'Stein 150 Lapsed Skeptic Team Colleague

Alright, great. Let's begin by uninstalling anything in the Add/Remove Programs list having to do with "QBU".

Next, download Ewido Security Suite.

  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display "Update successful"

    -=-=-=-=-=-=-==-==-=-= End here to download but not scan -=-=-=-=-=-=-==-==-=-=

  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.

Next, fix the following with HJT:

O4 - HKLM\..\Run: [QkOnBtn] C:\Program Files\QBU\QkOnBtn.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
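The HJT entries quoted throughout this thread (O4, O2, O9, O16, O20, R0/R1) share one line format, and the helpers here triage them by eye. The following is an added example, not code from the thread or from HijackThis: a small Python parser that splits each line into section, CLSID and file path and attaches flags for the things the helpers look for (target file missing, Winlogon Notify DLL, random-looking DLL name, IE policy key, ActiveX download). The sample log is constructed from entries quoted in this thread; the flag names and the random-name heuristic are this example's own assumptions, not HijackThis terminology.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example, not from the thread and not part of HijackThis. It parses the
item format HJT prints (Rn/On prefix, " - ", section-specific body) and
attaches flags for the things the helpers in this thread look for by eye.
Flag names and heuristics are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: entries quoted in this thread, one per line.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [QkOnBtn] C:\Program Files\QBU\QkOnBtn.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\dn2401fqe.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
"""

LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path up to a loadable-module extension. ".com" is left out on
# purpose: "PartyPoker.com" in an O9 title would otherwise look like a file.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys|cpl)\b", re.I)
# Weak heuristic: 6+ chars mixing letters and digits, like dn2401fqe.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$", re.I)


@dataclass
class HjtEntry:
    section: str                    # "O4", "R1", ...
    body: str                       # everything after "Oxx - "
    clsid: Optional[str] = None
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def triage_flags(e: HjtEntry):
    body = e.body
    if "(file missing)" in body or "(no file)" in body:
        yield "orphaned"         # registry still points at a file that is gone
    if e.section == "O20":
        yield "winlogon-notify"  # DLL loaded into winlogon.exe at logon
        if e.path is None:
            yield "no-target"    # bare directory such as C:\WINDOWS\
    if e.section == "O6":
        yield "ie-policy"        # IE restriction policy; hijackers set it to block cleanup
    if e.section == "O16":
        yield "activex-dpf"      # Downloaded Program Files control; check the publisher
    if e.section in ("R0", "R1") and body.endswith("="):
        yield "empty-value"
    if e.path:
        stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if RANDOM_NAME_RE.match(stem):
            yield "random-name"


def parse_hjt(text: str) -> List[HjtEntry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue             # header lines and blanks
        section, body = m.groups()
        e = HjtEntry(section, body)
        c, p = CLSID_RE.search(body), PATH_RE.search(body)
        e.clsid = c.group(0) if c else None
        e.path = p.group(0) if p else None
        e.flags = list(triage_flags(e))
        entries.append(e)
    return entries


def flagged(text: str) -> List[HjtEntry]:
    """Entries worth a second look; everything else is left alone."""
    return [e for e in parse_hjt(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.flags):<32} {e.path or e.clsid or ''}")
```

The flags are hints to read the log with, not verdicts; the thread's own rule still applies (most entries are harmless, and fixes should be confirmed by someone reading the full log). The random-name check is a weak heuristic and will also hit legitimate names that mix letters and digits, such as runtime DLLs carrying a version number.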

'Stein 150 Lapsed Skeptic Team Colleague

Alright, you're infected with a SpyAxe variant.

Let's begin by downloading SmitfraudFix. Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
______________________________

Next, download the trial version of Ewido.

  • Install Ewido.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.

You will need to update Ewido to the latest definition files.

  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.

The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update Ewido. Make sure to close Ewido before installing the update.

Next, download CCleaner, specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display …

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, have ya tried disabling your firewall and trying again?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

If ya could repost the log without all the line spaces in between each entry, it'd be great.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Chrissa, if ya could post in a new thread, it'd be great.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, so NOD32 and IE don't work, but Firefox and AOL do.

You have DSL/Cable, right?

'Stein 150 Lapsed Skeptic Team Colleague

OK, the log's clean. Now we're gonna try reinstalling IE. The reason cookies come up in nearly every scan is that they come from surfing the internet.

Please go to:
start-->run

and type this in:
regedit

Then click on the FILE menu and select export
Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

Then, go to start-->run

and type this in:
notepad

Paste this into the box:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"IsInstalled"=dword:00000000

Then click on the FILE menu and select save as
Save the file as regfix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file


Now double-click on regfix.reg and insert it into the registry.

Then, go here, and reinstall Internet Explorer:
Internet Explorer Update

'Stein 150 Lapsed Skeptic Team Colleague

Arg, sorry we're just getting to ya now.

Could ya post a more recent log?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

OK, more research done by me.

Here's what I found--wouldn't hurt to try it out:

In Windows NT/2000/XP it is possible to move the files so that they cannot be reloaded. Open the Command prompt (Start -> Programs -> Accessories) and type:

cd "%WinDir%\Downloaded Program Files"
ren CnsMin.dll CnsDel.dll

Reboot and load the Command prompt again. Type:

cd "%WinDir%\Downloaded Program Files"
del cns*.*

The first time you reboot after deleting or moving CnsMin you'll get an error about not being able to find it. Ignore this. To clean up the remaining traces of the software that cause this, open the registry (Start -> Run -> regedit) and delete the following keys:

HKEY_CLASSES_ROOT\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}
HKEY_CLASSES_ROOT\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
HKEY_CLASSES_ROOT\CnsHelper.CH
HKEY_CLASSES_ROOT\CnsHelper.CH.1
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook.1
HKEY_CURRENT_USER\Software\3721
HKEY_LOCAL_MACHINE\Software\3721
HKEY_LOCAL_MACHINE\Software\InterChina
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\!CNS
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CnsMin
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin

After trying this out, post back and tell us your status, along with a new HJT log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Arg, let's post a new HJT log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, the Ewido log's clean except for cookies, which is alright.

The HJT log is clean, except for 1 entry. Fix the following:

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop

Now thinking about it, it wouldn't hurt to redownload IE.

Follow these steps:

Please go to:
start-->run

and type this in:
regedit

Then click on the FILE menu and select export
Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

Then, go to start-->run

and type this in:
notepad

Paste this into the box:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"IsInstalled"=dword:00000000

Then click on the FILE menu and select save as
Save the file as regfix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file


Now double-click on regfix.reg and insert it into the registry.

Then, go here, and reinstall Internet Explorer:
Internet Explorer Update

After doing all of this, post back with an update on how it's coming along.

Thanks.
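The Active Setup fix above (in this post and in the earlier post that reinstalls IE the same way) depends on the .reg file being well formed: the header line must be exact, the key path must sit on a single line, and the file must be saved as .reg rather than .txt. The following is an added example, not from the thread: Python that builds such a file and parses one back, rejecting the key path when it is wrapped across two lines the way it often is after being pasted from a forum post. The `build_reg`/`parse_reg`/`is_valid_reg` names, the REG_SZ handling and the wrapped sample are this example's own.

```python
"""Build and parse minimal Windows .reg files (the REGEDIT 5.00 text format).

Added example, not from the thread. Covers only what the IE reinstall fix
needs: one header line, [key] lines, "name"=dword:XXXXXXXX values and
"name"="string" values. Anything else is rejected rather than guessed at.
"""
import re
from typing import Dict, Optional, Union

REG_HEADER = "Windows Registry Editor Version 5.00"

# Key from the thread: Internet Explorer's Active Setup component. Setting
# IsInstalled to 0 makes Windows treat IE as not installed so setup reruns.
ACTIVE_SETUP_IE = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
                   r"\{89820200-ECBD-11cf-8B85-00AA005B4383}")

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _escape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return s.replace("\\", "\\\\").replace('"', '\\"')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def build_reg(entries: Dict[str, Dict[str, Union[int, str]]]) -> str:
    """Render {key_path: {value_name: int | str}} as .reg text.
    ints become REG_DWORD, strs become REG_SZ. Lines are CRLF-terminated,
    which is what regedit writes and expects."""
    lines = [REG_HEADER, ""]
    for key, values in entries.items():
        lines.append(f"[{key}]")                     # whole path on one line
        for name, val in values.items():
            if isinstance(val, int):
                lines.append(f'"{name}"=dword:{val & 0xFFFFFFFF:08x}')
            else:
                lines.append(f'"{name}"="{_escape(val)}"')
        lines.append("")
    return "\r\n".join(lines)


def parse_reg(text: str) -> Dict[str, Optional[Dict[str, Union[int, str]]]]:
    """Parse .reg text. A key written as [-path] (delete) maps to None.
    Raises ValueError on the mistakes the post warns about."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("first line must be exactly: " + REG_HEADER)
    result, current = {}, None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            delete, path = m.groups()
            current = path
            result[path] = None if delete else {}
            continue
        if current is None or result[current] is None:
            raise ValueError(f"line {lineno}: value outside a key")
        m = _DWORD_RE.match(line)
        if m:
            result[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _SZ_RE.match(line)
        if m:
            result[current][m.group(1)] = _unescape(m.group(2))
            continue
        # a key path wrapped onto two lines ends up here: neither half is a
        # complete [key] and neither is a value
        raise ValueError(f"line {lineno}: cannot parse {line!r}")
    return result


def is_valid_reg(text: str) -> bool:
    try:
        parse_reg(text)
        return True
    except ValueError:
        return False


# Constructed: the thread's snippet with the key path broken across two lines,
# which is how it appears when pasted straight from the forum.
WRAPPED_SNIPPET = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\\r\n"
    "{89820200-ECBD-11cf-8B85-00AA005B4383}]\r\n"
    '"IsInstalled"=dword:00000000\r\n'
)

if __name__ == "__main__":
    text = build_reg({ACTIVE_SETUP_IE: {"IsInstalled": 0}})
    print(text)
    print("generated parses:", is_valid_reg(text))
    print("wrapped parses:", is_valid_reg(WRAPPED_SNIPPET))
```

Write the output of `build_reg` to a file with a .reg extension before merging it; the parser is there to catch the wrapped-key and wrong-header cases before regedit does, since regedit's own error on a malformed file is not specific about what went wrong. Export the full registry first, as the post says, so the change can be reversed.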

'Stein 150 Lapsed Skeptic Team Colleague

Heh, the folder issue has to do with backing up actions done, and fixing them if the wrong one is chosen.

For example, if ya accidentally checked the wrong box and fixed it, and it killed a program, you could fix this if the program was in a permanent folder, but not if it was in a temporary folder.


I looked at the Ewido log--only cookies, which is good to see.

However, I'm not liking the PartyPoker too much.

Let's begin by going to the Add/Remove Programs list and uninstalling the following program:

PartyPoker

After doing this, open up HJT and check the following:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

After checking these, close ALL other windows (including this one) and hit 'fix checked'.

Then, delete this folder:

C:\Program Files\PartyGaming\PartyPoker

After doing this, restart the computer and post a new HJT log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hah, no worries about posting. We do it for the fun of it anyways :)

For the CCleaner:

1) Yes, include all of the ones ya listed, although some of those will not have every folder.

2) Yes, use that folder instead, that works too.

Thanks again.

'Stein 150 Lapsed Skeptic Team Colleague

Haha ya, I'd second that. I already use it in fixes here.

However, after installing, ya need to configure it to scan some custom files:

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch

After adding these in custom, be sure to check the box inside the 'clean' tab.

Ya, and lastly, just make this post a new thread next time.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Arg, shoot, I screwed it up.

Thanks for the correction...

'Stein 150 Lapsed Skeptic Team Colleague

Ya, agreed. Also, iTunes is a great way to organize files and play them on your computer too.

Lastly, Limewire is free.

Ya, and roger that about posting a new log...

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, that sounds like a hardware problem, but we'll double check that.

Download HijackThis (current version is v1.99.1)

or here (Alternate 1, a self-extracting zip file)
or here (Alternate 2, an *.exe file)

Make a new folder to put your HijackThis.exe into.

(Anywhere on your hard drive is fine other than your Desktop or the Temp folder. Suitable examples are:

  • C:\HijackThis\
  • C:\Programs\hijackthis\
  • C:\Windows\My Documents\HJT\

but feel free to use any name.)

Extract and save the HijackThis download to the new folder you made. Then navigate to it and run HijackThis from there. (This is to ensure it makes the necessary backups for recovery if fixes are made.) Then, double-click HijackThis.exe, and click Scan.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents in your reply. Most of what it lists will be harmless or even essential, don't try to fix anything yourself.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

OK good, I like that L2Me fix. However, one scan doesn't always remove all the files.

Therefore, run Look2Me-Destroyer once again, following the same directions as before.

After running completely (and rebooting),

run SpySweeper again, saving the log.

Then, with HJT, fix the following:

O20 - Winlogon Notify: DH - C:\WINDOWS\system32\dn2401fqe.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

After fixing, restart the computer and post back here with the L2Me scan, SpySweeper scan, and a new HJT scan.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Yep, all clean.

The critical objects thing--generally, it classifies 'cookies' as critical objects, so oftentimes this is why they occur so frequently.

If ya could mark the thread as solved, it'd be incredible.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Arg, stupid me missed the L2Me infection.

Do the following:

Please download Look2Me-Destroyer.exe to your desktop.

Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.

You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.

You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.

Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Arg...you're right.

Ya know what, just ignore the custom folders, and run the scans anyway.

Sorry for the trouble.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm I don't see anything in the log, but that could mean several things.

Let's do simple first.

Open HJT, and fix the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

Now, begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp

'Stein 150 Lapsed Skeptic Team Colleague

Hmm well several things.

1) Download Firefox (link in my sig below). It should give ya a little more leeway (NOTE: if it asks ya to transfer settings, say no).

Also, FF is a much safer way of browsing anyways, so I'd keep it after this fix.

Second, if that doesn't work, you could possibly burn the logs to a cd/floppy/memory key and transfer them from computer to computer.

Let us know of your plan of action.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Well, just to be safe, let's run CCleaner:


Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch

After doing this, move back to the 'Cleaner' tab, and inside …

'Stein 150 Lapsed Skeptic Team Colleague

Good good, I don't see any more L2Me signs in the post anymore (but I'll let tayspern second that :) ).

I don't see anything else in the HJT log either.

Are ya still having problems?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Arg, alright, ya have a dilemma. You have a program on your computer called MyKazaaGold. I'm pretty sure it's a paid program. However, it has spyware embedded inside of it. Therefore, the simple answer is to uninstall it. But not everybody does.

Personally, I'd recommend uninstalling it, and switching to another P2P network, such as Limewire, but that decision is up to ya.

I'm going to treat the following fix as though you are going to remove it. If ya decide not to, post back, and we'll have to revise the fix instructions.
_______________________________

Begin by uninstalling Kazaa through the Add/Remove Programs list.


Now, begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My …

'Stein 150 Lapsed Skeptic Team Colleague

Ok, that's cool. What we'll do instead is run CCleaner and then after that, an online Panda scan.

Directions for the entire process using CCleaner:

Please print out or copy these instructions/tutorials to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
________________________________________________________________________________

Step 1.
==========

Please download and install CCleaner from here
(Note: DO NOT run this program yet)

Step 2.
==========

Download the program tayspern linked to above.

- After the files are extracted, please reboot your computer into Safe Mode.

Step 3.
==========

- Reboot computer into "Safe Mode" Using the F8 method:
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
(Note: For additional help in booting into Safe Mode, see the following site - here)

Step 4.
==========

We need to make sure all Hidden Files are showing so please:
* Open "My Computer" then click on "Tools" and from the drop down menu select "Folder Options".
* Select the "View" tab.

'Stein 150 Lapsed Skeptic Team Colleague

Ok, you're not THAT infected--and we can fix all of it.

Copy this advice to a Notepad file. Save it to your desktop. We will use it later.

Download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Follow by downloading CCleaner, and specifically choosing the most recent version.

Next, follow these steps for configuring CCleaner:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and …

'Stein 150 Lapsed Skeptic Team Colleague

EDIT: Heh, nizzy beat me to it. Follow his instructions.

Ahh, the obnoxious AIM virus. Heh, well, ya came to the right place :)

First off, I wanna mention I don't see anything too bad in the log, which is good.

Begin by downloading Ewido Security Suite.

  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display "Update successful"

    -=-=-=-=-=-=-==-==-=-= End here to download but not scan -=-=-=-=-=-=-==-==-=-=

  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find …

'Stein 150 Lapsed Skeptic Team Colleague

Now, uninstall the following:

PartyPoker

Then, check the following in HJT:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

After doing this, reboot into safe mode and delete this folder:

C:\Program Files\PartyPoker

Reboot into normal mode again.

Then, begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. …

'Stein 150 Lapsed Skeptic Team Colleague

Ya might wanna try using this article.

However, I wouldn't recommend it if you're not too familiar with computers (I have a feeling ya are), because it uses RegEdit.

Just be careful with regedit.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Well, have ya tried disabling Norton AntiVirus from running on startup, restarting the computer, and running it again?

If not, try this, and then post back here on how it worked.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Arg, post a new HJT log (as Tayspern said), and then try running SpySweeper in safe mode. I'm not liking how it didn't scan too well.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hi, welcome to DaniWeb. You're sorta infected, but it's all stuff we can fix. NOTE: Save these directions to a Notepad file on the desktop, as you will not be able to access the internet while in safe mode.

Let's begin by doing the following:


Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user …

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, I dunno if we've tried this already, but have ya tried running SpySweeper in safe mode?

If not, let's try that.
If so, post back and we'll work from there.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Yep, all clean.

Glad we could help :)

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Yes, several problems. First off, all I'll say is that you're INFESTED, but it can all be fixed. Second, ya didn't include the header that lists the HJT version, IE version, and Windows version.

Post the header next time please :)


Let's begin by doing several things.

First, uninstall EQAdvice through the Add/Remove Programs list.

Then, completely update Ewido (I already see it's installed), but DON'T run it yet.

Next, download SpySweeper (link in my sig below). Update all its definitions, but don't run a scan yet.

Next, begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, …

'Stein 150 Lapsed Skeptic Team Colleague

Jeez dude, ya were LOADED.

OK, not all of it is gone yet though, so let's do this.

Copy this advice to a Notepad file. Save it to your desktop. We will use it later.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "delete on reboot" and put a check in the "unregister dll" box.

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\YWJoYQ\asappsrv.dl

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

After this, run SpySweeper again, and repost a log here.

We'll work from there then.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hell ya, it caught it!
And yeah, the HJT looks clean too.

Are ya still having problems? If not, still respond back, as I gotta fix a few more things before ya leave.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Haha, no worries, go ahead. If ya want, post back and I'll send ya some other canned messages I use (SpyAxe fix, L2Me fix, VundoFix, Nail fix, resetting System Restore, reinstalling IE, etc.).

'Stein 150 Lapsed Skeptic Team Colleague

Good good, it's all looking incredible.

However, to triple check everything, run Kaspersky one more time (the same scan ya ran in the very beginning), and verify it doesn't find the virus again.

Now for AV stuff. Just so ya know ahead of time, Webroot SpySweeper isn't permanently free--after 14 days, it expires completely, unless ya want to buy it.

For an antivirus I would strongly recommend downloading AVG. It's free, and top of the line anyways. Here:

http://free.grisoft.com/doc/2/lng/us/tpl/v5

Keep Ewido--after 14 days, the automatic updates will expire; all that means is that you'll have to update manually before scans (basically, ya have to hit the 'update' button before scanning).

Lastly, I would download Microsoft Defender, as it is a good 'realtime' spyware deterrent.

Here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&DisplayLang=en

After doing this, tell me what your plan of action is, and we'll go from there.

Thanks again (and sorry for the late reply).

'Stein 150 Lapsed Skeptic Team Colleague

Ahh great, thanks a lot :)

OK, this'll be my last post for the night--gotta go study for tomorrow, but ya, post all of the scans, and I'll take a look at them tomorrow sometime (probably around 8pm) and get back to ya.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmmm, did McAfee prevent ya from downloading and running the program?

Cause the scan from the program itself is a fair amount more thorough.

If ya can get it to dl and run, it'd be incredible. If not, it's ok.

Still looking forward for that SpySweeper scan log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Yep, if ya could do that, it'd be great. Ya might have a few problems though--oftentimes, AVs are known for having bloody uninstallers.

If it gives ya a ton of problems, then just ignore it and continue on with the fix--we can always delete it at the end.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm alrite. The log's clean, but I wanna run some other tests. And ya, it was expected that the startpages would be deleted. That should be easy to replace.

By the way, what is McAfee tellin ya in those beeps and popup screens?

Alrite, now, we're gonna download 2 programs, Ewido and SpySweeper (links can be found in my signature below).

Download both, update definitions for both, and run scans with both (normal mode, not safe mode, should be fine).

After running both, save both of the scan logs.

Post both of the scan logs back here, and we'll work from there.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Yes, you're fine as long as ya delete the contents of this file:

C:\Documents and Settings\<User>\Local Settings\Temp

All of the files in here are *.tmp

Lastly, I would rather ya use CCleaner in comparison than any other one, simply because I know how to use it, and I know it doesn't have embedded spyware or anything similar.


After ya finish up with that, reboot into normal mode again (simply restart the computer), open HJT, and check the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop

After checking, close all of the other windows and hit 'fix checked'.

After doing this, restart the computer and post a new log.

Thanks.
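A way to triage R1 entries like the ones above with a script instead of by eye, so every Internet Explorer start/search URL in an HJT log is listed against a host list the analyst trusts. This is an added example, not code from the forum post or from HijackThis; the log lines, the `.example` hosts and the trusted-host set are all constructed.

```python
"""Parse HijackThis R1 (IE start/search page) lines and flag the ones whose URL
host is not on an analyst-supplied trusted list. Added example; the sample
log and the trusted hosts below are constructed, not taken from a real log."""
import re
from urllib.parse import urlparse

# R1 - <hive>\<key>,<value name> = <url>
R1_LINE = re.compile(
    r"^R1 - (?P<hive>HKCU|HKLM)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)$"
)

# Constructed sample entries shaped like the R1 lines in the post above.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://search.example/ie.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://search.example/www
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://search.example/www
R1 - HKCU\\Software\\Microsoft\\Internet Connection Wizard,ShellNext = http://oem.example/rdr?pf=laptop
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://unknown-host.example/go.php
O4 - HKLM\\..\\Run: [Foo] C:\\Program Files\\Foo\\foo.exe
"""


def parse_r1(log_text):
    """Return one dict per R1 line; other HJT sections (O4, F2, ...) are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = R1_LINE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["host"] = urlparse(entry["url"]).hostname or ""
        entries.append(entry)
    return entries


def review_r1(log_text, trusted_hosts):
    """Label each R1 entry 'trusted' when its host is in trusted_hosts, else 'fix'
    (a candidate for HJT's 'Fix checked'). Returns (hive, key, value, host, verdict)."""
    trusted = {h.lower() for h in trusted_hosts}
    results = []
    for e in parse_r1(log_text):
        verdict = "trusted" if e["host"].lower() in trusted else "fix"
        results.append((e["hive"], e["key"], e["value"], e["host"], verdict))
    return results


if __name__ == "__main__":
    for row in review_r1(SAMPLE_LOG, {"search.example", "oem.example"}):
        print(" | ".join(row))
```

Anything labelled `fix` is what the helper would tell the user to tick in HJT; the trusted list is the analyst's call, since a hijacked search page can still point at a well-known host.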

'Stein 150 Lapsed Skeptic Team Colleague

Heh sorry for bein unclear.

Yes, download the program and then put in the custom folders.

After this, shut down the computer. Wait 30 seconds. Then, restart the computer, constantly hitting F8 until a screen comes up. Choose 'Safe Mode', and let it open. Then, run CCleaner.

The only thing safe mode does is limit the number of startup processes that turn on.

After doing this, come back and i'll list what ya need to check in HJT.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Alrite great, first off, I'll let ya do this while we go thru the log: (NOTE: Be sure to run the scan in Safe mode)


Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\History
C:\Documents and Settings\<Every …

'Stein 150 Lapsed Skeptic Team Colleague

Ok, great. I'll help ya with it all.

First, let's turn system restore back on.

Then, after that, download HijackThis, a diagnostic program. After downloading, move the icon from the folder to the desktop, and open it.

Run a scan and save the log.

Post the log back here and we'll help ya out.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Yep, you're sorta infected.

Let's start by uninstalling the following using Add/Remove Programs:

Accoona
Spyware Nuker


Then, download Ewido Security Suite.

  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display "Update successful"

    -=-=-=-=-=-=-==-==-=-= End here to download but not scan -=-=-=-=-=-=-==-==-=-=

  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.

After this, download CCleaner.
Then, follow these steps:

1. Close all programs so that you …