Hi
For some reason I don't believe that it's clean though scanners claim otherwise. But we'll see.
Try to find also this file -> C:\WINDOWS\system32\ctfmon.exe and scan it in jotti/virustotal
Open notepad and copy/paste the text in the quotebox below into it:
Code:
File::
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\kjkkj.ini
C:\WINDOWS\system32\RCX22.tmp
C:\WINDOWS\system32\jkkjk.exe
C:\WINDOWS\system32\RCX18.tmp
C:\WINDOWS\system32\jkkjk.VIR002
C:\WINDOWS\system32\RCX11.tmp
C:\WINDOWS\system32\jkkjk.VIR001
C:\WINDOWS\system32\RCX13.tmp
C:\WINDOWS\system32\jkkjk.VIR000
C:\WINDOWS\system32\RCXC.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\jkkjk.VIR
C:\WINDOWS\system32\RCX2D.tmp
Driver::
MicrosoftCOMSysApp
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkklmj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmxw32]
winmxw32.dll
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.