Hi,
Log looks clean :) Good to hear that the PC is working fine. By the way, please download and install the latest Java Runtime from here --> http://www.java.com/en/download/manual.jsp . Older Java Runtime had some exploits which were used by malware to infect the PC.
swatkat 14 Practically a Master Poster
Hi,
Log's looking good. There's one more thing to remove now! Reboot in Safe Mode:-
Restart (or switch ON) the PC. Then, keep tapping the F8 Key. From the menu that is displayed, choose Safe Mode and press the Enter key.
Run HijackThis and click Do only a System scan. Then put a check mark in front of the below listed entries:-
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\rtreubqn.dll",setvm
Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.
Make Windows to show all files:-
Go to Start > My Computer. Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.
Exit from HijackThis. Delete this file:-
C:\WINDOWS\system32\rtreubqn.dll
Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.
Reboot to Normal Mode. Rename HijackThis executable to something else (like Xyz.exe) and run it. Click Do a System scan and save log, and post the fresh log.
swatkat 14 Practically a Master Poster
Hi,
Please download VirtumundoBeGone.exe:
1. Save it to your Desktop.
2. Locate and double-click VirtumundoBeGone.exe to run it.
3. Follow the instructions. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.
4. When finished it will create a log named vbg.txt on your desktop.
5. Reboot your PC.
Run HijackThis and click Do only a System scan. Then put a check mark in front of the below listed entries:-
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: (no name) - {232200B3-9D33-4908-8862-BD3DD8F8804B} - C:\WINDOWS\system32\jkkkk.dll (file missing)
O2 - BHO: (no name) - {483CC496-D041-4545-8D9E-2D64294F97B2} - C:\WINDOWS\system32\efcabxx.dll
O2 - BHO: (no name) - {60630D22-A84A-4B1F-8524-4C2E45B38C2F} - C:\WINDOWS\system32\rqopp.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\estqkduh.dll (file missing)
O2 - BHO: (no name) - {899AD04A-C96E-4378-BFE6-2B2B158DD643} - C:\WINDOWS\system32\ljhhi.dll (file missing)
O2 - BHO: (no name) - {C7F0B604-357D-45F6-A9B1-9D47FCC161AF} - C:\WINDOWS\system32\rqopp.dll (file missing)
O2 - BHO: XBTBPos00 Class - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - (no file)
O20 - Winlogon Notify: efcabxx - C:\WINDOWS\SYSTEM32\efcabxx.dll
O20 - Winlogon Notify: winfja32 - winfja32.dll (file missing)
Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.
Please also download catchme.exe to your desktop from the following link:
CATCHME
- Double click the catchme.exe to run it
- Open catchme.log to see results and post its contents in a reply along with vbg.txt and a fresh …
swatkat 14 Practically a Master Poster
Hi,
It's the nasty Vundo adware! We will now remove it for good! Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES.
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will shutdown your computer, click OK.
- Turn your computer back on.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
swatkat 14 Practically a Master Poster
Hi,
There is still some malware that needs to be cleaned! Download and install AVG Anti-Spyware v7.5
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to AVG Anti-Spyware which has a special "clean driver" for removing persistent malware.)
- After download, double click on the file to launch the install process.
- Choose a language, click "OK" and then click "Next".
- Read the "License Agreement" and click "I Agree".
- Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
- After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
- The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them.
- Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
- Go to Start > Run and type: services.msc
- Press "OK".
- Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
- When you find the guard service, double-click on it.
- In the Properties Window > General Tab that opens, click the "Stop" button.
- From the drop-down menu next to "Startup Type", click on "Manual".
- Now click "Apply", then "OK" and close the Services window.
- Connect to the Internet, go back to AVG Anti-Spyware, …
swatkat 14 Practically a Master Poster
Hi,
Download KillBox, extract it to your desktop.
Open Killbox.exe. Check the following box:-
Delete on Reboot
Highlight/select all the filenames given in the quote box below and then Copy them:
C:\WINDOWS\system32\hfttkyed.dll
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\winfja32.dll
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\aqfcqnaq.exe
C:\WINDOWS\system32\shjkaecg.dll
C:\Documents and Settings\Kyle Zhang\Local Settings\Temporary Internet Files\Content.IE5\EUMAZSZ5\Search[1].htm
C:\Documents and Settings\Lawrence Zhang\Local Settings\Temporary Internet Files\Content.IE5\ADAPU5GN\50982_spoent-lb120x320[1].swf
C:\Documents and Settings\Lawrence Zhang\Local Settings\Temporary Internet Files\Content.IE5\WHY38TU3\65654_120x120_newny[1].swf
C:\Documents and Settings\Lawrence Zhang\Local Settings\Temporary Internet Files\Content.IE5\WHY38TU3\ah[1].js
C:\Documents and Settings\Lawrence Zhang\Local Settings\Temporary Internet Files\Content.IE5\ZQQBBUH0\roll[1].swf
Then in Killbox click "File Menu" > "Paste from Clipboard". At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.
Then click the Red X button and for the confirmation message that will appear, you will need to click "Yes". A second message will ask to Reboot now? You will need to click "Yes" to allow the reboot.
Note: Killbox will let you know if a file does not exist.
[If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.]
…
swatkat 14 Practically a Master Poster
Hi,
Download CCleaner and install it. Do not run it now!
Make Windows to show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options (Folder Option will be in View Menu in Win98).
Uncheck Hide protected operating system files.
Then, click to select the option Show hidden files and folders.
Click Apply and then click OK to exit.
Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that is displayed, choose Safe Mode and press Enter.
Run HijackThis and click Do only a System scan. Then put a check mark in front of the below listed entries:-
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\myabaotc.dll",setvm
O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
Close all other open …
swatkat 14 Practically a Master Poster
Hi,
Sorry for my late reply. I recently shifted to a new city, and it took some time to get the Internet connection.
Please run HijackThis and click "Open Misc Tools Section". Next, click "Open Uninstall Manager". Here, click the "Save List" button and the file will be saved under the name uninstall_list.txt. Please open this file, copy its contents and post it here.
Are you using a firewall? If not, then download and install the free ZoneAlarm firewall.
Can you post back what things are detected SpyBot S&D?
swatkat 14 Practically a Master Poster
Hi,
Kaspersky log looks clean, except these malware files in the System Restore folders. These are the backups of the files taken by the Windows System Restore feature. These files do not pose any threat in their current state, but if the system is restored to a previous state these files are restored back to their original location.
C:\System Volume Information\_restore{947FDCFA-B5F8-4611-A7D5-74ABEED1086F}\RP4\A0000165.exe Infected: Trojan-Downloader.Win32.PurityScan.bj skipped
C:\System Volume Information\_restore{947FDCFA-B5F8-4611-A7D5-74ABEED1086F}\RP4\A0000480.exe Infected: Trojan.Win32.Zapchast.bl skipped
C:\System Volume Information\_restore{947FDCFA-B5F8-4611-A7D5-74ABEED1086F}\RP5\A0001542.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{947FDCFA-B5F8-4611-A7D5-74ABEED1086F}\RP6\A0002689.exe/stream Infected: Trojan-Downloader.NSIS.Agent.u skipped
If you are not getting any popups and if the system is running fine, you can delete the System Restore Points. Disabling and enabling the System Restore feature will delete the Restore Points. This page shows how to do it.
Can you please post back some of the file and folder names of MS Office? Did you install it (or remove it) previously?
You can remove the stray Registry entries and broken shortcuts of applications like Office using CCleaner. Run CCleaner and click "Issues" button in the left pane. Then click "Scan for Issues" button. If it finds any stray Registry entries, it will list them. Now, click "Fix Selected Issues". It prompts to backup the entries that are being removed, here click "Yes" and click "Save" when it displays the file saving dialog box. Finally, click "Fix All Selected Issues" to remove the stray entries.
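The reply above separates detections that sit inside System Restore backups (harmless until a restore point is rolled back) from detections elsewhere on the disk. The following Python script is an added example, not part of the original post or of Kaspersky's tools: it parses the `path Infected: name status` line shape shown in the quoted log and sorts the hits into those two groups. The sample lines are the four quoted above plus one constructed detection outside the restore store, so both branches are exercised.

```python
import re

# Constructed sample: the four System Restore hits quoted in the reply above plus
# one made-up detection outside the restore folders, so both branches are exercised.
SAMPLE_LOG = """\
C:\\System Volume Information\\_restore{947FDCFA-B5F8-4611-A7D5-74ABEED1086F}\\RP4\\A0000165.exe Infected: Trojan-Downloader.Win32.PurityScan.bj skipped
C:\\System Volume Information\\_restore{947FDCFA-B5F8-4611-A7D5-74ABEED1086F}\\RP4\\A0000480.exe Infected: Trojan.Win32.Zapchast.bl skipped
C:\\System Volume Information\\_restore{947FDCFA-B5F8-4611-A7D5-74ABEED1086F}\\RP5\\A0001542.exe Infected: Trojan.Win32.Scapur.k skipped
C:\\System Volume Information\\_restore{947FDCFA-B5F8-4611-A7D5-74ABEED1086F}\\RP6\\A0002689.exe/stream Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\\Documents and Settings\\User\\Local Settings\\Temp\\sample.exe Infected: Example.Constructed.a skipped
"""

# One detection per line: <path> Infected: <detection name> <status>
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<status>\w+)\s*$")
# Restore-point backups live under \System Volume Information\_restore{GUID}\RPn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.I)


def parse_detection(line):
    """Parse one detection line into a dict; return None for any other line."""
    m = DETECTION_RE.match(line)
    if not m:
        return None
    # A '/' never occurs in a Windows path, so anything after it names an
    # embedded object (an NSIS stream, an archive member) inside the container file.
    container, _, member = m.group("path").partition("/")
    rp = RESTORE_RE.search(container)
    return {
        "container": container,
        "member": member or None,
        "name": m.group("name"),
        "status": m.group("status"),
        "restore_point": rp.group(1) if rp else None,
    }


def classify(log_text):
    """Split detections into restore-point backups and files outside the restore store."""
    buckets = {"restore_points": [], "live": []}
    for line in log_text.splitlines():
        det = parse_detection(line)
        if det is None:
            continue
        buckets["restore_points" if det["restore_point"] else "live"].append(det)
    return buckets


def restore_point_ids(detections):
    """Distinct restore points holding infected backups, ordered numerically."""
    ids = {d["restore_point"] for d in detections if d["restore_point"]}
    return sorted(ids, key=lambda s: int(s[2:]))


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    print("Infected restore points:", ", ".join(restore_point_ids(result["restore_points"])))
    for det in result["live"]:
        print("Needs action now:", det["container"], "->", det["name"])
```

Anything in the "live" bucket needs cleaning before the restore points are touched; the restore-point list tells you which RPn folders will disappear when System Restore is flushed, so nothing of value is lost by surprise.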
swatkat 14 Practically a Master Poster
Hi,
Open a new file in NotePad and copy the contents of the below "Quote" box to NotePad:-
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"WinUpdate.exe"=-
Now, in NotePad, go to File Menu > Save AS and type the filename as Fix.REG and save the file. Close NotePad.
Double-click on Fix.REG file and click "Yes" to merge the file to Registry.
Also, download SpywareBlaster and install it. Next, run it and enable all the protection. After this, close the SpywareBlaster.
Perform an online virus scan at Kaspersky Online Scanner (Click the "Kaspersky Online Scanner" button). Save the log it gives after the scan and please post back the same.
Did you reinstall the HP software or try the Windows Installer Cleanup Utility?
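The Fix.REG file above relies on a detail of the .reg format: a value line ending in `=-` tells regedit to delete that value, while `[-KEY]` deletes a whole key. The Python parser below is an added example (not part of the post and not a Microsoft tool) that reads the version 5.00 format and lists each operation a file would perform before anyone double-clicks it. The sample text is the quoted fix plus two constructed lines (a value being set and a key being deleted) so all three shapes appear.

```python
import re

# Constructed sample: the fix file quoted above plus two more line shapes a .reg
# file can contain (a value being set and a key being deleted).
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run]
"WinUpdate.exe"=-

[HKEY_CURRENT_USER\\Software\\Example\\Settings]
"Enabled"=dword:00000001

[-HKEY_CURRENT_USER\\Software\\Example\\Stale]
"""

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                      # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data


def parse_reg(text):
    """Return the operations a .reg file performs as (action, key, value_name, data) tuples.

    action is one of 'delete_key', 'delete_value' or 'set_value'.  Raises ValueError
    on a missing header or a line that is neither a key, a value nor a comment.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a version 5.00 .reg file")
    ops = []
    key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":
                ops.append(("delete_key", key, None, None))
                key = None  # values cannot follow a key deletion
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(2) else m.group(1)
            data = m.group(3)
            if data == "-":
                ops.append(("delete_value", key, name, None))
            else:
                ops.append(("set_value", key, name, data))
            continue
        raise ValueError("unparsed line: %r" % raw)
    return ops


if __name__ == "__main__":
    for action, key, name, data in parse_reg(SAMPLE_REG):
        print(action, key, name if name else "", data if data else "")
```

Reviewing the operation list before merging is the habit worth keeping: a .reg file pasted from a forum can just as easily add a Run entry as remove one, and the parser shows exactly which it does.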
swatkat 14 Practically a Master Poster
Hi,
Do you have HP Director/Digital Imaging Monitor/PhotoSmart software installed in the PC? TrayApp and Fax are related to any of these HP hardware/software. If you have the CD, then please insert the CD and restart the system. The installer will automatically reinstall the corrupt software. Actually, this HP software seems to have some incompatibility issues with some Registry cleaners (like System Mechanic). Probably these Registry cleaners remove the Registry entry of the HP software, and hence the installer "thinks" that the software is removed/corrupted.
If you don't have the HP software in your PC, then please download Windows Installer CleanUp Utility and install it. When you run the program, it will show a list of software installed using the Windows Installer program. Here, if you find the "TrayApp", "Fax" or "Unload", select it and click "Remove". It removes the Installer configuration files of the specified software.
I will analyze the SilentRunners log and post the reply. By the way, which software picks up the Downloader.NSIS.Agent.U? And, where are these infected files located?
swatkat 14 Practically a Master Poster
Hi,
Sorry, it took me a long time to reply. I wasn't able to come online yesterday. By the way, the log looks clean :) Is the PC running fine?
swatkat 14 Practically a Master Poster
Hi,
Download CCleaner and install it. Do not run it now!
Make Windows to show all files:-
Go to Start > My Computer. Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.
Reboot in Safe Mode:-
Restart (or switch ON) the PC. Then, keep tapping the F8 Key. From the menu that is displayed, choose Safe Mode and press Enter.
Uninstall this Software from Add/Remove Programs in Control Panel, if found:-
Need2Find
WurldMedia
GAIN
Gator
Altnet
RXToolBar
Run HijackThis and click Do only a System scan. Then put a check mark in front of the below listed entries:-
O2 - BHO: TChkBHO Class - {34D06734-3CFF-43CD-B10A-465E8C184CFE} - C:\WINDOWS\system32\wqdla.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\RunOnce: [Need2FindBar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.
Exit from HijackThis. Delete these files:-
C:\WINDOWS\system32\moconfig.exe (do NOT delete the legitimate file msconfig.exe!)
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll
C:\Program Files\Uninstall Need2Find Bar.dll
C:\Program …
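Several replies in this thread pick out the same kinds of HijackThis lines for removal: O2 BHOs with "(no name)" or a missing file, O3/O9 entries whose file is gone, O4 Run entries where rundll32.exe loads a DLL from system32, an F2 UserInit value that chains a second program after userinit.exe, and O20 Winlogon Notify DLLs. The Python script below is an added example, not part of the posts and not a HijackThis feature: it parses that log shape and applies those same rules so the entries worth a closer look are listed with a reason. The sample lines are copied from the posts above, plus one constructed benign Run entry (ctfmon.exe) to show that a normal O4 line is left alone.

```python
import re

# Sample lines copied from the HijackThis entries quoted in this thread, plus one
# constructed benign Run entry (ctfmon.exe) to show that not every O4 line is flagged.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {232200B3-9D33-4908-8862-BD3DD8F8804B} - C:\\WINDOWS\\system32\\jkkkk.dll (file missing)
O2 - BHO: (no name) - {483CC496-D041-4545-8D9E-2D64294F97B2} - C:\\WINDOWS\\system32\\efcabxx.dll
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O4 - HKLM\\..\\Run: [PrintDrive] rundll32.exe "C:\\WINDOWS\\system32\\rtreubqn.dll",setvm
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,
O20 - Winlogon Notify: efcabxx - C:\\WINDOWS\\SYSTEM32\\efcabxx.dll
O20 - Winlogon Notify: winfja32 - winfja32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d*) - (.*)$")          # "O4 - ..." -> section code + body
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
STOCK_USERINIT = "userinit.exe"


def parse_entry(line):
    """Split one HijackThis line into (section code, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return one finding dict per reason per suspicious entry; clean lines yield nothing."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if not parsed:
            continue
        code, body = parsed
        reasons = []
        # Dangling entries: the registration survives but its file is gone.
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("dangling entry, file no longer exists")
        # A BHO that registered no display name is unusual for legitimate software.
        if code == "O2" and "(no name)" in body:
            reasons.append("unnamed BHO loaded into every Internet Explorer process")
        # rundll32 used as a loader: the DLL and its export name deserve a look.
        m = RUNDLL_RE.search(body)
        if m:
            reasons.append("rundll32 loads %s (export %s)" % (m.group(1), m.group(2)))
        # UserInit should launch only userinit.exe; anything else runs at every logon.
        if code == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            extra = [p for p in value.split(",") if p and not p.lower().endswith(STOCK_USERINIT)]
            if extra:
                reasons.append("UserInit chains extra program(s): " + ", ".join(extra))
        # Winlogon Notify handlers are loaded into winlogon.exe at logon.
        if code == "O20" and "Winlogon Notify" in body:
            reasons.append("Winlogon Notify handler DLL, loaded at every logon")
        for reason in reasons:
            findings.append({"section": code, "line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %s" % (f["section"], f["reason"]))
        print("     " + f["line"])
```

The rules are deliberately narrow: the script points at lines a helper would inspect, it does not decide what to fix, and a flagged line still has to be checked against what the file actually is before it goes into the "Fix checked" list.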
swatkat 14 Practically a Master Poster
Hi,
Look2Me's gone! Log looks clean :D Please post back if you still get any popups or have any problems with the PC.
swatkat 14 Practically a Master Poster
Hi,
Ok, most of the "bad" files are gone. Please download L2M9XFix and extract it to a folder. Now, inside this extracted folder, there will be a file named RunThis.bat. Double-click on this file. A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.
Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.
swatkat 14 Practically a Master Poster
Hi,
Those files are still there! Now, we have to remove them manually! Open a new file in NotePad and copy the contents of the below "Quote" box to NotePad:-
cd\
cd WINDOWS
cd SYSTEM
attrib -s -r -h MKJET35.DLL
del MKJET35.DLL
attrib -s -r -h SOUB32.DLL
del SOUB32.DLL
attrib -s -r -h MBEXCH40.DLL
del MBEXCH40.DLL
attrib -s -r -h AYIPITA.DLL
del AYIPITA.DLL
attrib -s -r -h OUEDLG.DLL
del OUEDLG.DLL
attrib -s -r -h PGNMAP.DLL
del PGNMAP.DLL
attrib -s -r -h SMLFX.DLL
del SMLFX.DLL
attrib -s -r -h MPCMS.DLL
del MPCMS.DLL
attrib -s -r -h RAANP.DLL
del RAANP.DLL
attrib -s -r -h IUROP.DLL
del IUROP.DLL
attrib -s -r -h IKNPSTUB.DLL
del IKNPSTUB.DLL
attrib -s -r -h JYEG1X32.DLL
del JYEG1X32.DLL
attrib -s -r -h CDGMGR32.DLL
del CDGMGR32.DLL
attrib -s -r -h EOAPI162.DLL
del EOAPI162.DLL
attrib -s -r -h IZ50_QCX.DLL
del IZ50_QCX.DLL
attrib -s -r -h JNBEXEC.DLL
del JNBEXEC.DLL
attrib -s -r -h 58ba5roi.ini
del 58ba5roi.ini
attrib -s -r -h ecs0f2l3.ini
del ecs0f2l3.ini
attrib -s -r -h ne372aqv.ini
del ne372aqv.ini
attrib -s -r -h CZL3D32.DLL
del CZL3D32.DLL
attrib -s -r -h btackbox.dll
del btackbox.dll
attrib -s -r -h EYUSBIN.DLL
del EYUSBIN.DLL
attrib -s -r -h prwave.dll
del prwave.dll
attrib -s -r -h …
swatkat 14 Practically a Master Poster
Hi,
The Look2Me DLLs are still there. Please download Kill2Me and extract it to a folder. Next run Kill2Me.exe and follow the onscreen prompts.
After this, download VX2Finder9X and run it. Next click the "Click to Find VX2.BetterInternet" button. VX2Finder9X will scan the system and if it finds any bad files, it will list them. If it finds any file, copy the list and please post back here.
Also, run CCleaner and click "Run Cleaner" button to delete all the temp files. After you delete the temp files, run WinPFind and please post a new log.
swatkat 14 Practically a Master Poster
Download KillBox, extract it to your desktop.
Run KillBox.exe and check the following box:-
Delete on Reboot
Highlight all the entries in the quote box below and then Copy them.
C:\WINDOWS\SYSTEM\MKJET35.DLL
C:\WINDOWS\SYSTEM\SOUB32.DLL
C:\WINDOWS\SYSTEM\MBEXCH40.DLL
C:\WINDOWS\SYSTEM\AYIPITA.DLL
C:\WINDOWS\SYSTEM\OUEDLG.DLL
C:\WINDOWS\SYSTEM\PGNMAP.DLL
C:\WINDOWS\SYSTEM\SMLFX.DLL
C:\WINDOWS\SYSTEM\MPCMS.DLL
C:\WINDOWS\SYSTEM\RAANP.DLL
C:\WINDOWS\SYSTEM\IUROP.DLL
C:\WINDOWS\SYSTEM\IKNPSTUB.DLL
C:\WINDOWS\SYSTEM\JYEG1X32.DLL
C:\WINDOWS\SYSTEM\CDGMGR32.DLL
C:\WINDOWS\SYSTEM\EOAPI162.DLL
C:\WINDOWS\SYSTEM\IZ50_QCX.DLL
C:\WINDOWS\SYSTEM\JNBEXEC.DLL
C:\WINDOWS\SYSTEM\58ba5roi.ini
C:\WINDOWS\SYSTEM\ecs0f2l3.ini
C:\WINDOWS\SYSTEM\ne372aqv.ini
C:\WINDOWS\SYSTEM\CZL3D32.DLL
C:\WINDOWS\SYSTEM\btackbox.dll
C:\WINDOWS\SYSTEM\EYUSBIN.DLL
C:\WINDOWS\SYSTEM\prwave.dll
C:\WINDOWS\SYSTEM\whspdmoe.dll
C:\WINDOWS\SYSTEM\jzsh400.dll
C:\WINDOWS\SYSTEM\jfdw400.dll
C:\WINDOWS\SYSTEM\phwave.dll
C:\WINDOWS\SYSTEM\wfspdmoe.dll
C:\WINDOWS\SYSTEM\pygfilt.dll
C:\WINDOWS\SYSTEM\RAR20.DLL
C:\WINDOWS\SYSTEM\CFPMAN.DLL
C:\WINDOWS\SYSTEM\SZSCLASS.DLL
C:\WINDOWS\SYSTEM\FW20.DLL
C:\WINDOWS\SYSTEM\pidrv.dll
C:\WINDOWS\SYSTEM\MTCPXL32.DLL
C:\WINDOWS\SYSTEM\MNCDevice.dll
C:\WINDOWS\SYSTEM\SOUDF.DLL
C:\WINDOWS\SYSTEM\wtpui.dll
C:\WINDOWS\SYSTEM\mnoeacct.dll
C:\WINDOWS\SYSTEM\CEYPTNET.DLL
C:\WINDOWS\SYSTEM\SONCUI.DLL
C:\WINDOWS\SYSTEM\DOUSIC32.DLL
C:\WINDOWS\SYSTEM\wdpshell.dll
C:\WINDOWS\SYSTEM\OPEDLG.DLL
C:\WINDOWS\SYSTEM\DZ32GT.DLL
C:\WINDOWS\SYSTEM\FIWPP.DLL
C:\WINDOWS\SYSTEM\JNBEXEC.DLL
C:\WINDOWS\SYSTEM\mqihnd.dll
C:\WINDOWS\SYSTEM\QRARTZ.DLL
C:\WINDOWS\SYSTEM\pwdrv.dll
Then in Killbox click File > Paste from Clipboard. At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.
Then click the Red X button and for the confirmation message that will appear, you will need to click "Yes". A second message will ask to Reboot now? You will need to click "Yes" to allow the reboot.
Note: When you choose "Paste From Clipboard", KillBox will show all the file names inside the "Full Path of the file to delete" text box, and the titlebar of KillBox will show the number of files. Killbox will let you know if a file does not exist.
…
swatkat 14 Practically a Master Poster
Hi,
Please download F-Secure Blacklight (blbeta.exe) and save to your C:\ drive.
1. Open a command window by going to Start > Run and typing: cmd
2. Copy/paste or type the following in the command window:
C:\blbeta.exe /expert
3. Hit "Enter" to start the program and then close the cmd box.
4. Accept the user agreement and click "Next".
5. Click "Scan".
6. After the scan is complete, click "Next", then "Exit". BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
7. The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
8. Exit Blacklight and post the contents of the log in your next reply.
Note: If you download Blacklight to your desktop, just double-click to run from there and it will create the "fsbl-xxxxxxx.log" on your desktop.
===========================================
Next, download Silent Runners.zip. Extract it to your desktop. Double click on silentrunners.vbs. Let the tool complete its work. Silent Runners will create a log in the same folder where it's located and it is named like Startup Programs *****.txt, where the ***** part indicates the computer name and date of the scan. Post the contents of this Startup Programs*****.txt file along with the BlackLight log.
Note: If you …
swatkat 14 Practically a Master Poster
Hi,
Glad to hear it! SpySweeper has found some really tough baddies! Have you downloaded the Hosts file and placed it in the required folder? Please post back if you get any popups.
swatkat 14 Practically a Master Poster
Hi,
Please download the 2-week trial version of WebRoot SpySweeper from HERE.
Alternate download site.
Alternate download site.
Alternate download site.
- Click on Free Spy Scan.
- On the next page, click on Start Scan Now
- Save the Setup file to your Desktop>click OK.
- Double-click on the file that you saved. (If you receive alerts from your firewall, allow all activities for Spy Sweeper)
- You will be prompted to check for updated definitions, please do so.
- Click on "Options" > "Sweep Options" and check "Sweep all Folders on Selected drives".
- Check "Local Disc C" and under "What to Sweep", check every box.
- Click on "Sweep" and allow it to fully scan your system.
- When the sweep has finished, click "Remove" to remove any items found.
- Exit SpySweeper and reboot your computer.
NOTE: After SpySweeper has finished and removed any items found, it is important that you exit and reboot your computer right away to ensure the infection is fully removed.
After this scan, please post a new WinPFind log.
swatkat 14 Practically a Master Poster
Hi,
Let's remove the files manually. Please post a new WinPFind log.
swatkat 14 Practically a Master Poster
Hi jd51edwin,
WinPFind log looks clean. Can you run a full system scan of Webroot SpySweeper in Safe Mode? And, please download CCleaner and install it. While you are in Safe Mode, run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.
Hi angelopc,
Thanks for the input! Hope we will get rid of the "baddies"! By the way, turning off System Restore is not a good idea.
swatkat 14 Practically a Master Poster
Hi jd51edwin,
Do the popups look like the one shown in this page?
http://swatrant.blogspot.com/2005/08/messenger-spam.html
swatkat 14 Practically a Master Poster
Hi,
Welcome to Daniweb.
By the way, you can try the Nullsoft Install System to create the installer.
swatkat 14 Practically a Master Poster
Hi,
There are still some files to delete. Let's use Avenger.
Copy the below quoted text (which is a script for Avenger) into your clipboard by highlighting it and pressing CTRL C keys:-
Files to delete:
C:\WINNT\SYSTEM32\ktpml7711.dll.ren
C:\WINNT\SYSTEM32\MKIDENT.DLL
C:\WINNT\SYSTEM32\__delete_on_reboot__DEomExt.dll.ren
C:\Documents and Settings\jdumas\Application Data\Sskuknwrd.dll
- Now, run The Avenger program by double clicking its icon on your Desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
- Paste the text copied to clipboard into this window by pressing Ctrl V keys.
- Click Done.
- Now click on the Green Light to begin execution of the script.
- Answer "Yes" twice when prompted.
The Avenger will automatically do the following:-
- It will Restart your computer.
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
Please post a new WinPFind log along with the Avenger log.
swatkat 14 Practically a Master Poster
Hi,
Open NotePad and copy the contents of the below "Quote" box to it:-
cd %windir%
attrib -s -r -h ms05275121909.exe
del ms05275121909.exe
attrib -s -r -h visfx500.exe
del visfx500.exe
attrib -s -r -h pf78.exe
del pf78.exe
attrib -s -r -h pms111x.exe
del pms111x.exe
attrib -s -r -h SYSC00.exe
del SYSC00.exe
attrib -s -r -h uni_eh.exe
del uni_eh.exe
attrib -s -r -h unin101.exe
del unin101.exe
attrib -s -r -h sys02909275121.exe
del sys02909275121.exe
attrib -s -r -h sys011909275122006.exe
del sys011909275122006.exe
attrib -s -r -h sys09219092751.exe
del sys09219092751.exe
attrib -s -r -h drsmartload45a.exe
del drsmartload45a.exe
attrib -s -r -h drsmartload46a.exe
del drsmartload46a.exe
attrib -s -r -h drsmartload849a.exe
del drsmartload849a.exe
attrib -s -r -h sys01190927512.exe
del sys01190927512.exe
attrib -s -r -h ms049275121902006.exe
del ms049275121902006.exe
cd Desktop
cd "Program Files"
cd "General Programs"
attrib -s -r -h sysguardfull.exe
del sysguardfull.exe
cd %windir%
cd "Downloaded Program Files"
attrib -s -r -h YSBactivex.dll
del YSBactivex.dll
attrib -s -r -h istactivex.dll
del istactivex.dll
cd\
attrib -s -r -h defender24.exe
del defender24.exe
attrib -s -r -h keyboard24.exe
del keyboard24.exe
attrib -s -r -h newname24.exe
del newname24.exe
attrib -s -r -h Trelew.exe
del Trelew.exe
attrib -s -r -h SS1001.exe
del SS1001.exe
In NotePad, go to File …
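The batch scripts in this thread (the SYSTEM DLL list and the %windir% list above) walk the disk with a chain of `cd` commands and then run `attrib -s -r -h` followed by `del` on a bare file name. That shape is fragile: if one `cd` fails, every later `del` silently runs in the wrong folder, and a path containing spaces breaks without quotes. The Python generator below is an added example, not from the post and not a feature of any tool named here: given a list of full paths, it emits a batch file in which every command carries the full quoted path and an `if exist` guard so missing files are reported rather than ignored. The sample paths are taken from the lists above and the `DELETED`/`MISSING` markers are my own convention.

```python
import re

# Constructed input: a few of the paths quoted in this thread, including one with
# spaces (the Downloaded Program Files folder) that an unquoted del would mangle.
SAMPLE_PATHS = [
    r"C:\WINDOWS\visfx500.exe",
    r"C:\WINDOWS\drsmartload45a.exe",
    r"C:\WINDOWS\Downloaded Program Files\YSBactivex.dll",
    r"C:\Trelew.exe",
]

# Drive letter, one or more folder components, then a file name; no wildcards,
# no relative paths, no trailing backslash (so a directory can never be passed).
ABSOLUTE_FILE_RE = re.compile(r'^[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+$')


def validate_path(path):
    """Accept only an absolute, wildcard-free, drive-letter path to a single file."""
    if not ABSOLUTE_FILE_RE.match(path):
        raise ValueError("not an absolute single-file path: %r" % path)
    return path


def build_cleanup_batch(paths):
    """Emit a cmd.exe batch that clears attributes and deletes each listed file.

    Every command carries the full quoted path, so a failed 'cd' cannot redirect
    later deletions, and 'if exist' records files that were already gone instead
    of letting 'del' print an error that scrolls past.
    """
    lines = ["@echo off"]
    for p in map(validate_path, paths):
        q = '"%s"' % p
        lines.append(
            "if exist %s (attrib -s -r -h %s & del %s & echo DELETED %s) else echo MISSING %s"
            % (q, q, q, q, q)
        )
    lines.append("echo Done.")
    return "\r\n".join(lines) + "\r\n"  # CRLF line endings for cmd.exe


if __name__ == "__main__":
    print(build_cleanup_batch(SAMPLE_PATHS), end="")
```

Redirecting the batch output to a text file (`fix.bat > fixlog.txt`) gives a record of which entries were deleted and which were already absent, which is the same information the KillBox "file does not exist" message provides one file at a time.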
swatkat 14 Practically a Master Poster
Hi,
Ok. Then it seems that everything's alright in this PC :)
swatkat 14 Practically a Master Poster
Hi,
Please post a new WinPFind log. Let's see what it shows.
swatkat 14 Practically a Master Poster
Hi,
Make Windows to show all files:-
Go to Start > My Computer. Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.
And, delete this file:-
C:\WINDOWS\system32\O.0
HijackThis log looks clean. Is the PC running fine?
swatkat 14 Practically a Master Poster
Hi,
Log looks clean :) Do you get any alerts from Windows Defender now?
swatkat 14 Practically a Master Poster
Hi,
Can you run BlackLight in this PC also?
swatkat 14 Practically a Master Poster
Hi,
Please download F-Secure Blacklight (blbeta.exe) and save to your C:\ drive.
1. Open a command window by going to Start > Run and typing: cmd
2. Copy/paste or type the following in the command window:
C:\blbeta.exe /expert
3. Hit "Enter" to start the program and then close the cmd box.
4. Accept the user agreement and click "Next".
5. Click "Scan".
6. After the scan is complete, click "Next", then "Exit". BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
7. The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
8. Exit Blacklight and post the contents of the log in your next reply.
Note: If you download Blacklight to your desktop, just double-click to run from there and it will create the "fsbl-xxxxxxx.log" on your desktop.
swatkat 14 Practically a Master Poster
Hi,
Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here.
swatkat 14 Practically a Master Poster
Hi,
Perform an online virus scan at Kaspersky Online Scanner (Click the "Kaspersky Online Scanner" button). Save the log it gives after the scan.
Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log.
swatkat 14 Practically a Master Poster
Hi,
No, Kaspersky Online Scan doesn't provide the removal facility. But, it's one of the best scanners out there.
Reboot in Safe Mode:-
Restart (or switch ON) the PC. Then, keep tapping the F8 Key. From the menu that is displayed, choose Safe Mode and press Enter.
Make Windows to show all files:-
Go to Start > My Computer. Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.
Delete these folders:-
C:\Documents and Settings\Kyles\Application Data\Flap Funk
Next, right-click on the "Recycle Bin" icon and click "Empty Recycle Bin" and then click "OK" to delete the contents of Recycle Bin. And, right-click on the "Recycle Bin" icon again, and click "Empty Norton Protected Files", if you have Norton AntiVirus installed in the PC.
Reboot the PC. Run HijackThis again and please post a fresh log.
swatkat 14 Practically a Master Poster
Hi,
Glad to hear that everything's alright now :D Actually, that "red circle with cross" in System Tray and the changed wallpaper are due to the Smitfraud/Spyfalcon family of malware. When you see any symptoms in future, the malware files should be removed first (using tools like SmitfraudFix). Most of the times, tools like SmitfraudFix are able to restore the Desktop background too.
But, if they fail then Smitfraud.reg can be used to restore the Registry settings related to Desktop background. But, Smitfraud.reg is only a Registry entry file, and is not a Smitfraud/Spyfalcon removal tool.
[Edit]
I think everything's ok now, shall I lock this thread?
swatkat 14 Practically a Master Poster
Hi,
WinUpdate.fld is related to an adware. Please delete it. And, Snowball Wars is also an adware/spyware, delete it too!
Reboot in Safe Mode:-
Restart (or switch ON) the PC. Then, keep tapping the F8 Key. From the menu that is displayed, choose Safe Mode and press Enter.
Uninstall this Software from Add/Remove Programs in Control Panel:-
Weather Bug or The Weather Channel
Delete this folder:-
C:\Program Files\Weather
Reboot to Normal Mode. Perform an online virus scan at Kaspersky Online Scanner (Click the "Kaspersky Online Scanner" button). Save the log it gives after the scan.
Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log.
swatkat 14 Practically a Master Poster
Hi,
Yes, Ad-Aware's Ad-Watch (and other similar monitoring programs) doesn't allow changes to Registry or browser settings. So, the entries removed in HijackThis tend to come back. Ad-Watch should be disabled while using HijackThis.
By the way, log looks clean :D To prevent the installations of browser based spyware/adware/toolbar, you can use SpywareBlaster. It's a run-once tool and is more like "immunization" than "removal" (don't forget to disable the Ad-Watch while installing and running SpywareBlaster).
swatkat 14 Practically a Master Poster
Hi,
Yes, Look2Me was interfering with other fixes. That's why Qoolfix wasn't working! Now, it's gone. Log looks clean :D
swatkat 14 Practically a Master Poster
Hi,
Glad to hear that popups are gone! But, you haven't posted the complete contents of the HijackThis log. There can be other things that need to be removed. So, please post a new HijackThis log.
But before running HijackThis, uninstall this software from Add/Remove Programs in Control Panel, if you find it:-
IPWins
Delete this folder:-
C:\Program Files\ipwins
After uninstalling and deleting the above mentioned folder, run HijackThis and please post a new log.
swatkat 14 Practically a Master Poster
Hi,
Please download Look2Me-Destroyer.exe to your desktop.
- Close all windows before continuing.
- Double-click "Look2Me-Destroyer.exe" to run it.
- Put a check next to "Run this program as a task."
- You will receive a message saying "Look2Me-Destroyer will close and re-open in approximately 1 minute". Click "OK"
- When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
- Once it's done scanning, click the "Remove L2M" button.
- You will receive a "Done Scanning" message, click "OK".
- When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer", click "OK".
- Your computer will then shutdown.
- Turn your computer back on.
- Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. The log can be found wherever the fix is located - if Look2Me-Destroyer is on the desktop that's where the log will be.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.
================================
Also, Please download the 2-week trial version of WebRoot SpySweeper from HERE.
Alternate download site.
Alternate download site.
Alternate download site.
- Click on Free Spy Scan.
- On the next page, click on Start Scan Now
- Save the Setup file to your Desktop>click OK.
- Double-click on the file that you saved. (If you receive alerts from your firewall, allow all activities for …
swatkat 14 Practically a Master Poster
Hi,
Yes, Look2Me's gone! Now, there's one last thing to remove: the Qoologic spyware. Actually, we should again use the BFU and Qoofix.bat tool that was used previously. This tool should remove Qoologic, but it failed to remove it when it was used last time, because Look2Me spyware deletes some Registry keys which are used by the BFU and Qoolfix.bat combo.
So, here are the steps to remove Qoologic. You may have these files already, but I will post this for your reference:-
Please download Brute Force Uninstaller to your desktop. (rightclick on this link and choose save as, if using IE save target as)
- Right click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to,
- Click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:\)" or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
- Download qoofix.bat (rightclick on this link and choose save as, if using IE save target as)
- Place qoofix.bat in your C:\BFU folder. (Important!)
- Doubleclick qooFix.bat, Close all browsers and explorer folders.
- Choose option 1 (Qoolfix autofix) and follow the prompts.
- Please be patient, it will take about five minutes.
- After the PC has restarted please post another HijackThis log.
swatkat 14 Practically a Master Poster
Hi,
System looks quite clean now. The files detected by Kaspersky are located inside the Norton's Quarantine folder, so they shouldn't pose any problem. You can delete the items in Quarantine using the options provided in the Norton AntiVirus interface.
Delete these two files (these are backups created by Avenger):-
C:\avenger\backup.zip
C:\avenger\backup_PC 060506.zip
Yes, it was a typo! I forgot to provide the actual name of the service there! Here's the correct version: go to Start > Run and type services.msc and press ENTER. Here, navigate to the service named Microsoft WMI Performance Adapter AddOn and right-click on it. Then click "Properties". Here, in the "Status" dialog box, select "Stop". Then, under "Startup type" dialog box, select "Disabled". Click "Apply" and then "OK".
Next, go to Start Menu > Control Panel. Here, double-click on the Internet Options icon, to open the Internet Options applet. Here, click the "Delete Files". Now, select the option "Delete all offline content" and click "OK". Next, click "Apply" and then "OK".
Run HijackThis and click Do only a System scan. Then put a check mark in front of below listed entries:-
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe (file missing)
Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.
Restart the PC, and …
swatkat 14 Practically a Master Poster
Hi,
I think it's better to do a Repair Install of Windows. Repair Install doesn't remove any old files, but it will search and replace deleted/corrupt system files. This page shows how to do it:-
http://helpdesk.its.uiowa.edu/windows/instructions/repairinstall.htm
(Please read above page before performing Windows Repair Install)
swatkat 14 Practically a Master Poster
Hi,
Download CCleaner and install it. Do not run it now!
Download and install Ewido Security Suite v3.5. After download, double click on the file to launch the install process. After installation, launch ewido by double-clicking the "e" icon on your desktop. The program will prompt you to update - click the "OK" button. On the left side of the main screen, click on "Update" and then click "Start Update". The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see "Update Successful" in the lower left corner.
If you are having problems with the updater, use this link to manually update. Exit Ewido when done - DO NOT perform a scan yet.
Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, choose Safe Mode and press Enter.
Run HijackThis and click Do only a System scan. Then put a check mark in front of below listed entries:-
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarCU/YSetSearch/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarLM/YSetSearch/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchUrl/YSetSearch/*http://www.yahoo.com
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gnrpjwn.exe
O2 - BHO: (no name) …
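The entries swatkat asks to have fixed in this post and in the earlier one (the F2 system.ini Shell/UserInit lines, the R1 Default_Page_URL pointing at c:\secure32.html, and the O23 service whose binary is missing) are all recognisable by rule. The script below is an added example, not part of the thread and not HijackThis's or swatkat's code: it triages HijackThis-style log lines against the stock Windows XP values (explorer.exe as Shell, C:\WINDOWS\system32\userinit.exe as UserInit, an http(s) home page, a service binary that exists) and reports anything that deviates. The expected values and the sample log (built from entries quoted in this thread plus two constructed clean lines for contrast) are assumptions of the example.

```python
"""Triage HijackThis-style log lines for the persistence anomalies discussed in the thread.

Added example: the expected values below are the stock Windows XP defaults and are
assumptions of this script, not something HijackThis itself reports.
"""
import re
from dataclasses import dataclass

# Stock values Windows XP keeps for the two Winlogon keys HijackThis shows as F2 entries.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# R1 keys that should hold a web URL (or about:blank), never a file on disk.
LOCAL_PAGE_KEYS = {"default_page_url", "start page", "default_search_url", "search page"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (\w+)=(.*)$")
R1_RE = re.compile(r"^R1 - (HK\w+\\[^,]+),(.+?) = (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def split_shell_value(value: str) -> list:
    """Shell= is space separated; honour double quotes around paths with spaces."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', value)]


def split_userinit_value(value: str) -> list:
    """UserInit= is comma separated and Windows leaves a trailing comma, so drop empties."""
    return [part.strip().strip('"') for part in value.split(",") if part.strip()]


def check_f2(key: str, value: str, line: str):
    """Anything launched besides the stock program is a logon persistence hook."""
    if key.lower() == "shell":
        extras = [p for p in split_shell_value(value) if p.lower() != EXPECTED_SHELL]
        if extras:
            return Finding(line, f"Shell= launches extra program(s) besides explorer.exe: {extras}")
    elif key.lower() == "userinit":
        extras = [p for p in split_userinit_value(value) if p.lower() != EXPECTED_USERINIT]
        if extras:
            return Finding(line, f"UserInit= runs extra program(s) besides userinit.exe: {extras}")
    return None


def check_r1(key: str, value: str, line: str):
    """A home/search page set to a local file is a browser hijack, not a user choice."""
    if key.lower() in LOCAL_PAGE_KEYS and value.lower() != "about:blank" \
            and not re.match(r"https?://", value, re.I):
        return Finding(line, f"{key} points at a local file instead of a web URL: {value}")
    return None


def check_o23(name: str, owner: str, path: str, line: str):
    """A registered service whose binary is gone is an orphaned entry worth removing."""
    if "(file missing)" in path.lower():
        return Finding(line, f"service {name!r} ({owner}) has no binary on disk (file missing)")
    return None


def triage(lines) -> list:
    """Run every line through the matching rule; return the findings in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := F2_RE.match(line):
            f = check_f2(m.group(1), m.group(2), line)
        elif m := R1_RE.match(line):
            f = check_r1(m.group(2), m.group(3), line)
        elif m := O23_RE.match(line):
            f = check_o23(*m.groups(), line)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample: the first four and sixth lines are quoted from the thread,
# the trailing-comma UserInit and the "Example AV" service are clean lines added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarCU/YSetSearch/*http://www.yahoo.com/ext/search/search.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gnrpjwn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe (file missing)
O23 - Service: Example AV Service (ExampleAV) - Example Vendor - C:\Program Files\ExampleAV\service.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"FLAG: {finding.reason}\n      {finding.line}")
```

Run against the sample, it flags exactly the four entries swatkat told the poster to fix (local-file home page, the extra executable on Shell=, the extra executable on UserInit=, and the service with a missing binary) and passes the yahoo search bar, the stock UserInit value and the clean service. The point of the trailing-comma case is that a naive "value != expected" comparison would produce a false positive on every healthy XP machine.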
swatkat 14 Practically a Master Poster
Hi,
Do you have Dell PC? I think Dell PCs have slightly different methods to boot into Safe Mode or to use System Restore feature.