Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.
[*] Run HijackThis
[*] Click on the Scan button
[*] Put a check beside all of the items listed below (if present):
[*] Close all open windows and browsers/email, etc.
[*] Click on the "Fix Checked" button
[*] When completed, close the application.
Now let's check some settings on your system.
(2000/XP only) In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns then hit Enter; then type exit and hit Enter.
(The space between g and / is needed.)
[*]Double-click VundoFix.exe to run it.
[*]Click the Scan for Vundo button.
[*]Once it's done scanning, click the Remove Vundo button.
[*]You will receive a prompt asking if you want to remove the files, click YES
[*]Once you click yes, your desktop will go blank as it starts removing Vundo.
[*]When completed, it will prompt that it will reboot your computer, click OK.
[*]Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post a fresh HijackThis log (version 1.99.1), FixWareout report (C:\fixwareout\report.txt) and VundoFix report.
Logfile of HijackThis v1.99.1
Scan saved at 2:06:58 AM, on 4/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp3.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {f9202b19-83c3-4d26-aa08-4bf33b425343} - C:\WINDOWS\system32\cryiqv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe
O4 - HKLM\..\Run: [COMODO firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\urppqo.dll",realset
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZIP Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\Lida\My Documents\AddToNetDisk.htm
O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 (Add to QQ emoticons) - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定义面板 (Add to QQ custom panel) - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 (Send this picture via QQ MMS) - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 腾讯QQ (Tencent QQ) - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab56907.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/we...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: cryiqv - C:\WINDOWS\SYSTEM32\cryiqv.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\System32\taskmang.exe
.................
Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmyzy"
HKLM\SOFTWARE\~\Winlogon\ "System"="csbeh.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
.............
VundoFix V6.3.19
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 2:12:42 AM 4/17/2007
Listing files found while scanning....
VundoFix V6.3.19
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.
1. Download this file - combofix.exe and save it to your desktop.
2. Go to start -> run.
type this in the box and click OK
3. When finished, it shall produce a log for you. Post that log in your next reply
4. Reboot
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Open HijackThis, press do a system scan only, checkmark these lines:
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\urppqo.dll",realset
O20 - AppInit_DLLs:
Next, close all other windows and press Fix checked.
Please set Windows to show hidden files:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and close My Computer.
10. Now your computer is configured to show all hidden files.
Reboot your computer in Safe mode:
1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode.
Once in Safe mode:
Delete these files:
C:\WINDOWS\System32\lsasss.exe
C:\WINDOWS\System32\svehost.exe
C:\WINDOWS\System32\clcl3.exe
C:\WINDOWS\urppqo.dll
Reboot in Normal mode.
Post a fresh HijackThis log, FixWareOut log, FindAWF log and ComboFix log.
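The triage the helper did by eye on the log above (autostarts named one letter off from lsass.exe and svchost.exe, rundll32 loading a random-named DLL dropped straight into C:\WINDOWS, nameless BHOs, a Winlogon Notify DLL nobody registered, an "Unknown owner" service calling itself Windows Task Manager) can be written down as rules. Below is an added example of that, not HijackThis code and not the helper's own tool; the list of system binaries, the set of stock Winlogon Notify handlers and the edit-distance threshold are assumptions tuned for a Windows XP machine, and the sample log is a constructed subset of the lines posted above:

```python
"""Triage HijackThis O2/O4/O20/O23 lines for the patterns flagged in this thread.
Added example; not HijackThis code. Allow-lists and threshold are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: XP binaries that malware names itself after (lsasss.exe, svehost.exe, ...).
SYSTEM_BINARIES = {
    "lsass.exe", "svchost.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
    "explorer.exe", "taskmgr.exe", "ctfmon.exe", "rundll32.exe", "spoolsv.exe", "userinit.exe",
}
# Assumption: Winlogon Notify handlers that ship with Windows XP (lower-case key names).
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
LOOKALIKE_DISTANCE = 2  # lsasss.exe -> lsass.exe and svehost.exe -> svchost.exe are one edit each

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.*?) - (?P<path>.+)$")

# Constructed sample: a subset of the posted log, malicious and legitimate lines mixed.
SAMPLE_LOG = r'''
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp3.tmp.dll
O2 - BHO: (no name) - {f9202b19-83c3-4d26-aa08-4bf33b425343} - C:\WINDOWS\system32\cryiqv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\urppqo.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: cryiqv - C:\WINDOWS\SYSTEM32\cryiqv.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\System32\taskmang.exe
'''


@dataclass(frozen=True)
class Finding:
    entry: str   # file name the finding is about
    reason: str
    line: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; names are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_command(cmd: str):
    """(executable, arguments) for a Run-key command; the exe may be quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
        return exe, rest.strip()
    exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def in_windows_dir(path: str) -> bool:
    return re.match(r"^[a-z]:\\windows\\", path.strip().strip('"').lower()) is not None


def in_windows_root(path: str) -> bool:
    # C:\WINDOWS\x.dll yes, C:\WINDOWS\System32\x.dll no: few legitimate DLLs live in the root.
    return re.match(r"^[a-z]:\\windows\\[^\\]+$", path.strip().strip('"').lower()) is not None


def lookalike_of(name: str) -> Optional[str]:
    """System binary that `name` imitates, or None (exact matches are not lookalikes)."""
    if name in SYSTEM_BINARIES:
        return None
    for known in SYSTEM_BINARIES:
        if levenshtein(name, known) <= LOOKALIKE_DISTANCE:
            return known
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := RE_O2.match(line):
            if m["name"].strip().lower() == "(no name)":
                findings.append(Finding(basename(m["path"]), "BHO registered without a name", line))
        elif m := RE_O4.match(line):
            exe, args = split_command(m["cmd"])
            name = basename(exe)
            if name == "rundll32.exe":
                dll = args.split(",", 1)[0]          # rundll32 <dll>,<export>
                if in_windows_root(dll):
                    findings.append(Finding(basename(dll), "rundll32 loads a DLL dropped in the Windows directory", line))
            elif known := lookalike_of(name):
                findings.append(Finding(name, f"file name imitates {known}", line))
        elif m := RE_O20.match(line):
            if m["key"].lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(basename(m["path"]), "non-standard Winlogon Notify DLL (loaded into winlogon.exe)", line))
        elif m := RE_O23.match(line):
            name = basename(m["path"])
            if m["owner"].strip() == "Unknown owner" and in_windows_dir(m["path"]) and name not in SYSTEM_BINARIES:
                findings.append(Finding(name, "unknown-owner service running from the Windows directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry:14} {f.reason}")
```

Run against the sample it flags tmp3.tmp.dll, cryiqv.dll (twice: as nameless BHO and as Winlogon Notify handler), lsasss.exe, svehost.exe, urppqo.dll and taskmang.exe, and leaves avast, QuickTime, Adobe and ctfmon alone. These are heuristics for a first pass, not a verdict: a hit still needs the file looked at (hash, signer, VirusTotal), and the allow-lists need extending for anything newer than XP.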
Thanks for all the help however I did encounter a few problems during the process.
I did as you said except I couldn't seem to run Combofix and therefore couldn't get a log. When I typed "%userprofile%\desktop\combofix.exe" /v cryiqv vqiyrc tmp3.tmp into 'Run', the Combofix Window would only flash on my screen for a second and nothing else would happen.
Also, when I rebooted my computer in Safe Mode to delete the files that you mentioned, my computer wouldn't allow me to delete C:\WINDOWS\System32\lsasss.exe or C:\WINDOWS\System32\svehost.exe . When I tried to delete those two files an error would come up reading "Cannot delete: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." I also couldn't find the C:\WINDOWS\urppqo.dll file.
Anyway, here is the fresh HijackThis log, FixWareOut log and FindAWF log that I could get.
Logfile of HijackThis v1.99.1
Scan saved at 3:44:20 PM, on 4/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe"
"SoundMan"="SOUNDMAN.EXE"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"BootService"="rundll32.exe \"C:\\WINDOWS\\efffdc.dll\",realset"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
It should look like this -> Do NOT click this yet, because this file must be run in Safe Mode.
Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.
[*]Double-click VundoFix.exe to run it.
[*]Click the Scan for Vundo button.
[*]Once the scan is complete, Right Click inside the listbox (white box) and click add more files
[*]Copy&Paste the entry below into the top box:
[*]Click Add Files and Click Close Window
[*]Click the Remove Vundo button.
[*]You will receive a prompt asking if you want to remove the files, click YES
[*]Once you click yes, your desktop will go blank as it starts removing Vundo.
[*]When completed, it will prompt that it will reboot your computer, click OK.
[*]Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
Once in Safe Mode
Double-click delete.bat; a black DOS window will flash, that's normal.
Please run Killbox.
Select "Delete on Reboot".
click All Files
Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
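Killbox's "Delete on Reboot" (and the "Delete a file on reboot" button in HijackThis's Misc Tools, used later in this thread) exist for exactly the "Cannot delete: Access is denied" problem reported above: the file is held open by a running process, so the request is queued and carried out by the session manager early in the next boot, before the autostart that locks it has run. The following is an added example of that mechanism in Python, not Killbox or HijackThis code. It assumes the documented Win32 call MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) and the well-known (not formally documented) layout of the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations value it writes: a REG_MULTI_SZ of source/destination pairs, \??\-prefixed paths, and an empty destination meaning delete. The paths in the demo are constructed from the files named in this thread:

```python
"""Delete-on-reboot, the mechanism behind Killbox / HijackThis "delete on reboot".
Added example, not Killbox or HijackThis code. Assumes the MoveFileExW behaviour and the
PendingFileRenameOperations layout described in the lead-in; only the real call needs Windows."""
import sys
import ctypes
from typing import List, Optional, Tuple

MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004  # documented MoveFileEx flag
SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def nt_path(win_path: str) -> str:
    """Win32 path -> the \\??\\C:\\... form stored in the pending-rename value."""
    p = win_path.strip().strip('"')
    return p if p.startswith("\\??\\") else "\\??\\" + p


def pending_entries_for_delete(paths: List[str]) -> List[str]:
    """Value layout is [src1, dst1, src2, dst2, ...]; an empty dst means delete src."""
    entries: List[str] = []
    for p in paths:
        entries.extend([nt_path(p), ""])
    return entries


def parse_pending(entries: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Pair the strings up; None marks a delete, a dst starting with '!' a replace-existing move.
    A dangling odd string (corrupt value) is ignored rather than misread."""
    pairs: List[Tuple[str, Optional[str]]] = []
    for i in range(0, len(entries) - 1, 2):
        src, dst = entries[i], entries[i + 1]
        pairs.append((src, dst if dst else None))
    return pairs


def schedule_delete_on_reboot(win_path: str) -> None:
    """Queue deletion of a (possibly locked) file for the next boot.
    Windows only and needs administrator rights, exactly like the tools in the thread."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    if not kernel32.MoveFileExW(win_path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def read_pending() -> List[Tuple[str, Optional[str]]]:
    """What is already queued. Worth checking during cleanup: malware uses this key too,
    e.g. to reinstate a dropper or replace a system file at boot."""
    import winreg  # Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        try:
            value, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return parse_pending(list(value))


if __name__ == "__main__":
    # Constructed demo input: the two files the user could not delete in Safe Mode.
    targets = [r"C:\WINDOWS\System32\lsasss.exe", r"C:\WINDOWS\System32\svehost.exe"]
    for src, dst in parse_pending(pending_entries_for_delete(targets)):
        print(src, "-> (delete)" if dst is None else f"-> {dst}")
    if sys.platform == "win32":
        for src, dst in read_pending():
            print("already queued:", src, "->", dst or "(delete)")
```

Two practical notes. First, the queued operation runs under the session manager with the same rules as a normal delete, so a file protected by a rootkit driver may still survive; that is why the thread moves on to Blacklight when the simple delete-on-reboot path does not work. Second, read_pending is as useful for detection as for cleanup: an entry you did not create, pointing at a system binary or a freshly dropped file, is itself an indicator.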
I couldn't get a VundoFix Log as when I ran VundoFix it reported that my computer had no infected files...however here is the HijackThis and FindAWF Log as requested.
Logfile of HijackThis v1.99.1
Scan saved at 2:52:13 AM, on 4/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
[*]Restart your computer
[*]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
[*]Instead of Windows loading as normal, the Advanced Options Menu should appear;
[*]Select the first option, to run Windows in Safe Mode, then press Enter.
[*]Choose your usual account.
Double-click delete.bat; a black DOS window will flash, that's normal.
Delete this folder:
C:\PROGRA~1\MSNMES~1\BAK
[*] Open the extracted SDFix folder and double click RunThis.bat to start the script.
[*] Type Y to begin the cleanup process.
[*] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
[*] Press any Key and it will restart the PC.
[*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
[*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
Post a fresh HijackThis log, SDFix log and FindAWF log.
Hi again and again, thanks for all your help.
Here is the HijackThis log, SD Fix log and FindAWF log.
Logfile of HijackThis v1.99.1
Scan saved at 10:57:12 PM, on 4/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Please send this file to virustotal and post the results here:
C:\WINDOWS\system32\AE98483D86.sys
1. Download this file - combofix.exe 2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Please download F-Secure Blacklight (blbeta.exe) and save to your C:\ drive.
1. Open a command window by going to Start > Run and typing: cmd
2. Copy/paste or type the following in the command window:
C:\blbeta.exe /expert
3. Hit "Enter" to start the program and then close the cmd box.
4. Accept the user agreement and click "Next".
5. Click "Scan".
6. After the scan is complete, click "Next", then "Exit". BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
7. The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
8. Exit Blacklight and post the contents of the log in your next reply.
Note: If you download Blacklight to your desktop, just double-click to run from there and it will create the "fsbl-xxxxxxx.log" on your desktop.
Post a fresh HijackThis log, ComboFix log, Blacklight log and virustotal results.
Logfile of HijackThis v1.99.1
Scan saved at 2:52:16 AM, on 4/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Antivirus Version Update Result
AhnLab-V3 2007.4.19.1 04.19.2007 no virus found
AntiVir 7.3.1.53 04.19.2007 no virus found
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.19.2007 no virus found
AVG 7.5.0.447 04.18.2007 no virus found
BitDefender 7.2 04.19.2007 no virus found
CAT-QuickHeal 9.00 04.19.2007 no virus found
ClamAV devel-20070416 04.19.2007 no virus found
DrWeb 4.33 04.19.2007 no virus found
eSafe 7.0.15.0 04.19.2007 no virus found
eTrust-Vet 30.7.3579 04.19.2007 no virus found
Ewido 4.0 04.19.2007 no virus found
FileAdvisor 1 04.19.2007 no virus found
Fortinet 2.85.0.0 04.19.2007 no virus found
F-Prot 4.3.2.48 04.18.2007 no virus found
F-Secure 6.70.13030.0 04.19.2007 no virus found
Ikarus T3.1.1.5 04.19.2007 no virus found
Kaspersky 4.0.2.24 04.19.2007 no virus found
McAfee 5012 04.18.2007 no virus found
Microsoft 1.2405 04.19.2007 no virus found
NOD32v2 2205 04.19.2007 no virus found
Norman 5.80.02 04.19.2007 no virus found
Panda 9.0.0.4 04.19.2007 no virus found
Prevx1 V2 04.19.2007 no virus found
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.19.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.19.2007 no virus found
VirusBuster 4.3.7:9 04.18.2007 no virus found
Webwasher-Gateway 6.0.1 04.19.2007 no virus found
Additional Information
File size: 56 bytes
MD5: af270ea6fa5856d2cacbe0711427accf
SHA1: 7a4b6d2e21dae2177853c1b81c5f08b20f66bfc3
Once in Safe mode:
Delete this file:
C:\WINDOWS\system32\mt_32.dll
Reboot in Normal mode.
Open HijackThis, press do a system scan only, checkmark these lines:
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\Lida\My Documents\AddToNetDisk.htm
O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
O8 - Extra context menu item: 添加到QQ表情 (Add to QQ emoticons) - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定义面板 (Add to QQ custom panel) - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 (Send this picture via QQ MMS) - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
Next, close all other windows and press Fix checked.
2. Go to start -> run.
type this in the box and click OK
"%userprofile%\desktop\combofix.exe" /v geeefc
3. When finished, it shall produce a log for you. Post that log in your next reply
4. Reboot
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Please post a fresh HijackThis log and Combofix log.
Logfile of HijackThis v1.99.1
Scan saved at 2:14:41 AM, on 4/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
[*]Open HijackThis
[*]Press Open the Misc Tools section
[*]Press Delete a file on reboot
[*]Find this file:
C:\WINDOWS\geeefc.dll
[*]Press Open
[*]The computer will ask whether you want to restart; press Yes
Please post a fresh HijackThis log and ComboFix log :D
thanks again muuli123
here is the HijackThis and ComboFix logs
Logfile of HijackThis v1.99.1
Scan saved at 12:05:20 PM, on 4/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
What firewall do you use? If you don't use any firewall, please download one.
I recommend one of these:
Link Link Link
Please download AVG anti-spyware to your Desktop or to your usual Download Folder, from HERE [*]Install AVG Anti-Spyware by double clicking the installer.
[*]Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
[*]On the main screen, under Your Computer's security:
[*]Click on Change state next to Resident shield. It should now change to inactive.
[*]Click on Change state next to Automatic updates. It should now change to inactive.
[*]Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
[*]Wait until you see the Update successful message.
[*]Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
[*]Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Don't run a scan yet.
Remove via Add/Remove application:
WhenUSave, WhenU, SaveNow(or something similar name)
Reboot your computer in Safe mode.
Once in Safe mode:
Delete these files/folders:
C:\Program Files\vvsn
C:\Program Files\popcap games
C:\WINDOWS\popcinfo.dat
RUN AVG ANTI-SPYWARE Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
[*]Click on Scanner on the toolbar.
[*]Click on the Settings tab.
[*]Under How to act?
[*]Click on Recommended Action and choose Quarantine from the popup menu.
[*]Under How to scan?
[*]All checkboxes should be ticked.
[*]Under Possibly unwanted software:
[*]All checkboxes should be ticked.
[*]Under Reports:
[*]Select Automatically generate report after every scan and uncheck Only if threats were found.
[*]Under What to scan?
[*]Select Scan every file.
[*]Click on the Scan tab.
[*]Click on Complete System Scan to start the scan process.
[*]Let the program scan the machine.
[*]When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
[*]Make sure that Set all elements to: shows Quarantine (1); if not, click on the link and choose Quarantine from the popup menu. (2)
[*]At the bottom of the window click on the Apply all Actions button. (3)
[*]When done, click the Save Scan Report button. (4)
[*]Click the Save Report as button.
[*]Save the report to your Desktop.
[*]Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal mode.
Please Update your Java and Remove old Java Versions
[*] Download the latest version of Java Runtime Environment (JRE) 6u1. <== scroll down the list to find THIS entry
[*] Click the "Download" button to the right.
[*] Check the box that says: "Accept License Agreement".
[*] The page will refresh.
[*] Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Remove older Java Versions:
[*] Close any programs you may have running - especially your web browser.
[*] Go to Start >> Control Panel double-click on Add/Remove Programs and remove all older versions of Java.
[*] Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*] Click the Remove or Change/Remove button.
[*] Repeat as many times as necessary to remove each Java version.
[*] Reboot your computer once all Java components are removed.
Install latest Java Version:
[*] From your desktop, double-click on jre-6-windows-i586.exe to install the newest version.
Please post a fresh HijackThis log, ComboFix log and AVG Anti-Spyware report.
Hi again :)
I downloaded the AVG Anti-Spyware program.
However, I couldn't change the 'Change state' next to 'Resident Shield' and 'Automatic updates' to 'inactive' because it said n/a.
I also couldn't update it, because when I clicked on the 'Update Now' button an error appeared.
Anyway, I was able to perform the rest of what was asked, so here are the logs you requested.
HKLM\SOFTWARE\AntivirusGold -> Adware.AntiVirusGolden : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP221\A0090691.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP221\A0090692.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP221\A0090693.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/tmp1C.tmp.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/tmpDD.tmp.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094176.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094179.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068214.dll -> Adware.Yatool : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP178\A0068470.dll -> Adware.Yatool : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068485.dll -> Adware.Yatool : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP184\A0069665.dll -> Adware.Yatool : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091710.dll -> Adware.Yatool : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/taskmang.exe -> Downloader.Agent.beh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068213.exe -> Downloader.Agent.beh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068484.exe -> Downloader.Agent.beh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094164.exe -> Downloader.Agent.beh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094174.exe -> Downloader.Agent.beh : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/tmp4.tmp.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094178.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP227\A0093889.exe -> Downloader.Agent.es : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\cryiqv.dll.vir -> Downloader.ConHook : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0095254.dll -> Downloader.ConHook : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068215.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068217.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068218.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP178\A0068471.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP178\A0068473.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP178\A0068474.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068486.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068488.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068489.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP184\A0069667.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP184\A0069669.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP184\A0069670.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091703.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091705.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091711.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP204\A0074474.rbf -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP205\A0074616.rbf -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP220\A0088535.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091695.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091697.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091698.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091699.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091702.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\khooker.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070427-184535-350.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
:mozilla.116:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.117:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.118:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.119:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.120:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.121:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.139:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.167:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.49:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.50:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.51:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.53:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.71:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.72:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.73:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.144:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.145:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.146:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.147:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.148:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.57:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.54:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.55:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.56:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.19:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.20:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.21:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.22:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.23:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.24:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.25:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@as.casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.176:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.52:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.170:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.171:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.172:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.122:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.125:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.185:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.186:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.187:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.188:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.90:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.27:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.28:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.29:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.30:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.68:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.174:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.160:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.61:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.62:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.63:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.64:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.65:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.66:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.67:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Lida\Cookies\lida@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068216.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP178\A0068472.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068487.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP184\A0069668.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091704.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP220\A0089536.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP221\A0089578.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP221\A0091662.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP222\A0091681.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091712.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP227\A0092817.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094106.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP234\A0095506.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp39.tmp.dll.vir -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0095249.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp1.tmp.dll.vir -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/tmp1.tmp.exe -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/tmp2.tmp.exe -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091706.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091707.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091708.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091709.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP227\A0092814.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP227\A0092825.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094175.exe -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094177.exe -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0095248.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091696.exe -> Trojan.Dialer.cj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091700.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091701.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
::Report end
. . . . .
Logfile of HijackThis v1.99.1
Scan saved at 02:40, on 07-04-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
end of report
. . . . .
Logfile of HijackThis v1.99.1
Scan saved at 1:54:31 PM, on 4/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
-------------------------------
Clean your System Restore:
Turn off System Restore:
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab
Check Turn off System Restore
Click Apply, and then click OK
Reboot.
Turn on System Restore:
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab
Uncheck Turn off System Restore
Click Apply, and then click OK