owner - C:\WINNT\system32\rpcmsvc.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)

#20 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 10 March 2006 - 07:48 PM

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find Windows UPnP Service (wupnp)

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

Do the same for this one:
Windows Remote Procedure Call Monitoring Service (rpcmsvc)

The service is now stopped and disabled.

Click Start-> Run and type cmd in the Open: line. Click OK.
* Type or paste in the following in bold: sc delete wupnp
* Hit Enter
* Type: Exit
* Hit Enter

Click Start-> Run and type cmd in the Open: line. Click OK.
* Type or paste in the following in bold: sc delete rpcmsvc
* Hit Enter
* Type: Exit
* Hit Enter

Close all windows and browsers.
Open HijackThis

Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINNT\system32\p2r4lc9q1f.dll

Do the same for these:
C:\WINNT\system32\wupnp.exe
C:\WINNT\system32\rpcmsvc.exe

Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, proceed to Scan.
and put a check by these.

O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\p2r4lc9q1f.dll

O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcmsvc) - Unknown owner - C:\WINNT\system32\rpcmsvc.exe

O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#21 devotion

Authentic Member

Authentic Member
43 posts

Posted 10 March 2006 - 08:24 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:14:45 PM, on 3/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\mvr4l99q1.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#22 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 10 March 2006 - 08:28 PM

Down to just one location now.

Close all windows and browsers.
Open HijackThis

Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINNT\system32\mvr4l99q1.dll

Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, proceed to Scan.
and put a check by these.

O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\mvr4l99q1.dll

Close ALL windows and browsers except HijackThis and click "Fix checked"

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#23 devotion

Authentic Member

Authentic Member
43 posts

Posted 10 March 2006 - 08:59 PM

LDTate,
Follows is last log for HJT. I have to go but will check for your reply later (about 11:00). Know you will likely be gone by then so THANKS So much for your help today. Catch you later.

Logfile of HijackThis v1.99.1
Scan saved at 8:47:19 PM, on 3/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: Reinstall - C:\WINNT\system32\gp0ul3d91.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#24 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 10 March 2006 - 09:01 PM

Close all windows and browsers.
Open HijackThis

Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINNT\system32\gp0ul3d91.dll

Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, proceed to Scan.
and put a check by these.

O20 - Winlogon Notify: Reinstall - C:\WINNT\system32\gp0ul3d91.dll

Close ALL windows and browsers except HijackThis and click "Fix checked"

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#25 devotion

Authentic Member

Authentic Member
43 posts

Posted 10 March 2006 - 11:26 PM

New log
When connecting to internet the spy communication shield has blocked access to www.ad-ware.com. This continues to appear in lower right hand side.

Logfile of HijackThis v1.99.1
Scan saved at 11:14:28 PM, on 3/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: Applets - C:\WINNT\system32\o484lelq1hqe.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Advertisements

Register to Remove

#26 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 March 2006 - 07:11 AM

Then download this program.

http://downloads.sub.../DllCompare.exe

Select Save and save it to your Desktop.

Open the program and click the "Run Locate.com" button.
Then click the "Compare" button (this will take a few minutes)
When it finishes click the "Make Log...." button.

Post the dll compare log to this thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#27 devotion

Authentic Member

Authentic Member
43 posts

Posted 11 March 2006 - 07:30 AM

Hi LDTate, Log follows, still have that error box popping up everytime I load and try to run a new program, however this one ignored the message without me doing anything and ran as you wanted. So I clicked on Ignore to make it go away. * DLLCompare Log version(1.0.0.127) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ C:\WINNT\SYSTEM32\fp8u03~1.dll Fri Mar 10 2006 11:12:14p ..S.R 233,739 228.26 K C:\WINNT\SYSTEM32\gpjsl3~1.dll Fri Mar 10 2006 11:44:18p ..S.R 237,105 231.55 K C:\WINNT\SYSTEM32\pkdgen.dll Fri Mar 10 2006 1:27:32p ..S.R 235,706 230.18 K C:\WINNT\SYSTEM32\ssim.dll Sat Mar 11 2006 7:11:28a ..S.R 233,739 228.26 K ________________________________________________ 1,044 items found: 1,044 files (4 H/S), 0 directories. Total of file sizes: 190,225,812 bytes 181.41 M Administrator Account = True --------------------End log---------------------

#28 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 March 2006 - 07:34 AM

Download Pocket Killbox version 2.0.0.175
http://www.atribune....ads/KillBox.exe
If you already have Killbox first ensure it is this version !.

Then double-click on the killbox.exe program.

Start Killbox and click on Tools->Delete Temp Files.
Then select the option labeled Delete on reboot.

Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.

When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad windows and press Control-V to paste the contents into the notepad.

C:\WINNT\SYSTEM32\fp8u03~1.dll
C:\WINNT\SYSTEM32\gpjsl3~1.dll
C:\WINNT\SYSTEM32\pkdgen.dll
C:\WINNT\SYSTEM32\ssim.dll
C:\WINNT\system32\o484lelq1hqe.dll
C:\WINNT\SYSTEM32\guard.tmp

Return to Killbox, go to the File menu and select Paste from Clipboard.

Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually

Open the program and click the "Run Locate.com" button.
Then click the "Compare" button (this will take a few minutes)
When it finishes click the "Make Log...." button.

Post the dll compare log to this thread.
Also a new HJT log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#29 devotion

Authentic Member

Authentic Member
43 posts

Posted 11 March 2006 - 08:02 AM

* DLLCompare Log version(1.0.0.127) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ C:\WINNT\SYSTEM32\jmbexec.dll Sat Mar 11 2006 7:46:10a ..S.R 233,739 228.26 K C:\WINNT\SYSTEM32\ssim.dll Sat Mar 11 2006 7:11:28a ..S.R 233,739 228.26 K ________________________________________________ 1,042 items found: 1,042 files (2 H/S), 0 directories. Total of file sizes: 189,753,001 bytes 180.96 M Administrator Account = True --------------------End log---------------------

#30 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 March 2006 - 08:05 AM

Start Killbox and click on Tools->Delete Temp Files.
Then select the option labeled Delete on reboot.

Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.

When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad windows and press Control-V to paste the contents into the notepad.

C:\WINNT\SYSTEM32\jmbexec.dll
C:\WINNT\SYSTEM32\ssim.dll

Return to Killbox, go to the File menu and select Paste from Clipboard.

Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually

Open the program and click the "Run Locate.com" button.
Then click the "Compare" button (this will take a few minutes)
When it finishes click the "Make Log...." button.

Post the dll compare log to this thread.
Also a new HJT log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

Body Background

skin color theme