[Resolved] Need to get rid of Virtumonde and Win32.TDSS.rtk.


This topic is locked. 139 replies to this topic.

#1 Neo (Silver Member, Guests, 374 posts)
Posted 09 March 2009 - 04:15 PM

Hi ;) This is a copy of my HJT log... I have Malwarebytes installed and have since tried to reinstall, but cannot get an update either way because of an unknown infection. Can you please help me with this?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:57 PM, on 3/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....erify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...arm1=seconduser
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0064A5F4-20F9-40DD-8516-C7C7B21E6882}: NameServer = 207.65.4.25 216.153.94.101
O17 - HKLM\System\CS4\Services\Tcpip\..\{0064A5F4-20F9-40DD-8516-C7C7B21E6882}: NameServer = 207.65.4.25 216.153.94.101
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6219 bytes
Best Wishes,
Neo


#2 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 11 March 2009 - 03:51 PM

Hi newbe17,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

This isn't sounding malware related, but let's do some checking.

Download Rooter.exe to your desktop

  • Then doubleclick it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here

Then

Download the diagnostic tool MGADiag and save it to your desktop.

  • Double-click on MGADiag.exe.
  • Click Run and Run again.
  • Click Continue, then Copy.
  • Paste the report in your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#3 Neo (Silver Member, Guests, 374 posts)
Posted 12 March 2009 - 01:50 AM

Hi TomK, thank you so much for your timely effort to assist me with this problem :) I thought it may be helpful for you to know that I ran a couple of scans with my Malwarebytes program even though I couldn't update it and found a trojan horse in my hosts file that it was not able to fully remove. Down below is the data you requested and once again, thank you very much for your time and effort, it is greatly appreciated.

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 2
C:\ [Fixed] - NTFS - (Total:69648 Mo/Free:1680 Mo)
D:\ [Fixed] - FAT32 - (Total:6654 Mo/Free:1480 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)
Thu 03/12/2009| 2:37

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
---------- C:\Program Files\Alwil Software\Avast4\ashServ.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
---------- C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\wdfmgr.exe
---------- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
---------- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\ALCXMNTR.EXE
---------- c:\windows\system\hpsysdrv.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
---------- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
---------- C:\Program Files\Mozilla Firefox\firefox.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!

1 - "C:\Rooter$\Rooter_1.txt" - Thu 03/12/2009| 2:37

----------------------\\ Scan completed at 2:37
Best Wishes,
Neo


#4 Neo (Silver Member, Guests, 374 posts)
Posted 12 March 2009 - 02:32 AM

Hi TomK, ran into a bit of a problem as I was unable to connect to the Microsoft site you gave to retrieve the MGADiag program. It must be because I'm using a Firefox browser and don't have Internet Explorer on my computer anymore. My wife has Explorer on her computer. Should I try to get it from hers, copy it to a disk and download it to mine? Or do you have another solution? tyvm, newbe17
Best Wishes,
Neo


#5 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 12 March 2009 - 08:06 AM

newbe17,

It's not worth it at this point. I have an idea as to the infection you have. We will just skip it for now.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop as Worknow.com.


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#6 Neo (Silver Member, Guests, 374 posts)
Posted 12 March 2009 - 11:33 AM

Hello TomK, I downloaded the ComboFix and disabled my anti-virus program and ran it and it said that the installation had corrupt files in it, and to download it again. But since you told me not to, I didn't, so here I sit, lol. newbe17
Best Wishes,
Neo


#7 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 12 March 2009 - 11:35 AM

newbe17, Good call. :thumbup: Please drag the copy you have to recycle bin. Then go ahead and download it (being sure to rename it) and try again.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#8 Neo (Silver Member, Guests, 374 posts)
Posted 12 March 2009 - 12:33 PM

Dude, you rock...
That ComboFix gave me back my Internet Explorer browser :) Here is the log file you requested.... tytytyty!!!

ComboFix 09-03-10.03 - Compaq_Owner 2009-03-12 13:04:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222.65 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Worknow.com
AV: avast! antivirus 4.8.1229 [VPS 090308-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\windows\c.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-12 13:00 . 2009-03-12 13:00 <DIR> d-------- C:\32788R22FWJFW
2009-03-12 02:36 . 2009-03-12 02:37 <DIR> d-------- C:\Rooter$
2009-03-09 23:49 . 2009-03-09 23:49 61,440 --a------ c:\windows\system32\drivers\zkfus.sys
2009-03-09 17:12 . 2009-03-09 17:12 <DIR> d-------- c:\program files\Trend Micro
2009-03-05 19:00 . 2009-03-05 19:00 <DIR> d-------- c:\windows\Speeditup Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 17:18 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 07:26 --------- d-----w c:\program files\Full Tilt Poker.Net
2009-03-10 05:29 8,704 --sha-w c:\program files\Thumbs.db
2009-03-10 04:49 108 ----a-w c:\program files\lphinlz.txt
2009-03-09 21:31 4,622 ----a-w c:\program files\startuplist.txt
2009-03-09 19:25 6,211 ----a-w c:\program files\hijackthis.log
2009-03-05 23:41 --------- d-----w c:\program files\CCleaner
2009-01-29 10:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-09-04 23:02 11,682,968 ----a-w c:\program files\setupeng.exe
2006-09-03 20:37 11,746,992 ----a-w c:\program files\antivir_workstation_win7u_en_h.exe
2006-08-25 17:23 56,742 ----a-w c:\program files\vdl.dat
2006-08-25 15:30 452,719 ----a-w c:\program files\sarman.pdf
2006-07-31 08:03 0 ----a-w c:\program files\xveiih.exe
2005-02-16 17:06 218,112 ----a-w c:\program files\HijackThis.exe
2009-01-31 20:46 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-31 20:46 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-31 20:46 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-31 20:46 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-31 20:46 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-04-16 15:52 162,155 --sha-r c:\windows\system32\jfxfwse.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-08 180269]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4918:TCP"= 4918:TCP:qgjprs

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-13 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-13 20560]
S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S2 dbthee;Center Time;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2005-05-10 20224]
S3 swxkwfr;swxkwfr;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 wsozq;wsozq;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dbthee

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
TCP: {0064A5F4-20F9-40DD-8516-C7C7B21E6882} = 207.65.4.25 216.153.94.101
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 13:05:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swxkwfr]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wsozq]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbthee]
"ServiceDll"="c:\windows\system32\jfxfwse.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(364)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-12 13:08:43
ComboFix-quarantined-files.txt 2009-03-12 18:08:39

Pre-Run: 66,108,514,304 bytes free
Post-Run: 66,138,992,640 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=,1,2,3,4,5
109 --- E O F --- 2008-06-13 23:12:36
Best Wishes,
Neo
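The ComboFix log above is read by eye in this thread: a driver whose image is a .tmp file, a service hosted by svchost.exe -k netsvcs whose ServiceDll (jfxfwse.dll) appears in the file listing with the hidden and system attributes (--sha-r), the Windows Firewall switched off with a globally open port under a random-looking name, and a mountpoints2 AutoRun command. The script below is an added example, not part of the thread and not ComboFix's own code; it automates those same checks over SAMPLE_LOG, a constructed excerpt assembled from the log lines posted above. The indicator heuristics are my own and only see what the log exposes, so a clean result from them is not a clean machine.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example (not ComboFix's code, not from the thread). SAMPLE_LOG is
a constructed excerpt assembled from the log lines posted above.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
2009-03-09 23:49 . 2009-03-09 23:49 61,440 --a------ c:\windows\system32\drivers\zkfus.sys
2009-03-10 04:49 108 ----a-w c:\program files\lphinlz.txt
2007-04-16 15:52 162,155 --sha-r c:\windows\system32\jfxfwse.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4918:TCP"= 4918:TCP:qgjprs
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-13 78416]
S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S2 dbthee;Center Time;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 swxkwfr;swxkwfr;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 wsozq;wsozq;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbthee]
"ServiceDll"="c:\windows\system32\jfxfwse.dll"
"""

# Find3M lines:       "2007-04-16 15:52 162,155 --sha-r c:\path"
# Files Created lines: "2009-03-09 23:49 . 2009-03-09 23:49 61,440 --a------ c:\path"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}.*?\s([\d,]+|-{3,})\s+([-adhrsw]+)\s+([A-Za-z]:\\\S.*)$", re.M)
# "S2 name;display;image [date size]" or "... --> resolved path [?]" when the file is gone
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$", re.M)
# The per-service ServiceDll blocks ComboFix prints after the catchme scan
SVCDLL_RE = re.compile(
    r'\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]\s*"ServiceDll"="([^"]+)"', re.I)


@dataclass
class Service:
    state: str      # ComboFix notation: R = running, S = stopped, digit = start type
    name: str
    display: str
    image: str
    missing: bool   # ComboFix appends [?] when the image file is absent


def parse_files(log):
    """Map lower-cased path -> attribute string for every file line in the log."""
    return {m.group(3).strip().lower(): m.group(2) for m in FILE_RE.finditer(log)}


def parse_services(log):
    services = []
    for m in SVC_RE.finditer(log):
        state, name, display, image = m.groups()
        missing = image.rstrip().endswith("[?]")
        image = re.sub(r"\s*\[[^\]]*\]\s*$", "", image)   # drop "[date size]" / "[?]"
        if " --> " in image:                               # "registry value --> resolved path"
            image = image.split(" --> ", 1)[1]
        services.append(Service(state, name.strip(), display.strip(), image.strip(), missing))
    return services


def triage(log):
    """Return human-readable findings for the indicators worth a second look."""
    files = parse_files(log)
    service_dlls = {n.lower(): p.lower() for n, p in SVCDLL_RE.findall(log)}
    findings = []
    for s in parse_services(log):
        img = s.image.lower()
        if img.endswith(".tmp"):
            findings.append(f"driver {s.name}: image is a temp file ({s.image})")
        elif s.missing:
            findings.append(f"driver {s.name}: image not on disk ({s.image})")
        if "svchost.exe -k" in img:
            dll = service_dlls.get(s.name.lower())
            attrs = files.get(dll, "")
            if dll and "h" in attrs:   # hidden (+system) DLL loaded into a svchost group
                findings.append(f"service {s.name} ({s.display}): svchost-hosted, "
                                f"ServiceDll {dll} is hidden ({attrs})")
    if re.search(r'"EnableFirewall"=\s*0\b', log):
        findings.append("Windows Firewall disabled in the standard profile")
    for port, name in re.findall(r'^"(\d+:(?:TCP|UDP))"=\s*\S+:(\S+)$', log, re.M):
        findings.append(f"globally open port {port} ({name})")
    for cmd in re.findall(r"^\\Shell\\AutoRun\\command - (.+)$", log, re.M):
        findings.append(f"mountpoints2 AutoRun command: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" -", finding)
```

Run against the excerpt it reports seven findings, and the svchost one is the important design choice: a service name alone (dbthee, "Center Time") proves nothing, so the check cross-references the service's ServiceDll with the file listing and only fires when the DLL carries the hidden attribute, which is exactly what separated jfxfwse.dll from the legitimate entries in this log.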


#9 Neo (Silver Member, Guests, 374 posts)
Posted 12 March 2009 - 12:37 PM

TomK, it also removed Malwarebytes :wacko: I'm guessing it was also infected and that is why it was removed... Do I need to redownload Malwarebytes? Thanks loads, newbe17
Best Wishes,
Neo




#11 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 12 March 2009 - 01:42 PM

newbe17,

Please uninstall Full Tilt poker. It comes bundled with malware. Reference
You can do this by going to your control panel then add/remove programs and uninstall the program.

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

c:\program files\xveiih.exe <===this file

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\program files\lphinlz.txt
    c:\windows\system32\jfxfwse.dll
    c:\windows\system32\01.tmp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swxkwfr]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wsozq]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbthee]
    
    Driver::
    swxkwfr
    wsozq
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then let's re-install Malwarebytes and run it.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Then

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#12 Neo (Silver Member, Guests, 374 posts)
Posted 12 March 2009 - 02:18 PM

Tom,
The page for http://virusscan.jotti.org would not display in my browser. I tried reaching it with Internet Explorer and Internet Explorer wouldn't even open up.

newbe17
Best Wishes,
Neo


#13 Neo (Silver Member, Guests, 374 posts)
Posted 12 March 2009 - 02:34 PM

TomK, howdy :) Just a quick question for you. I uninstalled Full Tilt Poker and all of its components just as you asked me to, but would like to know if PokerStars comes bundled with malware as well, because my wife and I would like to be able to play on the site together.
Best Wishes,
Neo


#14 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)
Posted 12 March 2009 - 04:43 PM

newbe17,

I would have recommended you uninstall PokerStars also. reference
I'm really not familiar with any of them but I've heard that pogo.com is clean.

If you can't get to Jotti, then try one of these:

http://www.kaspersky...anforvirus.html
http://www.virustota.../en/indexf.html
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#15 Neo (Silver Member, Guests, 374 posts)
Posted 13 March 2009 - 10:29 AM

TomK,
How are you today? Fine, I hope :) I couldn't get to the 3 sites including Jotti, so I did a search and found the file you wanted me to scan singularly and scanned it with Malwarebytes and it came up clean. I also did the quick scan you requested and found the same Trojan agent in the same place, C:\WINDOWS\hosts. Is it OK to remove Worknow.com from my PC now that we are finished using it? Down below are the logs you have requested of me, I hope you can make something out of them ;) Oh yes, and one more thing... :smack: The computer, whenever I reboot, brings up DOS, acts as if it crashed unexpectedly although I don't recall it ever doing that, and gives me 3 or 4 options of how to start Windows... I have chosen to start Windows regularly, and it works, but I haven't a clue why I get that every time I reboot :pullhair: And it's lagging the same as it always has.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/13/2009 10:57:18 AM
mbam-log-2009-03-13 (10-57-18).txt

Scan type: Quick Scan
Objects scanned: 1
Time elapsed: 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
That was a scan of the single file you wanted; next is the quick scan:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/13/2009 1:09:32 AM
mbam-log-2009-03-13 (01-09-32).txt

Scan type: Quick Scan
Objects scanned: 55355
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\hosts (Trojan.Agent) -> Delete on reboot. ( I doubt if it worked- would u like me to scan again with malwarebytes to see if it finds it again? )

Here is the new hjt log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:14 AM, on 3/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0064A5F4-20F9-40DD-8516-C7C7B21E6882}: NameServer = 207.65.4.25 216.153.94.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{0064A5F4-20F9-40DD-8516-C7C7B21E6882}: NameServer = 207.65.4.25 216.153.94.101
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4354 bytes
Best Wishes,
Neo
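The Malwarebytes quick scan above flags C:\WINDOWS\hosts as Trojan.Agent, and the thread opened with Malwarebytes being unable to update. The script below is an added example, not from the thread, showing how to audit a hosts file for the two things a hijacked one usually carries: vendor and update domains sinkholed to 127.0.0.1 or 0.0.0.0, and ordinary domains pointed at a foreign address. SAMPLE_HOSTS is constructed; the thread never shows what the flagged file contained, and WATCH_SUFFIXES is my own partial list. It also includes a check on the Tcpip\Parameters\DataBasePath registry value, because Windows only consults the hosts file in the directory that value names (by default %SystemRoot%\System32\drivers\etc), so a file sitting at C:\WINDOWS\hosts only affects name resolution if that value was changed to point there.

```python
r"""Audit a Windows hosts file for hijacked entries.

Added example, not from the thread. SAMPLE_HOSTS is constructed; the file
Malwarebytes flagged at C:\WINDOWS\hosts is never shown in the thread.
"""
import ipaddress
import re

# Constructed sample: one legitimate line plus the kinds of entries a
# hijacked hosts file carries. Not the user's file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org      # updates silently fail
0.0.0.0         update.avast.com
192.0.2.44      www.google.com            # sent to a foreign host (TEST-NET-1 address)
"""

# Domains an attacker typically blocks or redirects. Hand-picked and partial.
WATCH_SUFFIXES = ("malwarebytes.org", "avast.com", "microsoft.com",
                  "windowsupdate.com", "google.com")

# Where the resolver looks for the hosts file unless DataBasePath was changed.
DEFAULT_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"

LINE_RE = re.compile(r"^\s*(\S+)\s+([^#]+)")   # "<ip> <name> [<name> ...] [# comment]"


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m.group(1)
        for name in m.group(2).split():
            entries.append((ip, name.lower()))
    return entries


def is_local(ip):
    """Loopback (127.x) or unspecified (0.0.0.0 / ::): the host becomes unreachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or name.endswith(".localdomain"):
            continue
        watched = any(name == s or name.endswith("." + s) for s in WATCH_SUFFIXES)
        if is_local(ip) and watched:
            findings.append(f"{name} sinkholed to {ip} (blocks vendor/update traffic)")
        elif not is_local(ip):
            findings.append(f"{name} redirected to {ip} (non-local override)")
    return findings


def databasepath_redirected(value):
    """True if the Tcpip\\Parameters\\DataBasePath value (as read from the
    registry) points the resolver at a non-default directory."""
    return value.strip().rstrip("\\").lower() != DEFAULT_DATABASEPATH.lower()


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(" -", finding)
    print("DataBasePath redirected:", databasepath_redirected(r"C:\WINDOWS"))
```

Two design points: a loopback entry is only reported when the name is on the watch list, since local sinkholes for ad hosts are a legitimate use of the file, while a non-local address for any name is always reported, because the hosts file has no honest reason to map a public name to a third-party IP. Reading the live file means checking DataBasePath first and then opening the hosts file in whatever directory it names.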
