Hi,
Your system is most definitely not clean yet. Please do the following.
You may wish to copy and paste these instructions on notepad for easier reference later.
Download the attached "
Combofix-Do.txt" (
from my attachment) and save it to the same folder as Combofix.
Boot into safe mode under your normal user name. See how
HERE
Next turn on "Show all files and folders, including hidden and system". See how
HERE
Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
DirectX Service
Creative Service for CDROM Access
After that,
run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {90F75E47-94D2-48AC-8D32-863356FA6578} - C:\WINDOWS\SYSTEM32\urqqnnk.dll
O2 - BHO: (no name) - {EF0EE45B-EB21-4B8F-A4C1-101628FFFC30} - C:\WINDOWS\system32\jkhhg.dll
O4 - Global Startup: Logitech SetPoint.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted IP range:
http://10.0.0.2
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) -
https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: urqqnnk - C:\WINDOWS\SYSTEM32\urqqnnk.dll
O23 - Service: Creative Service for CDROM Access - Unknown owner - (no file)
O23 - Service: DirectX Service (DirectSang) - Unknown owner - (no file)
Close HJT.
Drag the
Combofix-Do.txt that you downloaded earlier over on to
Combofix.exe and release.
This will ask Combofix to execute the instructions within my file.
Let Combofix run normally and do its job. Attach the resultant log in your reply.
Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.
Regards,
Your friendly momok =)
This thread is for the use of dkaox only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.