Windows cannot find jkhhf.exe

Greetings ( 1st post ),

At start up I am getting the above message along with (my words) "unable to find the file this refers to, amend or delete".

This hardly surprises me as McAfee removed this file yesterday as it contains a virus called Win32\Trats. Where do I need to go to disable or remove the file it is pointing to to stop this windows pop up warning / how do I go about it ?

Files involved C:\Windows\system32\jkhhf.exe and C:\WINDOWS\WIN.INI plus a few in %system32%

TIA Elmer

Go-to Run> Then type msconfig and hit enter.

Untick that line from startup entries.

Apply and reboot.

Cheers Mr. H,

Done and dusted, I know my way round a PC (with instruction of course!) a little bit, but I always forget where I have seen something before !

Thanks. Elmer

No problem, you're welcome.

If you would like to remove this malicious .exe from the computer completely then we will need to see a HJT log.

• Double-click on HJTInstall.
• Click on the Install button.
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
• Upon install, HijackThis should open for you.
  • Close HijackThis and rename it.
  • Go to C:\Program Files\Trend Micro\HijackThis.exe
  • Right click on HijackThis.exe and select Rename.
  • Type in sniper.exe and press Enter.
  • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
• From the desktop open HiackThis.
• If using Windows Vista, be sure to Run As Administrator
• Click on the Do a system scan and save a log file button
• HijackThis will scan and then a log will open in notepad.
• Copy and then paste the log in your post.
  • Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Even though we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

First log off Hijack this, I reinstalled (patched) McAfee not long before this to see if I could get Site Advisor to work to no avail. I thought with the help of Vundofix used this a.m. I'd got rid of it, obviously not !!
Anyway, Log :-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:01:58, on 20/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AdAware07\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\slserv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhf.exe
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: (no name) - {3401DB32-7F00-4EC7-A890-A75F64973843} - (no file)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk = C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199998689015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200699420078
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: cbxyaaw - cbxyaaw.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0010821200782168) (0010821200782168mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Kev\LOCALS~1\Temp\001082~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\AdAware07\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 7299 bytes



Elmer

There are some suspicious entries in the log. Lets run a more thorough tool.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
• Link #2
• Link #3

IMPORTANT - Combofix.exe MUST be saved to your your Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc)
• Close/disable all anti virus and anti malware programs so they do not interfere with Combofix. <-- IMPORTANT
  • Click on this link to see a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
• Double click combofix.exe & follow the prompts.
  • From the keyboard select 1 and press Enter
• When finished, it will produce a log for you.
• Post that log in your next reply.

Do not mouseclick combofix's window while it's running.
The scan will temporarily disable your desktop.
If interrupted it may leave your computer frozen.
If this occurs, please reboot to restore the desktop.


---------------

Next post please add
Combofix log

This is the log I think !! (Went to make a coffee !) from Combo fix. I disabled everything I could so the net and McAfee didn't re-start after re-boot. If I did that wrong I will redo it. The BIG red letters worry me.



ComboFix 08-01-20.1 - Kev 2008-01-20 1:18:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.167 [GMT 0:00]
Running from: C:\Documents and Settings\Kev\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.
2008-01-20 01:02 . 2000-08-31 08:00 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2008-01-19 23:58 . 2008-01-19 23:58 <DIR> d----c--- C:\Program Files\Trend Micro
2008-01-19 23:52 . 2008-01-19 23:52 812,344 --a--c--- C:\Program Files\HJTInstall.exe
2008-01-19 22:50 . 2008-01-19 22:50 <DIR> d----c--- C:\WINDOWS\Open RegEdit
2008-01-19 18:00 . 2008-01-19 19:35 <DIR> d----c--- C:\VundoFix Backups
2008-01-19 16:27 . 2008-01-19 17:51 <DIR> d----c--- C:\Program Files\PrevxCSI
2008-01-19 16:19 . 2008-01-19 16:19 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-19 16:18 . 2008-01-19 16:20 <DIR> d----c--- C:\Documents and Settings\Kev\Application Data\PrevxCSI
2008-01-19 14:23 . 2008-01-19 14:23 <DIR> d----c--- C:\Program Files\StartupRun
2008-01-19 14:23 . 2008-01-19 14:23 39,424 --a--c--- C:\WINDOWS\zipinst.exe
2008-01-19 14:22 . 2008-01-19 15:55 <DIR> d----c--- C:\Documents and Settings\Kev\Application Data\wsInspector
2008-01-19 14:16 . 2008-01-19 15:56 <DIR> d----c--- C:\Program Files\Startup Inspector
2008-01-19 12:40 . 2008-01-19 14:07 <DIR> d----c--- C:\Program Files\AdAware07
2008-01-19 12:25 . 2008-01-19 12:25 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-19 11:48 . 2008-01-19 12:40 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-19 09:30 . 2007-07-30 19:19 271,224 --a--c--- C:\WINDOWS\system32\mucltui.dll
2008-01-19 09:30 . 2007-07-30 19:19 30,072 --a--c--- C:\WINDOWS\system32\mucltui.dll.mui
2008-01-19 01:53 . 2007-01-18 12:00 3,968 --a--c--- C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-18 23:20 . 2005-09-18 02:32 5,376 --a--c--- C:\WINDOWS\system32\antiwpa.dll
2008-01-18 16:20 . 2008-01-18 16:20 <DIR> d----c--- C:\Program Files\uTorrent
2008-01-18 16:19 . 2008-01-19 22:13 <DIR> d----c--- C:\Documents and Settings\Kev\Application Data\uTorrent
2008-01-18 15:54 . 2008-01-20 01:16 11,387 --a--c--- C:\WINDOWS\system32\Config.MPF
2008-01-18 15:52 . 2008-01-19 22:44 <DIR> d----c--- C:\Program Files\SiteAdvisor
2008-01-18 15:52 . 2008-01-19 00:13 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-01-18 15:52 . 2008-01-19 02:56 <DIR> d----c--- C:\Documents and Settings\Kev\Application Data\SiteAdvisor
2008-01-18 15:51 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-18 15:47 . 2007-07-21 09:08 201,288 --a--c--- C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-18 15:47 . 2007-07-13 09:20 113,952 --a--c--- C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-18 15:47 . 2007-07-24 07:40 79,304 --a--c--- C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-18 15:47 . 2007-07-21 09:08 40,488 --a--c--- C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-18 15:47 . 2007-07-21 09:08 35,240 --a--c--- C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-18 15:47 . 2007-07-24 12:02 33,800 --a--c--- C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-18 15:45 . 2008-01-18 15:46 <DIR> d----c--- C:\Program Files\McAfee.com
2008-01-18 15:45 . 2008-01-18 15:47 <DIR> d----c--- C:\Program Files\Common Files\McAfee
2008-01-18 15:44 . 2008-01-20 01:09 <DIR> d----c--- C:\Program Files\McAfee
2008-01-18 10:09 . 2008-01-18 10:09 <DIR> d----c--- C:\Program Files\AWicons Lite
2008-01-17 23:21 . 2008-01-17 23:21 499,712 --a--c--- C:\WINDOWS\system32\msvcp71.dll
2008-01-17 23:21 . 2008-01-17 23:21 348,160 --a--c--- C:\WINDOWS\system32\msvcr71.dll
2008-01-17 22:43 . 2008-01-17 23:09 <DIR> d----c--- C:\WINDOWS\SxsCaPendDel
2008-01-17 16:30 . 2004-08-12 14:05 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2008-01-17 16:30 . 2004-08-12 14:05 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2008-01-17 16:29 . 2004-08-12 13:58 35,328 --a------ C:\WINDOWS\system32\iprip.dll
2008-01-17 16:29 . 2004-08-12 13:58 35,328 --a--c--- C:\WINDOWS\system32\dllcache\iprip.dll
2008-01-17 03:49 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-01-17 03:14 . 2008-01-17 03:14 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-17 03:08 . 2008-01-17 03:08 <DIR> d----c--- C:\WINDOWS\Sun
2008-01-17 03:07 . 2007-09-24 23:31 69,632 --a--c--- C:\WINDOWS\system32\javacpl.cpl
2008-01-17 03:06 . 2008-01-17 03:07 <DIR> d----c--- C:\Program Files\Java
2008-01-17 01:54 . 2008-01-18 12:46 <DIR> d----c--- C:\Documents and Settings\Kev\Application Data\BitTorrent
2008-01-17 01:21 . 2008-01-17 01:21 <DIR> d----c--- C:\Program Files\Glary Utilities
2008-01-17 00:26 . 2008-01-17 00:26 <DIR> d----c--- C:\Program Files\PDFCreator Toolbar
2008-01-17 00:26 . 2008-01-17 00:26 253,116 --a--c--- C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_6796.exe
2008-01-17 00:25 . 2008-01-17 00:27 <DIR> d----c--- C:\Program Files\PDFCreator
2008-01-16 22:47 . 2008-01-16 22:47 <DIR> d----c--- C:\Program Files\RedFox
2008-01-15 18:28 . 2008-01-15 18:29 <DIR> d----c--- C:\WINDOWS\system32\NtmsData
2008-01-15 00:34 . 2008-01-15 00:34 <DIR> d----c--- C:\Program Files\Common Files\Java
2008-01-14 15:56 . 2008-01-19 22:17 <DIR> d----c--- C:\Program Files\ieSpell
2008-01-13 22:47 . 2005-10-15 12:32 196,608 --a------ C:\WINDOWS\system32\pdfcmnnt.dll
2008-01-13 22:47 . 1998-06-24 00:00 137,000 --a--c--- C:\WINDOWS\system32\MSMAPI32.OCX
2008-01-13 22:47 . 1998-07-06 00:00 23,552 --a--c--- C:\WINDOWS\system32\MSMPIDE.DLL
2008-01-13 20:58 . 2008-01-16 22:46 <DIR> d----c--- C:\Program Files\doPDF5
2008-01-13 20:58 . 2007-12-20 11:57 21,656 --a------ C:\WINDOWS\system32\dopdfmn5.dll
2008-01-13 20:58 . 2007-12-20 11:57 17,560 --a--c--- C:\WINDOWS\system32\dopdfmi5.dll
2008-01-13 20:58 . 2007-11-20 11:15 5,269 --a--c--- C:\WINDOWS\system32\dopdf5.ctm
2008-01-13 19:25 . 2008-01-16 22:46 <DIR> d----c--- C:\Program Files\IEPro
2008-01-13 17:40 . 2004-01-10 20:56 122,880 --a--c--- C:\WINDOWS\system32\pdfmont.dll
2008-01-13 16:45 . 2008-01-13 16:45 246,788 --a--c--- C:\WINDOWS\system32\SSPDFD
2008-01-13 12:32 . 2006-10-05 02:42 2,560 --a--c--- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-13 12:32 . 2006-10-05 02:42 2,432 --a--c--- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-13 12:31 . 2008-01-16 22:46 <DIR> d----c--- C:\Program Files\Picasa2
2008-01-13 08:44 . 2008-01-13 08:44 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-13 03:52 . 2008-01-16 22:47 <DIR> d----c--- C:\Program Files\PC Magazine Utilities
2008-01-13 03:37 . 2008-01-13 09:36 <DIR> d----c--- C:\WINDOWS\cache
2008-01-13 03:37 . 2008-01-14 03:31 <DIR> d----c--- C:\Program Files\Yahoo!
2008-01-13 02:12 . 2008-01-13 02:12 9,632 --a--c--- C:\Documents and Settings\Kev\Application Data\GDIPFONTCACHEV1.DAT
2008-01-13 00:40 . 2008-01-15 13:54 <DIR> dr---c--- C:\Program Files\CookiesManagerE
2008-01-12 21:57 . 2003-06-25 16:05 266,360 --a--c--- C:\WINDOWS\system32\TweakUI.exe
2008-01-12 20:14 . 2004-08-12 14:10 221,184 --a--c--- C:\WINDOWS\system32\wmpns.dll
2008-01-12 17:35 . 2005-06-28 10:21 22,752 --a--c--- C:\WINDOWS\system32\spupdsvc.exe
2008-01-12 15:04 . 2008-01-13 21:43 376 --a--c--- C:\WINDOWS\ODBC.INI
2008-01-12 15:03 . 2008-01-16 22:47 <DIR> d----c--- C:\Program Files\Microsoft ActiveSync
2008-01-12 13:55 . 2008-01-16 22:46 <DIR> d----c--- C:\Program Files\TalkTalk
2008-01-12 00:22 . 2008-01-12 00:22 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-01-11 17:28 . 2008-01-11 17:28 <DIR> d----c--- C:\Documents and Settings\Kev\Application Data\Talkback
2008-01-11 15:36 . 2008-01-11 15:36 <DIR> d----c--- C:\Documents and Settings\Kev\Application Data\McAfee
2008-01-11 15:28 . 2008-01-13 18:45 <DIR> d----c--- C:\Documents and Settings\Kev\Application Data\IEPro
2008-01-11 12:57 . 2008-01-11 12:57 <DIR> d----c--- C:\Documents and Settings\Kev\Application Data\ieSpell
2008-01-11 10:27 . 2008-01-11 10:27 <DIR> d----c--- C:\Documents and Settings\Kev\Application Data\GlarySoft
2008-01-11 09:59 . 2008-01-11 14:09 7,168 --ahsc--- C:\WINDOWS\Thumbs.db
2008-01-11 03:46 . 2008-01-11 16:20 <DIR> d----c--- C:\WINDOWS\ShellNew
2008-01-11 02:24 . 2008-01-18 17:40 <DIR> d----c--- C:\WINDOWS\system32\URTTemp
2008-01-11 00:15 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-11 00:15 . 2007-07-01 03:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-10 22:06 . 2008-01-12 20:21 <DIR> d--h-c--- C:\WINDOWS\$hf_mig$
2008-01-10 20:59 . 2007-07-30 19:19 43,352 --a--c--- C:\WINDOWS\system32\wups2.dll
2008-01-10 20:59 . 2007-07-30 19:18 34,136 --a--c--- C:\WINDOWS\system32\wucltui.dll.mui
2008-01-10 20:59 . 2007-07-30 19:19 25,944 --a--c--- C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-10 20:59 . 2007-07-30 19:19 25,944 --a--c--- C:\WINDOWS\system32\wuapi.dll.mui
2008-01-10 20:59 . 2007-07-30 19:18 20,312 --a--c--- C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-10 20:48 . 2008-01-10 20:48 <DIR> d--hsc--- C:\Documents and Settings\Kev\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-19 12:47 12,632 -c--a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-16 22:47 --------- dc----w C:\Program Files\microsoft frontpage
2008-01-10 17:22 408,064 -c--a-r C:\WINDOWS\system32\drivers\CPTWGU.sys
2008-01-10 17:22 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-01-10 17:14 --------- dc-h--w C:\Program Files\Uninstall Information
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [ ]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-01-19 18:39 582992]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk - C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe [2006-06-09 16:57:50 466944]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 2005-09-18 02:32 5376 C:\WINDOWS\system32\antiwpa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyaaw]
cbxyaaw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-disabled]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
S3 CPTWGU(TalkTalk);TalkTalk SNU5630NS/05 Wireless USB Adapter(TalkTalk);C:\WINDOWS\system32\DRIVERS\CPTW GU.sys [2008-01-10 17:22]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-12 14:06]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-12 14:06]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-12 14:06]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-12 14:06]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 01:00:00 C:\WINDOWS\Tasks\A2E24FAE9149C84A.job"
- c:\docume~1\kev\applic~1\shimdale\GlueNounFree.exe
"2008-01-18 15:46:27 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-18 15:46:26 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
************************************************** ************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 01:20:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
Completion time: 2008-01-20 1:21:36
ComboFix-quarantined-files.txt 2008-01-20 01:21:18
.
2008-01-19 09:49:45 --- E O F ---

It is actually VERY common. While I am looking over the log go HERE to see the tutorial on how to install the Recovery Console.

I am concerned over this entry C:\WINDOWS\system32\antiwpa.dll <<Do you know what it is?

No I don't, it's an old computer given to me recently by someone I used to work with. Memory is only 20GB total, shows how old it is ! Used by his son, I've cleared a load of crap out over the last few weeks but can't get round this.

You have a virus that is very new. It takes legit .exe files and modifies them. We will do this process but sometimes it takes multiple passes to get them all.



Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.

• Click Start , then Run
• Type notepad.exe in the Run Box.

2. Copy the quoted text below by highlighting all the text and pressing Ctrl+C

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

----------

Run a new Hijackthis scan and post the log.

----------

Next post
Combofix log
New Hijackthis log