Hi Mic, thanks for your patience :)
AndyManchesta: I followed your instructions (here). I did a scan with HJT (now it works again after I used LinkOptFix), and tried to look for what www.hijackthis.de would say. They didn't really find anything bad (except one or two items, which I removed).
These auto analysis sites are really no use at all these days; there are far too many infections around that do not show any signs in HijackThis, so although it's probably OK to give them a try as part of a clean-up process, it would be dangerous to believe that the system is clean based on their results. There are infections that add rootkit components so their entries will not show in logs, infections that use Microsoft company details in their service files so HijackThis regards them as safe and doesn't list them, infections that hide all entries for certain areas such as winlogon and BHO entries so HijackThis doesn't show them, and infections that run from areas that HijackThis doesn't check, such as the Installed Components key, so I wouldn't recommend using the auto analysis sites if anyone feels they have been infected.
Do you know what entries they suggested you remove?
If you're not sure, it should show in the backups area (start HijackThis > click Open the Misc Tools section > click Backups); then briefly type what they contain so I can make sure they needed to be removed.
We will be repeating a lot of the steps you noticed in Leluc's post now, as it's the same infection.
Please download the Suspicious file Packer from Safer-Networking.org and unzip it to your desktop.
Run SFP.exe.
Please copy the following lines into the Step 1: Paste Text window:
C:\WINDOWS\com3.rjy
C:\WINDOWS\EXPLORER(2).EXE
C:\WINDOWS\GPInstall.exe
C:\WINDOWS\system32\CSRSS(3).EXE
C:\WINDOWS\system32\CTFMON(2).EXE
C:\WINDOWS\system32\LSASS(3).EXE
C:\WINDOWS\system32\SPOOLSV(2).EXE
C:\WINDOWS\system32\SVCHOST(3).EXE
then click "Continue".
This will create a .cab file on your desktop named requested-files[Date/Time].cab
Please then visit the below link
http://www.bleepingcomputer.com/submit-mal....php?channel=27
In the "Link to topic where this file was requested:" area type Ccleaners, click Browse and then locate the requested-files.cab archive on your desktop, then click Send File.
Once it shows
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
You can then close the Bleeping Computer window and continue with the steps below
Download the Gromozon remover from here
http://www.prevx.com/gromozon.asp
Run the tool and follow the prompts; click No if it prompts you to install Prevx, as it's a trial version and isn't required here. When it's finished, please post the c:\gromozon_removal.log into your next reply.
Goto Start > Run > copy and paste
cmd /c net user>%systemdrive%\user.txt & start notepad %systemdrive%\user.txt
Press OK and post the contents of the C:\user.txt file back here.
Goto Start > Run > copy and paste
cmd /c regedit.exe /a/e %systemdrive%\regresult.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" & start notepad %systemdrive%\regresult.txt
Press OK and post the contents of C:\regresult.txt back here.
Finally download GetServices from HERE
Extract the zip file, then open the getservice folder and double-click getservice.bat. When it has completed, a Notepad window will open with a lot of information; please attach that to your next post.
Please copy/paste or attach the logs into your next reply, together with a new HijackThis log.
Let us know if you have any problems
Andy
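The following script is an added example and is not part of the thread above or of any of the tools it names. It automates the manual checks Andy asks for (the `net user` listing and the export of the Winlogon `SpecialAccounts\UserList` key, which hides accounts from the logon screen) and adds two checks for the blind spots his earlier paragraph describes: Active Setup "Installed Components" autostarts, which HijackThis does not inspect, and services whose binary carries Microsoft company details but no valid Authenticode signature. It assumes a Windows host with PowerShell 3 or later and an elevated prompt; the registry paths are the standard Windows ones, and the function names are this example's own.

```powershell
# Added example, not from the original thread. Run from an elevated
# PowerShell prompt on Windows (PowerShell 3 or later assumed).

$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$InstalledComponentsKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

function Get-HiddenAccountReport {
    # Every local account, the same set 'net user' prints.
    $accounts = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE'

    # A DWORD value of 0 under UserList hides that account from the logon
    # screen. Collect the entries, skipping the PS* provider properties.
    $hidden = @{}
    if (Test-Path -LiteralPath $UserListKey) {
        $props = Get-ItemProperty -LiteralPath $UserListKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $hidden[$p.Name] = $p.Value }
        }
    }

    # An enabled account that is hidden and that you did not create yourself
    # is the case the manual regedit export above is meant to reveal.
    foreach ($a in $accounts) {
        [pscustomobject]@{
            Name         = $a.Name
            Disabled     = $a.Disabled
            SID          = $a.SID
            HiddenFromUI = ($hidden.ContainsKey($a.Name) -and $hidden[$a.Name] -eq 0)
        }
    }
}

function Get-InstalledComponentsReport {
    # Each subkey with a StubPath is run once per user at logon whenever the
    # per-user copy under HKCU is missing or older: a persistence location
    # outside the areas HijackThis checks.
    foreach ($key in $InstalledComponentsKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        Get-ChildItem -LiteralPath $key | ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath
            if ($props.StubPath) {
                [pscustomobject]@{
                    Component = $_.PSChildName
                    Name      = $props.'(default)'
                    Version   = $props.Version
                    StubPath  = $props.StubPath
                }
            }
        }
    }
}

function Get-UnsignedMicrosoftServices {
    # Version-info strings are free text that malware can copy; an
    # Authenticode signature is not. Flag service binaries that claim
    # Microsoft in CompanyName but do not verify.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        # Executable from the command line: the quoted token, or the first
        # whitespace-delimited token for unquoted paths (an unquoted path
        # containing spaces is a finding in its own right).
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
        if (-not $file) { return }
        if ($file.VersionInfo.CompanyName -like '*Microsoft*') {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Service   = $_.Name
                    State     = $_.State
                    Path      = $exe
                    SigStatus = $sig.Status
                }
            }
        }
    }
}

Get-HiddenAccountReport       | Format-Table -AutoSize
Get-InstalledComponentsReport | Format-Table -AutoSize -Wrap
Get-UnsignedMicrosoftServices | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. Services hosted in svchost.exe report the (signed) host binary, so their ServiceDll is not checked by the last function; and on older PowerShell versions Get-AuthenticodeSignature does not consult the Windows catalog, so catalog-signed system binaries show up as NotSigned. Treat the signature hits as leads to submit, as the post does with its file list, rather than as proof of infection.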