The ComboFix entries you talk about are all part of
http://research.sunbelt-software.com/threatdisplay.aspx?threatid=123565
Remove HijackThis entries
- Run HijackThis
- Click on the System Scan Only button
- Put a check beside all of the items listed below (if present):
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
O2 - BHO: (no name) - {3437F77C-C103-47BF-BF1D-7EAFC400BE8F} - (no file)
O3 - Toolbar: (no name) - {5CFAD498-79F2-4A82-91A3-4BADDE0281B1} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
- Close all open windows and browsers/email, etc...
- Click on the "Fix Checked" button
- When completed, close the application.
--------------------------------------------------------------------------------------------------------
Show hidden files through Windows Explorer
- Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
- On the Tools menu in Windows Explorer, click Folder Options.
- Click the View tab.
- Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.
Now go to Start -> Search -> All files and folders -> search for:
fmsxwqs.exe
etlrlws.dll
altvxvm.dll
bokpkov.dll
If any are found, let me know; we will remove them in the next step.
Also let me know if you purposely downloaded this movie: C:\SPONGEBOB_SQUAREPANTS_ATLANTIS.ISO
--------------------------------------------------------------------------------------------------------
Let's add those sites to the blocked list.
Open Internet Explorer.
Click Tools -> Internet Options.
Click the Security tab.
Click on the Trusted sites icon.
Click the Sites button and remove all sites from the trusted zone by selecting them and clicking the Remove button.
Once done, click OK.
Then, click the Privacy tab and click the Sites button. In the address bar type
- any website that has been popping up, and
- www.cpvfeed.com
Click OK, then OK again, and close IE. Reboot your system.
--------------------------------------------------------------------------------------------------------
Manually Clear Cache:
- Open an Explorer folder window (for example, double-click My Computer).
- From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
- Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
- IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
- You should see a series of four or more folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use; this is normal if you are currently at a web site, since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
- If desired, reset the folder options you changed in step 1.
----------------------------------------------------------------------------------------------------------
Generate Uninstall List
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
***Attach this notepad file in your reply along with a fresh HijackThis scan after completing the above.***
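
Added example, not part of the original post and not HijackThis code: a small Python parser for the log-line shapes quoted above (R1, O2, O3, O14) that lists the CLSID entries whose file field reads "(no file)" and the hosts the browser settings point at. The function names and the last sample line are assumptions made up for illustration.

```python
import re
from urllib.parse import urlsplit

# The four entries quoted in the post, plus one constructed entry (last line)
# whose file field is populated, for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
O2 - BHO: (no name) - {3437F77C-C103-47BF-BF1D-7EAFC400BE8F} - (no file)
O3 - Toolbar: (no name) - {5CFAD498-79F2-4A82-91A3-4BADDE0281B1} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Example\helper.dll
"""

LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O2/O3 shape: "<kind>: <name> - {CLSID} - <file>"
CLSID_ENTRY = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.+)$")
# O14 shape: "IERESET.INF: <setting>=<data>"
IERESET_ENTRY = re.compile(r"^IERESET\.INF: (?P<value>\w+)=(?P<data>.*)$")
# R0/R1 shape: "<registry key>,<value name> = <data>"
REG_ENTRY = re.compile(r"^(?P<key>.+?),(?P<value>[^=,]*) = (?P<data>.*)$")

def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not an entry."""
    m = LINE.match(line.strip())
    if not m:
        return None
    entry = {"section": m["section"]}
    for pattern in (CLSID_ENTRY, IERESET_ENTRY, REG_ENTRY):
        fields = pattern.match(m["body"])
        if fields:
            entry.update(fields.groupdict())
            break
    return entry

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def orphaned_clsids(entries):
    """CLSID entries whose file field reads "(no file)"."""
    return [(e["section"], e["clsid"]) for e in entries if e.get("file") == "(no file)"]

def redirect_hosts(entries):
    """Hosts that R* and O14 entries point the browser at."""
    return sorted({urlsplit(e["data"]).hostname for e in entries
                   if e.get("data", "").startswith("http")})

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(orphaned_clsids(entries))
    print(redirect_hosts(entries))
```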