
Thread: NEED HELP ASAP, keep getting popups etc, this damn ware sucks..

  #11 - Emeritus-Security Expert (Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208)

    Vundo appears to be gone from your log. Are you still getting popups?

    Here's the scoop on Paltalk; it's your option whether to remove it or not.
    http://www.superadblocker.com/definition/palstart/
    C:\Program Files\Paltalk Messenger <-- you can uninstall it via Add/Remove Programs in the Control Panel.


    Open HijackThis > Do a System Scan Only. Close your browser and all open windows (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
    O4 - Startup: TA_Start.lnk = ?
    O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm



    • Your Java is out of date and leaving your system vulnerable.
    • Go to Add/Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment).
    • It should have an icon next to it:

      Select it and click Remove.
    • Reboot your system.
    • Then go to Sun Microsystems and install the update.
    • Java Runtime Environment Version 6 Update 2 <-- This is what you need to download and install.
    • If you chose the online installation, it will prompt you to run the program.
    • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
    • Then, after installing, you can verify your installation here: Sun Java Verify.
    I like to do the offline installation and save the setup file in case I need it in the future.

    Were you able to run ComboFix? The rest of your log looks fine.

  #12 - Member (Join Date: Sep 2007 | Posts: 67)

    Thanks so much for all your help, no popups so far.
    I just ran ComboFix; while it was running, Norton said it found a virus, something like windows/154.exe then 157 etc., but said it deleted them.

    Here's the ComboFix log, will post new HJT log next.

    ComboFix 07-09-21.2 - "Owner" 2007-09-23 22:59:06.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.183 [GMT -7:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\1.exe
    C:\check_LSA7.txt
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
    C:\DOCUME~1\DEFAUL~1\err.log
    C:\DOCUME~1\Owner\APPLIC~1\STEM~1
    C:\DOCUME~1\Owner\APPLIC~1\WinTouch
    C:\DOCUME~1\Owner\APPLIC~1\WinTouch\wintouch.cfg
    C:\DOCUME~1\Owner\err.log
    C:\DOCUME~1\Owner\MYDOCU~1\ECURIT~1
    C:\DOCUME~1\Owner\MYDOCU~1\ECURIT~1\n?pdb.exe
    C:\Program Files\icroso~1
    C:\Program Files\icroso~1\?icrosoft\
    C:\Program Files\inetget2
    C:\Program Files\Insider
    C:\Program Files\Insider\Insider.exe
    C:\Program Files\Insider\UnInstall.exe
    C:\Program Files\ISM
    C:\Program Files\ISM\srvupd.exe
    C:\Program Files\ISM\targets.gz
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\web buying
    C:\Program Files\web buying\v1.8.3\wbuninst.exe
    C:\Program Files\WinAble
    C:\Program Files\WinAble\UnInstall.exe
    C:\sstray.exe
    C:\svhost.exe
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\fse
    C:\Temp\fse\tmpZTF.log
    C:\tskmgr.exe
    C:\WINDOWS\1.exe
    C:\WINDOWS\b122.exe
    C:\WINDOWS\b143.exe
    C:\WINDOWS\b147.exe
    C:\WINDOWS\b148.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\IA
    D:\Autorun.inf
    f:\autorun.inf . . . . failed to delete

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-24 to 2007-09-24 )))))))))))))))))))))))))))))))
    .

    2007-09-23 17:54 <DIR> d-------- C:\Program Files\SymNetDrv
    2007-09-23 17:36 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
    2007-09-23 17:36 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
    2007-09-23 17:34 32,256 --a--c--- C:\WINDOWS\system32\dllcache\msgsvc.dll
    2007-09-23 17:34 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
    2007-09-23 17:20 <DIR> d---s---- C:\DOCUME~1\DEFAUL~1\UserData
    2007-09-23 17:20 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Shared
    2007-09-23 17:20 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Incomplete
    2007-09-23 17:20 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Contacts
    2007-09-23 15:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-22 20:49 <DIR> d-------- C:\WINDOWS\provisioning
    2007-09-22 20:49 <DIR> d-------- C:\WINDOWS\peernet
    2007-09-22 20:46 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2007-09-22 20:35 <DIR> d-------- C:\WINDOWS\EHome
    2007-09-22 14:20 <DIR> d-------- C:\Program Files\Trend Micro
    2007-09-21 22:52 <DIR> d-------- C:\Program Files\Yahoo!
    2007-09-21 22:51 <DIR> d-------- C:\Program Files\CCleaner
    2007-09-21 22:37 <DIR> d-------- C:\VundoFix Backups
    2007-09-20 09:13 425,480 --a------ C:\sysowyo.exe
    2007-09-20 09:13 425,480 --a------ C:\sysnkqy.exe
    2007-09-20 03:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-09-20 01:07 425,480 --a------ C:\sysydta.exe
    2007-09-19 19:15 <DIR> d-------- C:\Program Files\McAfee.com
    2007-09-19 19:14 <DIR> d-------- C:\Program Files\McAfee
    2007-09-19 19:14 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2007-09-19 18:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
    2007-09-19 18:40 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-09-19 18:10 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-09-19 18:10 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PC Tools
    2007-09-19 16:46 425,480 --a------ C:\sysysnk.exe
    2007-09-19 16:46 425,480 --a------ C:\sysgqfg.exe
    2007-09-19 15:33 <DIR> d-------- C:\Program Files\Lavasoft
    2007-09-19 15:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-09-18 06:20 281 --a------ C:\ernmwr3w.exe
    2007-09-15 18:23 <DIR> d-------- C:\WINDOWS\uzzf
    2007-09-15 18:23 <DIR> d-------- C:\Program Files\Common Files\uzzf
    2007-09-13 10:33 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-23 17:54 --------- d-------- C:\Program Files\Symantec
    2007-09-23 17:53 --------- d-------- C:\Program Files\Common Files\Symantec Shared
    2007-09-23 17:36 3994 -rahs---- C:\WINDOWS\system32\drivers\HP_DT158A-ABA A445C_YC_Pavi_QMXR419_E41NAheBLU4_4_IKamet2_SASUSTek Computer INC._V2.01_B3.07_T040119_WXH1_L409_M448_J160_7AMD_8Athlon XP 3000+_92.16_111063044_N11063065_P_Z11C1044C_K_A11063059_U11063038_G11067205_O_DILO5611.MRK
    2007-09-22 23:28 --------- d-------- C:\Program Files\MSN Messenger
    2007-09-22 13:54 --------- d-------- C:\Program Files\Kasamba
    2007-09-19 15:32 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-15 20:04 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
    2007-09-14 11:10 10 --a------ C:\Program Files\.autoreg
    2007-08-07 19:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
    2007-07-26 20:53 --------- d-------- C:\Program Files\Common Files\SWF Studio
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@"="" []
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07]
    "CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 07:23]
    "HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
    "HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 02:55]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 08:01]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-10 21:58]
    "AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 19:19]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42]
    "VTTimer"="VTTimer.exe" [2003-05-07 23:32 C:\WINDOWS\system32\VTTimer.exe]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 16:57]
    "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-08-15 00:59]
    "LTMSG"="LTMSG.exe" [2003-07-14 17:52 C:\WINDOWS\ltmsg.exe]
    "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11]
    "Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-06-17 18:13]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-09-23 17:54]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-07 21:42]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RecordNow!"="" []
    "NVIEW"="nview.dll,nViewLoadHook" []
    "BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-22 21:25]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 08:20:40]

    C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
    Connect Kasamba.lnk - C:\Program Files\Kasamba\Kasamba.exe [2007-08-23 13:43:45]
    PowerReg Scheduler V3.exe [2007-02-02 01:50:24]

    S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\System32\DRIVERS\nvcap.sys
    S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\System32\DRIVERS\NVxbar.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-20 02:16:44 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    "2007-09-20 02:16:43 C:\WINDOWS\Tasks\McQcTask.job"
    "2007-09-24 00:51:31 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
    - c:\PROGRA~1\NORTON~1\Navw32.exe
    "2007-09-24 00:51:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-23 23:03:16
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-23 23:06:05 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-23 23:05
    .
    --- E O F ---

  #13 - Member (Join Date: Sep 2007 | Posts: 67)

    Here's the HJT log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:09:13 PM, on 9/23/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kasamba\Kasamba.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
    O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
    O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
    O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    --
    End of file - 6166 bytes
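As an added illustration of the triage the expert does by hand in posts #11 and #14 (example code written for this page, not part of the thread and not Trend Micro's HijackThis code), the script below parses HijackThis-style lines and flags the same classes of entry: registrations whose file is gone ("(no file)", "(file missing)"), startup shortcuts whose target cannot be resolved ("= ?"), executables launched straight from a drive root, and file names one edit away from a core Windows binary (the C:\svhost.exe and C:\tskmgr.exe that ComboFix deleted in post #12 are that pattern). The sample lines are constructed from entries quoted in this thread plus two invented Run entries for those root-level files; the severity scale and the list of imitated system names are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis-style lines modelled on entries quoted in
# this thread, plus two invented Run entries ([svhost], [tskmgr]) standing
# in for the root-level files ComboFix deleted. This is not a real log.
SAMPLE_LOG = r"""O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [svhost] C:\svhost.exe
O4 - HKCU\..\Run: [tskmgr] C:\tskmgr.exe -s
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\\Run: \[[^\]]*\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"Startup: .+? = (?P<target>.+?)(?: \(User '[^']*'\))?$")
ROOT_RE = re.compile(r"[A-Za-z]:\\[^\\]+")

# Core Windows binaries that malware likes to imitate (this example's own list).
SYSTEM_NAMES = {"svchost.exe", "taskmgr.exe", "lsass.exe", "csrss.exe",
                "smss.exe", "services.exe", "winlogon.exe", "explorer.exe"}


@dataclass
class Finding:
    kind: str       # HijackThis section, e.g. "O4"
    severity: str   # "high" or "info" (this example's own scale)
    reason: str
    line: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short file names, so the plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def command_path(cmd: str) -> str:
    """Program part of a Run value: '"c:\\x y\\a.exe" /r' -> 'c:\\x y\\a.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def lookalike(basename: str):
    """System binary this name imitates (edit distance exactly 1), else None."""
    name = basename.lower()
    if name in SYSTEM_NAMES:
        return None
    return next((s for s in SYSTEM_NAMES if levenshtein(name, s) == 1), None)


def startup_target(kind: str, body: str):
    """Target of an O4 entry (Run value or Startup-folder shortcut), else None."""
    if kind != "O4":
        return None
    if (m := RUN_RE.search(body)):
        return command_path(m["cmd"])
    if (m := STARTUP_RE.search(body)):
        return m["target"]
    return None


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body, line = m["kind"], m["body"], raw.strip()
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(kind, "high", "registration whose file is gone", line))
            continue
        target = startup_target(kind, body)
        if target is None:
            continue
        if target == "?":
            findings.append(Finding(kind, "high", "startup shortcut with unresolvable target", line))
            continue
        if "\\" not in target:
            findings.append(Finding(kind, "info", "bare filename, resolved through PATH search", line))
        elif ROOT_RE.fullmatch(target):
            findings.append(Finding(kind, "high", "executable launched from a drive root", line))
        if (legit := lookalike(target.rsplit("\\", 1)[-1])):
            findings.append(Finding(kind, "high", f"name is one edit away from {legit}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.reason}\n    {f.line}")
```

The "bare filename" rule is only informational because vendor entries such as VTTimer.exe and LTMSG.exe in this very log are legitimate; the point of flagging it is that a malicious file planted earlier on the PATH would win that search, so such entries deserve a second look rather than automatic removal.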

  #14 - Emeritus-Security Expert (Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208)

    Good Morning,

    Remove this with HJT:
    O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')


    C:\Program Files\Kasamba <-- Is this a program that you use?


    We need to make sure all hidden files are showing:
    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide file extensions for known types option.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.

    ComboFix picked up a few files that I am unsure of. What I would like you to do is upload them to this site for analysis and post the reports.


    Go to Jotti Upload and, using the browse feature,
    browse to these files:

    C:\sysowyo.exe
    C:\sysgqfg.exe
    C:\sysysnk.exe
    C:\sysgqfg.exe
    C:\ernmwr3w.exe


    Then click on Upload; it will give you a report. Post the report in your next reply.

  #15 - Member (Join Date: Sep 2007 | Posts: 67)

    OK, I did everything. Yes, Kasamba is a program I use; it's safe. But when trying the Jotti upload, I click on any one of the sys****.exe files and get a message from Norton saying it's a trojan and cannot be repaired. It won't let me upload it, and I tried deleting them and it says access denied :(

  #16 - Emeritus-Security Expert (Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208)

    We can and will delete them once we know for sure that they're bad; when they won't Google, they're almost 100% bad, but let's try this before we remove them.

    Right-click on Norton in the system tray (by the clock) and either shut it down or disable it; it will be enabled again the next time you reboot. Then try the Jotti upload again.

  #17 - Member (Join Date: Sep 2007 | Posts: 67)

    OK, I tried with Norton disabled and get this message from Jotti:

    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

  #18 - Emeritus-Security Expert (Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208)

    OK, then let's do this.

    First, look for the files manually yourself. I may seem overcautious, but we don't want to remove any files that may be needed by one of your programs. When you find the files, right-click on them and go to Properties; it will give you info on that file. Let me know what they are related to. Just do the top two, as they all seem related and were created on the same date.

    C:\ernmwr3w.exe
    C:\sysowyo.exe
    C:\sysgqfg.exe
    C:\sysysnk.exe
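The reasoning in posts #14 and #18 ("they all seem related and were created on the same date") can be automated over the "Files Created" section of the ComboFix log in post #12. The script below is an added example written for this page, not ComboFix's own code or anything from the thread: it parses that line layout (timestamp, size or <DIR>, nine-character attribute column, path), groups newly created executables by exact byte size, and flags files that share a size under different names, sit in a drive root, or are too small to be an ordinary program. The sample section is a constructed subset of the posted log with two legitimate lines (NirCmd.exe, msgsvc.dll) and a directory kept for contrast; the thresholds are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the "Files Created" section of the ComboFix
# log posted in this thread: the five sys????.exe files, ernmwr3w.exe, and
# two legitimate entries (NirCmd.exe, msgsvc.dll) plus a directory for contrast.
SAMPLE_SECTION = r"""
2007-09-23 17:34 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2007-09-23 15:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-20 09:13 425,480 --a------ C:\sysowyo.exe
2007-09-20 09:13 425,480 --a------ C:\sysnkqy.exe
2007-09-20 01:07 425,480 --a------ C:\sysydta.exe
2007-09-19 16:46 425,480 --a------ C:\sysysnk.exe
2007-09-19 16:46 425,480 --a------ C:\sysgqfg.exe
2007-09-18 06:20 281 --a------ C:\ernmwr3w.exe
2007-09-15 18:23 <DIR> d-------- C:\WINDOWS\uzzf
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.+)$"
)
ROOT_RE = re.compile(r"[A-Za-z]:\\[^\\]+")
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass(frozen=True)
class Entry:
    created: str           # "YYYY-MM-DD HH:MM" as printed by ComboFix
    size: Optional[int]    # None for <DIR> lines
    attrs: str             # ComboFix's 9-character attribute column
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_executable(self) -> bool:
        return self.name.lower().endswith(EXEC_SUFFIXES)

    @property
    def in_drive_root(self) -> bool:
        return ROOT_RE.fullmatch(self.path) is not None


def parse_section(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["ts"], size, m["attrs"], m["path"]))
    return entries


def size_clusters(entries: List[Entry], min_names: int = 2) -> Dict[int, List[Entry]]:
    """Executables of exactly the same byte size under different names.
    A dropper re-writing one payload under random names produces this."""
    by_size: Dict[int, List[Entry]] = defaultdict(list)
    for e in entries:
        if e.size is not None and e.is_executable:
            by_size[e.size].append(e)
    return {s: es for s, es in by_size.items()
            if len({e.name.lower() for e in es}) >= min_names}


def flag_suspicious(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(path, reason) pairs; a file can be flagged for more than one reason."""
    flags = []
    clustered = {e.path for es in size_clusters(entries).values() for e in es}
    for e in entries:
        if e.size is None or not e.is_executable:
            continue
        if e.path in clustered:
            flags.append((e.path, f"same size ({e.size:,} bytes) as other new executables"))
        if e.in_drive_root:
            flags.append((e.path, "executable written to the drive root"))
        if e.size < 1024:   # threshold is this example's own choice
            flags.append((e.path, f"only {e.size} bytes, far too small for an ordinary program"))
    return flags


if __name__ == "__main__":
    found = parse_section(SAMPLE_SECTION)
    for size, members in size_clusters(found).items():
        print(f"{len(members)} files of {size:,} bytes, created "
              f"{min(m.created for m in members)} .. {max(m.created for m in members)}")
    for path, reason in flag_suspicious(found):
        print(f"  {path}: {reason}")
```

Matching on exact size is deliberately strict: polymorphic droppers vary the size between copies, so a cluster like this one (five 425,480-byte files written over two days) is a strong signal when it does appear, and the same-size grouping also tells you that analysing any one member covers the whole set, which matters when, as in post #17, the files cannot be uploaded one at a time.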

  #19 - Member (Join Date: Sep 2007 | Posts: 67)

    Under "Type of file" it just says Application.

  #20 - Emeritus-Security Expert (Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208)

    Let's do this.

    Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad.

    File::
    C:\ernmwr3w.exe
    C:\sysowyo.exe
    C:\sysgqfg.exe
    C:\sysysnk.exe

    Save this as CFScript to your desktop.

    Then drag the CFScript onto ComboFix.exe as shown in the screenshot below.

    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply
    together with a new HijackThis log.
