Read other posts from folks with the same problem. However messages to other posters told where to d/load combofix but not the other item HJT. I have got the report from combofix. Where to go now
Yuo can get HJT from here. Run it, post your logs. you can attach them by using the additional options button on the reply page. Someone will check them.
Click here to download HJTsetup.exe
[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
unable to stay on line for long sinse using combofix keep geting switched off with Generic32 system error notices
here’s log after using hjt
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:47:54, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Alun\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 “EPSON Stylus DX4800 Series” /O6 “USB001” /M “Stylus DX4800”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{A6DF5206-9CB0-4AFF-A84E-06BA04A13E30}: NameServer = 212.139.132.38 212.139.132.39
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
–
End of file - 5436 bytes
first time to use forum. sorry posted the reports in wrong place
Didn’t see your post.
Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
File:: C:\WINDOWS\system32\Drivers\dhlp.sys C:\WINDOWS\mrofinu572.exe.tmpFolder::
C:\Documents and Settings\All Users\Application Data\SalesMon
This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new hjt log.
done as instructed, both logs attatched. many txs, more?
Havin a look now. Be back later.
I’ve got a foot of snow to move, I’ll get bak to this in aa soon as I can.
Do this and let me know how things are at that end.
Please download The Avenger by Swandog46 to your Desktop.
1.[*]Click on Avenger.zip to open the file[*]Extract avenger.exe to your desktop
[QUOTE]Drivers to unload:
dhlp
Files to delete:
C:\WINDOWS\system32\Drivers\dhlp.sys
[/quote]
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, start The Avenger program by clicking on its icon on your desktop.
[*] Under “Script file to execute” choose “Input Script Manually”.
[*]Now click on the Magnifying Glass icon which will open a new window titled “View/edit script”
[*] Copy/Paste [b]all[b] the text in the above quote box into this window by
[*] MAKE SURE THE TEXT MATCHES EXACTLY
[*] Click Done
[*] Now click on the Green Light to begin execution of the script
[*] Answer “Yes” twice when prompted.
3. The Avenger will automatically do the following:
[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
4. Please copy/paste the content of c:\avenger.txt into your reply [b]
best of luck with the snow havnt seen any this year! i understand your instruction re avenger etc, but just above the link for avenger you posted 2 lines without instruction, ’ do this and let me know’ I know I’ve got termites between the hears but do what with it. gratful
I’ll leave you to clear your snow and thank you for all your effort until 2morow. Its grennich meantime where I live and time to hit the sack, until 2morow
Many thanks speak with you later
Sorry, errant lines from my canned instructions. 
I use them as a “fill”. I removed them froom the post.
Please submit these files for analysis
To submit a file to virustoal, please click om this link
copy and paste the following into the upload a file box (one at a time if more than one file is listed)
C:\WINDOWS\system32\msxml3a.dll
scroll down a bit and click “send file”, wait for the results and post then in your next reply.
good morning, submitted files for analysis has insructed and attatched results. Have not used avenger yet
File msxml3a.dll received on 01.20.2008 10:11:29 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Loading server information…
Your file is queued in position: 2.
Estimated start time is between 41 and 59 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they’re generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click “request” so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
AhnLab-V3 2008.1.19.10 2008.01.18 -
AntiVir 7.6.0.48 2008.01.20 -
Authentium 4.93.8 2008.01.20 -
Avast 4.7.1098.0 2008.01.20 -
AVG 7.5.0.516 2008.01.19 -
BitDefender 7.2 2008.01.20 -
CAT-QuickHeal 9.00 2008.01.19 -
ClamAV 0.91.2 2008.01.20 -
DrWeb 4.44.0.09170 2008.01.19 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5470 2008.01.18 -
Ewido 4.0 2008.01.19 -
FileAdvisor 1 2008.01.20 -
Fortinet 3.14.0.0 2008.01.20 -
F-Prot 4.4.2.54 2008.01.19 -
F-Secure 6.70.13260.0 2008.01.19 -
Ikarus T3.1.1.20 2008.01.20 -
Kaspersky 7.0.0.125 2008.01.20 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.20 -
NOD32v2 2807 2008.01.19 -
Norman 5.80.02 2008.01.18 -
Panda 9.0.0.4 2008.01.19 -
Prevx1 V2 2008.01.20 -
Rising 20.27.61.00 2008.01.20 -
Sophos 4.24.0 2008.01.20 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.20 -
TheHacker 6.2.9.191 2008.01.19 -
VBA32 3.12.2.5 2008.01.19 -
VirusBuster 4.3.26:9 2008.01.20 -
Webwasher-Gateway 6.6.2 2008.01.20 -
Additional information
File size: 24064 bytes
MD5: 718d1c9346a991ee101f2dfa72a50d70
SHA1: 7fea804959602826358911e286ce47a9f08cff48
PEiD: -
ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
Okay, it’s one of the good guys.
And good morning to you. for me it’s past my bedtime. I’ll check on this in the morning (my morning).
The avenger should be the last, then we can clean up the tools.
Hi
Could I please have the Avenger results? Just want to make sure the driver was unloaded.
This is the clean up routine we will use, if the driver is gone.
1.Click start button, click run, copy and paste the line below into the box, click ok
combofix /u
2.Please download the OTMoveIt by OldTimer.
[*] Save it to your desktop.
[*] Please double-click OTMoveIt2.exe to run it.
Then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.
3.Create a new restore point
You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create
Remove old restore points
4.Disk Cleanup
- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
5.Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.
If you are using windows firewall. Please note it doesn’t provide outbound protection. A third party firewall will.
A discussion on free firewalls can be found here.
Dare I say good morning!! Avengr report below. It might be note worthy to mention that I have not seen anything of the trojan sinse we done the first combofix & HJT reports. The only prob I have got sinse is two messages:- Generic Host proceedure for Win32 services, must close down etc and 'svchost.exe-Application error 'followed by a series of numbers, both of which will switch you off the net if you acknowledge them.
avenger report
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pwnkskls
Script file located at: ??\C:\Documents and Settings\wetxmtgw.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
Beginning to process script file:
Driver dhlp unloaded successfully.
File C:\WINDOWS\system32\Drivers\dhlp.sys not found!
Deletion of file C:\WINDOWS\system32\Drivers\dhlp.sys failed!
Could not process line:
C:\WINDOWS\system32\Drivers\dhlp.sys
Status: 0xc0000034
Completed script processing.
Finished! Terminate.
Can you post the exact error, including the numbers up in the errors?
We’ll have a look.
When did they start?
If you can post the exact error message(s), then boot into safe mode and back to normal windows, see if that helps.