can some one help me please..im new here i have problem about kavo.exe application error when i switch on my computer. the instruction at "0x1001fa1" referenced memory at "0x000000ff". the memory could not be "read" i dont know what this kavo application for?.. but i cant use my yahoo messenger i already reformat may computer but still kavo not erased please help me thnx a lot god bless guys.....
hi, need a reference point to start, a hjt log would be good. you must have not done a clean reinstall of windows as a reformat would have wiped your HD and anything on it. hjt: HiJackThis log - Trend Micro HijackThis 2.0.2 http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe * Save HJTInstall.exe to your desktop. * Doubleclick on the HJTInstall.exe icon on your desktop. * By default it will install to C:\Program Files\Trend Micro\HijackThis . * Click on Install. * It will create a HijackThis icon on the desktop. * Once installed, it will launch Hijackthis. * Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad. * Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log in your next reply
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:49:09 AM, on 7/15/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Apache Group\Apache2\bin\Apache.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Subversion\bin\svnservice.exe C:\Program Files\Subversion\bin\svnserve.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\nutsrv4.exe C:\Program Files\Apache Group\Apache2\bin\Apache.exe C:\WINDOWS\Explorer.EXE C:\Program Files\TortoiseSVN\bin\TSVNCache.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\Babylon\Babylon.exe C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Media Access\MediaAccK.exe C:\Program Files\Media Access\MediaAccess.exe C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6w.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe C:\Program Files\Rainlendar\Rainlendar.exe D:\Daniel\Softwares\Internet\jabber(all pluggin)\jajc.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\ping.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\daniel\Desktop\HiJackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.cujae.edu.cu/proxy.pac F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,igfxtha.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6w.exe" //MS//Tomcat6 O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-21-1123561945-515967899-725345543-1004\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'postgres') O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe O4 - Startup: Shortcut to jajc.lnk = D:\Daniel\Softwares\Internet\jabber(all pluggin)\jajc.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe O4 - Global Startup: Google Talk.lnk = C:\Program Files\Google\Google Talk\googletalk.exe O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{E9EB5D01-3C2F-4DCA-9C17-BED49EAC1F50}: Domain = cujae.edu.cu O17 - HKLM\System\CCS\Services\Tcpip\..\{E9EB5D01-3C2F-4DCA-9C17-BED49EAC1F50}: NameServer = 10.8.176.4,10.8.176.6,10.8.1.70 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing) O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\svnservice.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe -- End of file - 11104 bytes
Hi dpages, To remove the kavo.exe and tavo.exe infection. Keep in mind this infection can be accompanied by other infections as well. We strongly suggest running this fix and posting a fresh HijackThis log. Then wait for someone to check it over. Please do not delete anything unless instructed to. Please download ATF Cleaner by Atribune. Here -> Download – ATF Cleaner Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. (If you use FireFox or the Opera browser To keep saved passwords, click No at the prompt.) It's normal after running ATF cleaner that the PC will be slower to boot the first time or two. Next: Please download Malwarebytes' Anti-Malware to your desktop. • Double-click mbam-setup.exe and follow the prompts to install the program. • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. • If an update is found, it will download and install the latest version. • Once the program has loaded, select Perform quick scan, then click Scan. • When the scan is complete, click OK, then Show Results to view the results. • Be sure that everything is checked, and click Remove Selected. • When completed, a log will open in Notepad. Please save it to a convenient location and post the results. Also "copy/paste" a new HijackThis log file into this thread. 2OG
@ echoreply, Sorry if I was rude and shouldered in on you. I was bored and was watching this for your reply.. I'll get dpages and you can have kasmuther. If it gets to hectic, I'll move him... : )
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:40:51 PM, on 7/17/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Apache Group\Apache2\bin\Apache.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Subversion\bin\svnservice.exe C:\Program Files\Apache Group\Apache2\bin\Apache.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Subversion\bin\svnserve.exe C:\WINDOWS\system32\nutsrv4.exe C:\WINDOWS\Explorer.EXE C:\Program Files\TortoiseSVN\bin\TSVNCache.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\Babylon\Babylon.exe C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6w.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe C:\Program Files\Rainlendar\Rainlendar.exe D:\Daniel\Softwares\Internet\jabber(all pluggin)\jajc.exe C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\daniel\Desktop\HiJackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.cujae.edu.cu/proxy.pac F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,igfxtha.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6w.exe" //MS//Tomcat6 O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-21-1123561945-515967899-725345543-1004\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'postgres') O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe O4 - Startup: Shortcut to jajc.lnk = D:\Daniel\Softwares\Internet\jabber(all pluggin)\jajc.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe O4 - Global Startup: Google Talk.lnk = C:\Program Files\Google\Google Talk\googletalk.exe O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{E9EB5D01-3C2F-4DCA-9C17-BED49EAC1F50}: Domain = cujae.edu.cu O17 - HKLM\System\CCS\Services\Tcpip\..\{E9EB5D01-3C2F-4DCA-9C17-BED49EAC1F50}: NameServer = 10.8.176.4,10.8.176.6,10.8.1.70 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing) O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\svnservice.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe -- End of file - 10813 bytes
Ok dpages, That missed the Trojan. Let’s see if we can get it with this: Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to the drive that contains the Windows Directory, typically C:\SDFix Please then reboot your computer in Safe Mode by doing the following : • Restart your computer • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; • Instead of Windows loading as normal, the Advanced Options Menu should appear; • Select the first option, to run Windows in Safe Mode, then press Enter. • Choose your usual account. • Open the extracted SDFix folder and double click RunThis.bat to start the script. • Type Y to begin the cleanup process. • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. • Press any Key and it will restart the PC. • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). • Finally paste the contents of the Report.txt back on the forum with a new Hijack This log 2OG
SDFix: Version 1.206 Run by daniel on Fri 07/18/2008 at 05:38 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\autorun.inf - Deleted Removing Temp Files ADS Check :
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:20:11 PM, on 7/21/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Apache Group\Apache2\bin\Apache.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Subversion\bin\svnservice.exe C:\Program Files\Apache Group\Apache2\bin\Apache.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Subversion\bin\svnserve.exe C:\WINDOWS\system32\nutsrv4.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\Program Files\TortoiseSVN\bin\TSVNCache.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\Babylon\Babylon.exe C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6w.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe C:\Program Files\Rainlendar\Rainlendar.exe C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe D:\Daniel\Softwares\Internet\jabber(all pluggin)\jajc.exe C:\WINDOWS\system32\ping.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Mozilla Thunderbird\thunderbird.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\daniel\Desktop\HiJackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.cujae.edu.cu/proxy.pac F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,igfxtha.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6w.exe" //MS//Tomcat6 O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-21-1123561945-515967899-725345543-1004\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'postgres') O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe O4 - Startup: Shortcut to jajc.lnk = D:\Daniel\Softwares\Internet\jabber(all pluggin)\jajc.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe O4 - Global Startup: Google Talk.lnk = C:\Program Files\Google\Google Talk\googletalk.exe O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{E9EB5D01-3C2F-4DCA-9C17-BED49EAC1F50}: Domain = cujae.edu.cu O17 - HKLM\System\CCS\Services\Tcpip\..\{E9EB5D01-3C2F-4DCA-9C17-BED49EAC1F50}: NameServer = 10.8.176.4,10.8.176.6,10.8.1.70 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing) O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\svnservice.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe -- End of file - 10973 bytes
Hi dpages, Well, I see you have been busy collecting Malware… This Log is more infected that your first log was.. The ONLY WAY I’ll be able to help you clean your machine is for you to follow the instructions AND limit your internet activity.. We must start over at ground zero………… I will be giving you a series of instructions that need to be followed in the order in which I give them to you. If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again. Please do not start another thread or topic, I will assist you at this thread until we solve your problems. Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same. That said, All advice given by anyone volunteering here, is taken at own risk. While best efforts are made to assist in removing infections safely, unexpected stuff can happen. Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet. Please download and install SUPERAntiSpyware Free • Double-click SUPERAntiSypware.exe and use the default settings for installation. • An icon will be created on your desktop. Double-click that icon to launch the program. • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.) • Under the "Configuration and Preferences", click the Preferences... button. • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked. • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked): o Close browsers before scanning. o Scan for tracking cookies. o Terminate memory threats before quarantining. • Click the "Close" button to leave the control center screen and exit the program. • Do not run a scan just yet. Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Double-click ATF-Cleaner.exe to run the program. • Under Main "Select Files to Delete" choose: Select All. • Click the Empty Selected button. • If you use Firefox browser click Firefox at the top and choose: Select All • Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. • If you use Opera browser click Opera at the top and choose: Select All • Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. • Click Exit on the Main menu to close the program. Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator". Scan with SUPERAntiSpyware as follows: • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer. • On the left, make sure you check C:\Fixed Drive. • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next". • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". • Make sure everything has a checkmark next to it and click "Next". • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu. • If asked if you want to reboot, click "Yes" and reboot normally. Reboot to Normal Mode • To retrieve the removal information after reboot, launch SUPERAntispyware again. o Click Preferences, then click the Statistics/Logs tab. o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. o Please copy and paste the Scan Log results in your next reply. • Click Close to exit the program. Download and Run Combofix Download ComboFix from Here to your Desktop. • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". • Double click combofix.exe and follow the prompts. • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall. Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Make a HijackThis Log • From the desktop open Hijackthis. • If using Windows Vista, Right-click and Run As Administrator. • Click on the Do a system scan and save a log file button • Hijackthis will scan and then a log will open in notepad. • Copy and then paste the entire contents of the log in your post. Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required Make an uninstall list using HijackThis To access the Uninstall Manager you would do the following: 1. Start HijackThis 2. Click on the Config button 3. Click on the Misc Tools button 4. Click on the Open Uninstall Manager button. 5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply. Please post the HijackThis log, SUPERAntiSpyware Log, Uninstall list and Combofix log in your next reply. Remember, it is very important to post ALL of the Logs requested. It’s the ONLY WAY that I can SEE what’s going on in your computer and you must TELL ME what is happening on your end as well…. Regards
