Hi,
Howard doesn't seem to be around, in the meanwhile allow me to help you.
You may wish to copy and paste these instructions on notepad for easier reference later.
Boot into safe mode under your normal user name. See how
HERE
Next turn on "Show all files and folders, including hidden and system". See how
HERE
Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
winbo32
Comp store copy sign
FireDaemon Service: smss
Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:
eqsave.exe
winbo32.exe
mssvchost.exe
After that,
run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Comp store copy sign] C:\Documents and Settings\All Users\Application Data\Creativehopecompstore\eqsave.exe
O4 - HKLM\..\Run: [winbo32] winbo32.exe
O4 - HKLM\..\RunServices: [winbo32] winbo32.exe
O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - c:\Windows\system32\Dap\\mssvchost.exe
Close HJT.
Navigate in Windows Explorer and delete the following
files and
folders in
bold.
C:\WINDOWS\system32\
TWUNK_32.EXE
C:\WINDOWS\system32\
TWUNK_16.EXE
C:\WINDOWS\system32\
TWAIN_32.DLL
c:\Windows\system32\
Dap\
C:\Documents and Settings\All Users\Application Data\
Creativehopecompstore\
Also search your system for all instances of
winbo32.exe and delete them. Let me know the filepath(s) where they reside.
Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.
Regards,
Your friendly momok =)
This thread is for the use of whiteraven only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.