Trojan horse SHeur2.CFJO

My AVG picked this up earlier and I've been getting audio ads running in the background, with or without a browser running. Also Google links seem to redirect me to a site named 7ball which also redirects me to random search sites. Please help. Here's the hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:48 AM, on 1/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fantasysports.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\User\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\User\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 8613 bytes

Re: Trojan horse SHeur2.CFJO
Please download Cheetah-Anti-Rogue, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.

Re: Trojan horse SHeur2.CFJO
Cheetah Anti-Rogue v1.0.26
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Sun 01/10/2010 14:49:29.47


-- Known infection --



Extra message: Detection only.


EOF

Re: Trojan horse SHeur2.CFJO
Also just encountered this problem.

"Internet Explorer has encountered a problem with an add-on and needs to close.

The following add-on was running when this problem occurred:

Add-on Name: Flash10b.ocx
Company Name: Adobe Systems Incorporated
Description: Adobe Flash Player"

Not sure if this is related.

Re: Trojan horse SHeur2.CFJO

Please download Malwarebytes Anti-Malware from here.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Trojan horse SHeur2.CFJO
MalwareBytes will not open when I double click it. I already have it installed on my machine. I don't get an error message and I see the process mbam.exe running in the processes tab. I also see a lot of dwwin.exe processes running that I don't recognize. Should I try to restart in safe mode?

Re: Trojan horse SHeur2.CFJO
  1. As this infection deletes a core executable of Malwarebytes' we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link: Malwarebytes' RANDOM - EXE Download

    When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
  2. Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded in step 8. MBAM will now start and you will be at the main program screen.

Re: Trojan horse SHeur2.CFJO
Did this and got this error:

An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team.

Error code: 730 (0, 0)

Re: Trojan horse SHeur2.CFJO
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe
    cngaudit.dll
    beep.sys
    wscntfy.exe
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Trojan horse SHeur2.CFJO
SystemLook v1.0 by jpshortstuff (10.01.10)
Log created at 23:35 on 10/01/2010 by User (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [04:20 04/12/2008] [12:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 181248 bytes [21:20 11/10/2009] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [10:30 27/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll ------ 181248 bytes [12:00 04/08/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [04:20 04/12/2008] [12:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ERDNT\cache\netlogon.dll --a--- 407040 bytes [21:20 11/10/2009] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [10:29 27/08/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll ------ 407040 bytes [12:00 04/08/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [04:20 04/12/2008] [12:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ERDNT\cache\eventlog.dll --a--- 56320 bytes [21:20 11/10/2009] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [10:28 27/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll ------ 56320 bytes [12:00 04/08/2004] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

Searching for "winlogon.exe"
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c 502272 bytes [04:20 04/12/2008] [12:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ERDNT\cache\winlogon.exe --a--- 507904 bytes [21:20 11/10/2009] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------ 507904 bytes [10:30 27/08/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe ------ 507904 bytes [12:00 04/08/2004] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

Searching for "comres.dll"
C:\WINDOWS\$NtServicePackUninstall$\comres.dll -----c 792064 bytes [04:21 04/12/2008] [12:00 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310
C:\WINDOWS\ServicePackFiles\i386\comres.dll ------ 792064 bytes [10:28 27/08/2008] [00:11 14/04/2008] 1280A158C722FA95A80FB7AEBE78FA7D
C:\WINDOWS\system32\comres.dll --a--- 792064 bytes [12:00 04/08/2004] [00:11 14/04/2008] 1280A158C722FA95A80FB7AEBE78FA7D

Searching for "crypt32.dll"
C:\WINDOWS\$NtServicePackUninstall$\crypt32.dll -----c 597504 bytes [04:21 04/12/2008] [12:00 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18
C:\WINDOWS\ServicePackFiles\i386\crypt32.dll ------ 599040 bytes [10:28 27/08/2008] [00:11 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77
C:\WINDOWS\system32\crypt32.dll --a--- 599040 bytes [12:00 04/08/2004] [00:11 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77

Searching for "gpedit.dll"
No files found.

Searching for "rundll32.exe"
C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe -----c 33280 bytes [04:20 04/12/2008] [12:00 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\ServicePackFiles\i386\rundll32.exe ------ 33280 bytes [10:30 27/08/2008] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6
C:\WINDOWS\system32\rundll32.exe --a--- 33280 bytes [12:00 04/08/2004] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6

Searching for "sfc.dll"
C:\WINDOWS\$NtServicePackUninstall$\sfc.dll -----c 5120 bytes [04:20 04/12/2008] [12:00 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E
C:\WINDOWS\ERDNT\cache\sfc.dll --a--- 5120 bytes [21:20 11/10/2009] [00:12 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3
C:\WINDOWS\ServicePackFiles\i386\sfc.dll ------ 5120 bytes [10:30 27/08/2008] [00:12 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3
C:\WINDOWS\system32\sfc.dll ------ 5120 bytes [12:00 04/08/2004] [00:12 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3

Searching for "svchost.exe"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c 14336 bytes [04:20 04/12/2008] [12:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 14336 bytes [21:20 11/10/2009] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------ 14336 bytes [10:30 27/08/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe ------ 14336 bytes [12:00 04/08/2004] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

Searching for "cngaudit.dll"
No files found.

Searching for "beep.sys"
C:\WINDOWS\ERDNT\cache\beep.sys --a--- 4224 bytes [21:20 11/10/2009] [12:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\dllcache\beep.sys --a--c 4224 bytes [12:00 04/08/2004] [12:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\drivers\beep.sys ------ 4224 bytes [12:00 04/08/2004] [12:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9

Searching for "wscntfy.exe"
C:\WINDOWS\$NtServicePackUninstall$\wscntfy.exe -----c 13824 bytes [04:21 04/12/2008] [12:00 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297
C:\WINDOWS\ERDNT\cache\wscntfy.exe --a--- 13824 bytes [21:20 11/10/2009] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\ServicePackFiles\i386\wscntfy.exe ------ 13824 bytes [10:30 27/08/2008] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\system32\wscntfy.exe ------ 13824 bytes [12:00 04/08/2004] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [04:20 04/12/2008] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [10:27 27/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys --a--- 95360 bytes [20:51 11/08/2007] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
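
The SystemLook check above works by listing every copy of each system file together with its MD5, so that the copy Windows actually loads (in system32 or system32\drivers) can be compared with the service pack's copy in ServicePackFiles\i386 or the Windows File Protection copy in system32\dllcache. As an added example that is not part of this thread or of SystemLook itself, the Python script below parses that output format and returns a verdict per file. The sample input is constructed: its svchost.exe lines are copied from the log above, while in the atapi.sys block the live driver's hash has been replaced with an all-zero placeholder so that the mismatch path is exercised.

```python
import re
from collections import defaultdict

# Constructed sample in SystemLook's ":filefind" output format. The svchost.exe
# lines are copied from the log above; the atapi.sys block is modified so that
# the live driver carries a made-up MD5 (all zeros) and demonstrates a mismatch.
SAMPLE = r"""
========== filefind ==========

Searching for "svchost.exe"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c 14336 bytes [04:20 04/12/2008] [12:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------ 14336 bytes [10:30 27/08/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe ------ 14336 bytes [12:00 04/08/2004] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

Searching for "atapi.sys"
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [10:27 27/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 04/08/2004] [18:40 13/04/2008] 00000000000000000000000000000000

Searching for "gpedit.dll"
No files found.

-=End Of File=-
"""

SEARCH = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
# One result line: <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
ENTRY = re.compile(
    r'^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes '
    r'\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$'
)


def classify(path):
    """Decide how a copy is treated by where it lives:
    live      - the file Windows actually loads (system32 or system32\\drivers)
    reference - the installed service pack's copy (ServicePackFiles\\i386) or the
                Windows File Protection cache (system32\\dllcache)
    backup    - pre-service-pack / ERUNT / reinstall backups; expected to differ
    """
    p = path.lower()
    parent = p.rsplit('\\', 1)[0]
    if parent in (r'c:\windows\system32', r'c:\windows\system32\drivers'):
        return 'live'
    if '\\servicepackfiles\\i386\\' in p or '\\system32\\dllcache\\' in p:
        return 'reference'
    return 'backup'


def parse_filefind(text):
    """Group every matched result line under the file name it was searched for."""
    found = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SEARCH.match(line)
        if m:
            current = m.group('name').lower()
            found[current]  # register the name even when "No files found." follows
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            found[current].append(m.groupdict())
    return dict(found)


def check_integrity(text):
    """Verdict per file: ok, MISMATCH, missing, no-live-copy or no-reference."""
    verdicts = {}
    for name, entries in parse_filefind(text).items():
        live = [e for e in entries if classify(e['path']) == 'live']
        reference_hashes = {e['md5'].upper() for e in entries
                            if classify(e['path']) == 'reference'}
        if not entries:
            verdicts[name] = 'missing'        # not necessarily bad: see usage note
        elif not live:
            verdicts[name] = 'no-live-copy'   # only backups exist; worth a look
        elif not reference_hashes:
            verdicts[name] = 'no-reference'   # nothing trustworthy to compare with
        elif all(e['md5'].upper() in reference_hashes for e in live):
            verdicts[name] = 'ok'
        else:
            verdicts[name] = 'MISMATCH'       # live copy differs from the SP copy
    return verdicts


if __name__ == '__main__':
    for name, verdict in check_integrity(SAMPLE).items():
        print(f'{name:14} {verdict}')
```

Run over the log above, every live copy's MD5 matches its ServicePackFiles\i386 or dllcache copy, which is what a clean set of these files looks like on an SP3 install; gpedit.dll and cngaudit.dll come back as missing, and absence alone is not a finding, since not every Windows edition ships those files. A mismatch is a lead rather than a conviction: a hotfix installed after the service pack updates the file in system32 without touching ServicePackFiles, so pair the hash comparison with the file's version information and timestamps before treating it as patched.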

Re: Trojan horse SHeur2.CFJO
Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)

Code:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000004

Save this as fix.reg. Choose to "Save type as - All Files".
It should look like this: [screenshot]
Double click on fix.reg & allow it to merge into the registry.

Then try to run Malwarebytes again.

Re: Trojan horse SHeur2.CFJO
Did this and it still won't let me run Malwarebytes from mbam.exe. I get the same error when I try to run it from the random file extension.

Re: Trojan horse SHeur2.CFJO
Please download RootRepeal from GooglePages.com.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
    [screenshot]
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    [screenshot]
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).

Re: Trojan horse SHeur2.CFJO
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/11 19:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED6CC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8E18000 Size: 8192 File Visible: No Signed: -
Status: -

Name: H8SRTevpwmyxilr.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTevpwmyxilr.sys
Address: 0xED8ED000 Size: 118784 File Visible: - Signed: -
Status: hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF8A94000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\H8SRTdqvspxownr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtkrl32mainweq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtshsyst.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTubpetyxtvn.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTugavbwwbpq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTvnvjbivbyp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTwlnsdpqxmk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\H8SRT6e60.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\H8SRT7420.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\H8SRT7922.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTevpwmyxilr.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\temp\H8SRT40d5.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\7ZNXGH91\user@forums.rotoworld[1].txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\7ZNXGH91\user@forums.rotoworld[1].txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\7ZNXGH91\av-15327[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\7ZNXGH91\av-16805[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\JET28O22\av-6843[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\JET28O22\c=153%7Crand=224096364%7Cpv=y%7Cint=rotoworld%20%7Crt=ifr[1].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\JET28O22\roto_mbrd;!category=roto;!category=noopapd;site=roto;sect=mbrd;dcopt=ist;sz=728x90;pos=1;tile=1;ord=99155[1]
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\LUI84A7O\r[9].js
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: services.exe (PID: 768) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: lsass.exe (PID: 780) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: Ati2evxx.exe (PID: 944) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: svchost.exe (PID: 960) Address: 0x008a0000 Size: 36864

Object: hidden Module [Name: H8SRTwlnsdpqxmk.dll]
Process: svchost.exe (PID: 960) Address: 0x00940000 Size: 65536

Object: hidden Module [Name: H8SRTubpetyxtvn.dll]
Process: svchost.exe (PID: 960) Address: 0x00cb0000 Size: 69632

Object: hidden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 960) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1084) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1180) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1224) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1496) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: Explorer.EXE (PID: 1544) Address: 0x00c40000 Size: 36864

Object: hidden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: Explorer.EXE (PID: 1544) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1620) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: AAWService.exe (PID: 1856) Address: 0x00a10000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: ctfmon.exe (PID: 1932) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: spoolsv.exe (PID: 1972) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1508) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: AppleMobileDeviceService.exe (PID: 1576) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: jqs.exe (PID: 168) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: pg_ctl.exe (PID: 1896) Address: 0x00b60000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: HPZipm12.exe (PID: 332) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: SMAgent.exe (PID: 428) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 464) Address: 0x01160000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: TomTomHOMEService.exe (PID: 484) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 1264) Address: 0x01160000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 1536) Address: 0x01160000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 1424) Address: 0x01160000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 1660) Address: 0x01160000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 1684) Address: 0x01160000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: unsecapp.exe (PID: 224) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: alg.exe (PID: 2056) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: wmiprvse.exe (PID: 2152) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: SynTPEnh.exe (PID: 2436) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: SMax4PNP.exe (PID: 2464) Address: 0x00bc0000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: AGRSMMSG.exe (PID: 2676) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: HPWuSchd2.exe (PID: 2876) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: AAWTray.exe (PID: 2940) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: avgtray.exe (PID: 2952) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: jusched.exe (PID: 3016) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: GoogleToolbarNotifier.exe (PID: 3064) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: TomTomHOMERunner.exe (PID: 3072) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: wuauclt.exe (PID: 3152) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRT7922.tmpbwwbpq.dll]
Process: iexplore.exe (PID: 3892) Address: 0x00d70000 Size: 151552

Object: hidden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: iexplore.exe (PID: 3892) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: gtb6.tmp.exe (PID: 472) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTugavbwwbpq.dll]
Process: iexplore.exe (PID: 840) Address: 0x00d70000 Size: 151552

Object: hidden Module [Name: H8SRTubpetyxtvn.dll]
Process: iexplore.exe (PID: 840) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3232) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3084) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2872) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3520) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3112) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1456) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3212) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 260) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3392) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3496) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2852) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4072) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3100) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2700) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2388) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3276) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1052) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2956) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2112) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3740) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2828) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 644) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1412) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1524) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2548) Address: 0x10000000 Size: 36864
Process: dwwin.exe (PID: 2548) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1984) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1388) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2500) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 836) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 972) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: RootRepeal.exe (PID: 1376) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3216) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3008) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2976) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3264) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4436) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4644) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 5144) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 5328) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 5732) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 5980) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1420) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4260) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4468) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4884) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTugavbwwbpq.dll]
Process: Iexplore.exe (PID: 4712) Address: 0x00d70000 Size: 151552

Object: hȋdden Module [Name: H8SRTubpetyxtvn.dll]
Process: Iexplore.exe (PID: 4712) Address: 0x10000000 Size: 69632

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4768) Address: 0x10000000 Size: 36864

hȋdden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTevpwmyxilr.sys

==EOF==

Re: Trojan horse SHeur2.CFJO

Pretty bad rootkit infection there.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

==

Please open SystemLook.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    *H8SRT*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Post both the SystemLook and ComboFix logs, please.
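As an added illustration of what the helper is reading off the RootRepeal log above (not code from the thread or from RootRepeal), this small Python parser pulls the hidden-module and hidden-service entries out of that report format and flags the pattern at issue: one driver-backed DLL with the same `H8SRT` name prefix injected into many processes, the same prefix the SystemLook `:filefind *H8SRT*` search targets. The sample report is a constructed excerpt of the log above, and the prefix and the three-process threshold are my own assumptions, not RootRepeal's logic.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal report format quoted in the thread
# (names are the thread's; the plain ASCII word "hidden" is assumed).
SAMPLE_REPORT = """\
Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: avgtray.exe (PID: 2952) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: jusched.exe (PID: 3016) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRT7922.tmpbwwbpq.dll]
Process: iexplore.exe (PID: 3892) Address: 0x00d70000 Size: 151552

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3232) Address: 0x10000000 Size: 36864

hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\H8SRTevpwmyxilr.sys
"""

MODULE_RE = re.compile(r"Object: hidden Module \[Name: (?P<name>[^\]]+)\]\s+"
                       r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)")
SERVICE_RE = re.compile(r"Service Name: (?P<svc>\S+)\s+Image Path: (?P<path>.+)")


def parse_report(text):
    """Map each hidden module to the set of (process, pid) it was found in,
    and list every hidden service as (service name, image path)."""
    modules = defaultdict(set)
    for m in MODULE_RE.finditer(text):
        modules[m["name"]].add((m["proc"], int(m["pid"])))
    services = [(m["svc"], m["path"].strip()) for m in SERVICE_RE.finditer(text)]
    return dict(modules), services


def triage(text, prefix="H8SRT", min_hosts=3):
    """Flag hidden modules carrying the rootkit's filename prefix that sit in
    several processes, plus any hidden driver service with the same prefix.
    The prefix and threshold are assumptions chosen for this log."""
    modules, services = parse_report(text)
    findings = []
    for name, hosts in modules.items():
        if name.startswith(prefix) and len(hosts) >= min_hosts:
            findings.append(f"{name} injected into {len(hosts)} processes")
    for svc, path in services:
        if prefix in svc or prefix in path:
            findings.append(f"hidden driver service {svc} -> {path}")
    return findings
```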
