Hi, someone clicked on something they should not have, and then meekly asked me if I could fix their computer..
Getting a lot of pop-ups asking to install various security and spyware apps.
I'm gratefully (and meekly) asking if you could assist me.
Have cleaned with SpyBot S&D, NOD32, ComboFix, VUndoFix, HiJackThis, and it seems to be corrected.
Can you see anything left that I missed?
TIA,
ballooshi
VundoFix Log:
VundoFix V6.6.1
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 2:21:44 PM 12/3/2007
Listing files found while scanning....
C:\windows\system32\rywxljgt.dll
C:\windows\system32\yqssvusa.dll
Beginning removal...
Attempting to delete C:\windows\system32\rywxljgt.dll
C:\windows\system32\rywxljgt.dll Has been deleted!
Attempting to delete C:\windows\system32\yqssvusa.dll
C:\windows\system32\yqssvusa.dll Has been deleted!
Performing Repairs to the registry.
Done!
ComboFix Log:
ComboFix 07-12-02.7 - MBuncayo 2007-12-03 15:48:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.212 [GMT -5:00]
Running from: C:\Documents and Settings\MBuncayo\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\MBuncayo\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\MBuncayo\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\MBuncayo\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\MBuncayo\Favorites\Online Security Guide.lnk
C:\Documents and Settings\MBuncayo\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\MBuncayo\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\MBuncayo\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\MBuncayo\Start Menu\Programs\Outerinfo
C:\Documents and Settings\MBuncayo\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\MBuncayo\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\icroso~1.net\?icrosoft.NET\
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive8.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule10.exe
C:\Program Files\ttx.exe
C:\WINDOWS\b111.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\sembly~1
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jkkjj.dll
C:\WINDOWS\system32\pmnkhij.dll
C:\WINDOWS\system32\rywxljgt.dllbox
C:\WINDOWS\system32\syycvbuk.dll
C:\WINDOWS\system32\wnstsicomsv32.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.
2007-12-03 14:39 . 2007-12-03 14:38 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-12-03 14:39 . 2007-12-03 14:38 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-12-03 14:39 . 2007-12-03 14:38 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-12-03 14:21 . 2007-12-03 15:20 <DIR> d-------- C:\VundoFix Backups
2007-12-03 14:15 . 2007-12-03 14:15 176 --a------ C:\WINDOWS\wininit.ini
2007-12-03 13:38 . 2007-12-03 15:03 <DIR> d-------- C:\HiJackThis
2007-12-03 12:24 . 2007-12-03 14:45 794,160 --ahs---- C:\WINDOWS\system32\egsxjwwp.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 19:38 --------- d-----w C:\Program Files\Symantec
2007-12-03 19:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-03 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-03 11:46 --------- d-----w C:\Documents and Settings\MBuncayo\Application Data\U3
2007-11-01 22:22 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-03 18:28 --------- d-----w C:\Program Files\MSECache
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDD9AE44-6FFC-3B21-DE58-38E676F00FE4}]
C:\WINDOWS\system32\kmfmarxi.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-08-21 10:44]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:07]
"Otos"="C:\PROGRA~1\COMMON~1\ICROSO~1.NET\notepad.exe" []
"Ips"="C:\WINDOWS\??sembly\?explore.exe" []
"QdrModule10"="C:\Program Files\QdrModule\QdrModule10.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 11:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 11:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 12:43]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05c\BrStDvPt.exe" [2005-01-26 18:02]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 18:30]
"50f9963d"="C:\WINDOWS\system32\pwwjxsge.dll" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-03 14:38]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Intellimenus"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkjj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
2004-11-22 17:20 1126400 --a------ C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys
R1 UdfReadr;UdfReadr;C:\WINDOWS\system32\drivers\UdfReadr.sys
R3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys
R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys
R3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys
R3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bbc12e4-a184-11db-8d2d-000874f17fc1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3e07824-9741-11db-8d1e-000874f17fc1}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2007-12-03 21:04:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 16:06:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-03 16:07:56 - machine was rebooted
.
--- E O F ---
HJT Log, after VundoFix and ComboFix:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:58 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\Explorer.EXE
C:\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/english
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://st25.startlogic.com:8080/webmail/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05c\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Otos] "C:\PROGRA~1\COMMON~1\ICROSO~1.NET\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Ips] C:\WINDOWS\??sembly\?explore.exe
O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Mahjong Escape\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Mahjong Escape\Images\armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCE02B2D-5D6A-48D5-826F-8A820C3CF4C1}: NameServer = 10.0.0.10,66.0.175.146,66.0.144.30
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 5662 bytes
Full Version: Security SpyWare Pop-Ups
First:
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Second:
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT
Press the 'Scan' button and when done check the following items in HijackThis:
O4 - HKCU\..\Run: [Otos] "C:\PROGRA~1\COMMON~1\ICROSO~1.NET\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Ips] C:\WINDOWS\??sembly\?explore.exe
O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
Close all windows except HijackThis and click Fix checked.
While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\PROGRA~1\COMMON~1\ICROSO~1.NET\ <--delete entire folder,
C:\WINDOWS\??sembly\ <--delete entire folder,
C:\Program Files\QdrModule\ <--delete entire folder,
*How to Boot into Safe mode:
http://www.computerhope.com/issues/chsafe.htm
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot in normal mode
Run HiJackThis again and post a new log in this thread. (Be sure that Word Wrap is turned off in Notepad)
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
QUOTE
File::
C:\WINDOWS\system32\egsxjwwp.ini
C:\WINDOWS\system32\kmfmarxi.dl
C:\WINDOWS\system32\jkkjj.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDD9AE44-6FFC-3B21-DE58-38E676F00FE4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"50f9963d"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
C:\WINDOWS\system32\egsxjwwp.ini
C:\WINDOWS\system32\kmfmarxi.dl
C:\WINDOWS\system32\jkkjj.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDD9AE44-6FFC-3B21-DE58-38E676F00FE4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"50f9963d"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Second:
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT
Press the 'Scan' button and when done check the following items in HijackThis:
O4 - HKCU\..\Run: [Otos] "C:\PROGRA~1\COMMON~1\ICROSO~1.NET\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Ips] C:\WINDOWS\??sembly\?explore.exe
O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
Close all windows except HijackThis and click Fix checked.
While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\PROGRA~1\COMMON~1\ICROSO~1.NET\ <--delete entire folder,
C:\WINDOWS\??sembly\ <--delete entire folder,
C:\Program Files\QdrModule\ <--delete entire folder,
*How to Boot into Safe mode:
http://www.computerhope.com/issues/chsafe.htm
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot in normal mode
Run HiJackThis again and post a new log in this thread. (Be sure that Word Wrap is turned off in Notepad)
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.