Trusted Malware Techs
About jwbirdsong

  • Birthday 08/02/1957

Profile Information

  • Location
    Denver CO USA

  1. mattia74, sorry, I seem to have let this post slip through the cracks...... Would you boot to Safe Mode and delete all the files that Panda didn't clean:
     C:\Documents and Settings\Mattia\Favorites\exsplorer.lnk
     C:\WINDOWS\color.css
     C:\WINDOWS\inf\bi.inf
     C:\WINDOWS\inf\biini.inf
     C:\WINDOWS\system.sam
     C:\WINDOWS\system32\CSUninstall.exe
     C:\WINDOWS\system32\StopzillaBH0.dll
     F:\GIOCHI\Warcraft 3\FFF-Warcraft.3.Reign.of.Chaos_KEYGEN.zip[start.exe]
     F:\GIOCHI\Warcraft 3\start.exe
     Then reboot and post a fresh HJT log, along with any message regarding how your system is running.
  2. Download smitRem.exe ©noahdfear and save the file to your desktop. Double click on the file to extract it to its own folder on the desktop.

     Please download Ewido Security Suite; it is a free version of the program. Install Ewido Security Suite. When installing the program, under "Additional Options" uncheck:
     Install background guard
     Install scan via context menu
     Launch Ewido; there should now be an icon on your desktop, double-click it. The program will now open to the main screen. When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
     You will need to update Ewido to the latest definition files: On the left hand side of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".) Close Ewido Security Suite. If you are having problems with the updater, you can use this link to manually update Ewido: Ewido manual updates.

     Next, please reboot your computer in Safe Mode by doing the following:
     Restart your computer.
     After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
     Instead of Windows loading as normal, a menu should appear.
     Select the first option, to run Windows in Safe Mode.

     Now scan with HJT and place a checkmark next to the following items:
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
     F2 - REG:system.ini: Shell=
     Close all other windows and browsers and click FIX CHECKED. Close HijackThis.

     Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and Disk Cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

     Run Ewido: Click on Scanner. Click on Complete System Scan and the scan will begin. NOTE: During some scans with Ewido it is finding cases of false positives. You will need to step through the process of cleaning files one-by-one. If Ewido detects a file you KNOW to be legitimate, select none as the action. DO NOT select "Perform action on all infections". If you are unsure of any entry found, select none for now. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop. Close Ewido.

     Next go to Control Panel, click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

     Reboot back into Windows and scan your system with Ad-Aware: Ad-aware SE - Download - Home Page. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version; be sure to uninstall the previous version. After installing Ad-Aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run. Manually run "Ad-Aware SE Personal" and from the main screen click on "Check for Updates Now". Once the definitions have been updated, reconfigure Ad-Aware for a Full Scan as per the following instructions:
     Launch the program, and click on the Gear at the top of the start screen.
     Under General Settings the following boxes should all be checked off (Checked will be indicated by a green circle with a check mark in it; Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version):
     "Automatically save logfile"
     "Automatically quarantine objects prior to removal"
     "Safe Mode (always request confirmation)"
     "Prompt to update outdated confirmation" - Change to 7 days.
     Click the "Scanning" button (on the left side). Under Drives & Folders, select "Scan within Archives". Click "Click here to select Drives + folders" and select your installed hard drives.
     Under Memory & Registry, select all options.
     Click the "Advanced" button (on the left hand side). Under "Shell Integration", select "Move deleted files to Recycle Bin". Under "Log-file detail", select all options.
     Click on the "Defaults" button on the left. Type in the full URL of what you want as your default homepage and searchpage, e.g. http://www.google.com.
     Click the "Tweak" button (again, on the left hand side). Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
     "Unload recognized processes during scanning."
     "Obtain command line of scanned processes"
     "Scan registry for all users instead of current user only"
     Under "Cleaning Engine", select the following:
     "Automatically try to unregister objects prior to deletion."
     "During removal, unload explorer and IE if necessary"
     "Let Windows remove files in use at next reboot."
     "Delete quarantined objects after restoring"
     Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)".
     Click on "Proceed" to save these Preferences.
     Click on the "Scan Now" button on the left. Under "Select Scan Mode", be sure to select "Use Custom Scanning Options". Close all programs except Ad-Aware. Click on "Next" in the bottom right corner to start the scan. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - even if not prompted to. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

     Lastly run this online virus scan: ActiveScan. Once you are on the Panda site click the Scan your PC button. A new window will open... click the Check Now button - Enter your Country - Enter your State/Province - Enter your e-mail address and click send (*NOTE it's perfectly safe to do so.. You will NOT be spammed from this) - Select either Home User or Company. Click the big Scan Now button. If/when you get a notice that Panda wants to install an ActiveX component, allow it. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes). When download is complete, click on Local Disks to start the scan. When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.

     Post the contents of the Panda scan report, a new HijackThis log, smitfiles.txt and the Ewido log in a reply to this thread.
  3. You are using an outdated version of HijackThis. Please download HijackThis version 1.99.1 from here: http://www.downloads.subratam.org/hijackthis.zip . You are also running HijackThis from the desktop; please make sure to unzip it to its own permanent folder (e.g. C:\HijackStuff\HijackThis.exe, or you could have a folder named HijackFixers on your desktop and put it in there). Then please run HijackThis, click Scan and Save log, and post the new log here. I would be happy to take a look at it.
  4. If you re-read your original post you will notice that secure32 is mentioned once in an obscure title (at best) and then not again. NOWHERE do you say that C:\WINDOWS\SYSTEM32\Drivers\etc\hosts is the path to secure32. It is just listed as the "Panda scan path".. the path to what? Your hosts file that is no longer there? One of the 5 exploits you mention? Something else?? We do NOT read minds.. Sorry to have to inconvenience you to post a little more info to go on... Hopefully you can find and delete the secure32; if not, post a reply and I'll get someone else to take over your thread.
  5. Do you have the copy of the Panda log?? Do you know WHERE Panda is seeing it?? There is ABSOLUTELY NO sign of secure32 in any of the logs...... Also do a search for secure32; make sure you are set to view hidden files and search in system folders/hidden files.
  6. Had some issues and was unable to get on here yesterday.. Will reply after work today.
  7. Nothing showing in the log.. The Panda link you posted is not valid... can you give details please. Also, are you saying your hosts file is just gone? Can you not replace it? Do you have view hidden files enabled?.. If something changed a property on hosts to System and/or Archive you may not see it otherwise.

     Please temporarily disable MSAS by doing the following (it may interfere with the fix):
     Open Microsoft AntiSpyware.
     Click on Options -> Settings.
     In the left pane, click on Real-time Protection.
     Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
     Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
     After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
     Restart your computer.
     Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
     Make sure the settings are changed back when we are done.

     Please click and download Silent Runners. Save it to the desktop.
     * Double click the "Silent Runners" icon on your desktop to run it.
     * Now you will see a text file appear on the desktop - it is NOT done yet, so let it run (it won't appear to be doing anything!)
     * After you receive the "All Done!" prompt, double-click on the new text file on the desktop and copy/paste it here.
     *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

     Download and run F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
     Run the program, accept statement > next > click > scan > next. If any items are detected have Blacklight rename them except for "wbemtest.exe". Do not rename "wbemtest.exe"; it's a Windows file. If there are any other files you THINK may be valid don't rename them. Help is available HERE. The tool will ask if you want to reboot (restart); choose yes. Log will be named fsbl-<date/time>.log, e.g. fsbl-20051213134642.log

     Also you show as having Ewido installed.. would you update and do a FULL scan in SAFEMODE and then post that, along with the Blacklight and SilentRunners logs. Shouldn't need a new HijackThis yet.
  8. Before we start this (LAST???) clean up operation would you search for C:\WINDOWS\system32\logl_h.exe and C:\WINDOWS\system32\l_h_32.exe and Email them to me as you did last time. I DID get the mail, thanks, forgot to mention it.

     Copy the following to Notepad and save as lastfix.reg. Next click on the lastfix.reg file and merge it into your registry.

     Run HijackThis using Scan Only, check the following: (I'm pretty sure you know what to check by now anyway, but..)
     O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
     O4 - HKCU\..\Run: [logl_h] C:\WINDOWS\system32\logl_h.exe
     O4 - HKCU\..\RunOnce: [logl_h] C:\WINDOWS\system32\logl_h.exe
     Make sure everything else is closed and click FIX CHECKED.

     Boot to safe mode and delete the following:
     C:\WINDOWS\system32\logl_h.exe
     C:\WINDOWS\system32\l_h_32.exe
     C:\Program Files\E2Give <<--- Entire Folder

     Delete files/folders from the following directories (but not the directory itself; for example delete all files/folders IN Temp, but not Temp itself!):
     C:\Windows\Temp\
     C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
     C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
     C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <--- This will delete your internet cache, including cookies. This is recommended and strongly suggested. But you will have to manually log on to all internet sites the first time you visit them again.
     C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
     Empty your "Recycle Bin". There are always a couple of files that you will not be able to delete.. this is normal and expected.

     Reboot to Normal mode.... go ahead and browse for a few hours and see how it's running; if you need to then post a new HijackThis log..... I'm hoping it will be your last one!!!
  9. ' TrackQoo.vbs - writes several autostart locations to Report.txt and opens it in Notepad
     Dim Def, Wshshell, FN, fso, Report, Msg, Mess
     Dim strComputer, oReg, strKeyPath, arrSubKeys, subkey
     Dim SU, s, f, f1, fc, Q, cpl, Sys, Maker, pad
     Const HKEY_CLASSES_ROOT = &H80000000
     Set fso = WScript.CreateObject("Scripting.FileSystemObject")
     Set Wshshell = WScript.CreateObject("WScript.Shell")

     ' 1. Export HKLM\...\Run with regedit (/e export, /a ANSI text) and wait for it to finish
     Wshshell.Run "regedit /e /a Report.txt" & " " & "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", , True
     Set Report = fso.OpenTextFile("Report.txt", 8, True)   ' 8 = ForAppending
     Report.WriteLine "-----------------"

     ' 2. Context menu handlers registered for all file types: resolve each one to its InprocServer32 DLL
     strComputer = "."
     Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
     strKeyPath = "*\shellex\ContextMenuHandlers"
     oReg.EnumKey HKEY_CLASSES_ROOT, strKeyPath, arrSubKeys
     On Error Resume Next   ' missing keys/values are expected here; keep going
     For Each subkey In arrSubKeys
         Err.Clear
         Def = Wshshell.RegRead("HKCR\" & strKeyPath & "\" & subkey & "\")   ' default value = CLSID
         FN = Wshshell.RegRead("HKCR\CLSID\" & Def & "\InprocServer32\")
         If FN = "" Then
             ' some handlers are keyed by the CLSID itself
             FN = Wshshell.RegRead("HKCR\CLSID\" & subkey & "\InprocServer32\")
         End If
         FN = Wshshell.ExpandEnvironmentStrings(FN)
         Msg = Msg & vbCrLf & "Subkey --- " & subkey & vbCrLf & Def & vbCrLf & FN & vbCrLf
         Err.Clear
         Def = ""
         FN = ""
     Next
     Report.WriteLine "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers"
     Report.WriteLine
     Report.Write Msg
     Report.WriteLine
     Report.WriteLine "====================="
     Report.WriteLine

     ' 3. Column handlers for folders (another shell extension load point)
     strKeyPath = "Folder\shellex\ColumnHandlers"
     oReg.EnumKey HKEY_CLASSES_ROOT, strKeyPath, arrSubKeys
     For Each subkey In arrSubKeys
         Err.Clear
         FN = Wshshell.RegRead("HKCR\CLSID\" & subkey & "\InprocServer32\")
         FN = Wshshell.ExpandEnvironmentStrings(FN)
         Mess = Mess & vbCrLf & "Subkey --- " & subkey & vbCrLf & FN & vbCrLf
         Err.Clear
         FN = ""
     Next
     Report.WriteLine "HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers"
     Report.WriteLine
     Report.Write Mess
     Report.WriteLine
     Report.WriteLine "=============================="

     ' 4. Files in the All Users Startup folder, then in the current user's Startup folder
     SU = Wshshell.SpecialFolders("AllUsersStartup")
     Report.WriteLine SU
     Set f = fso.GetFolder(SU)
     Set fc = f.Files
     For Each f1 In fc
         s = s & f1.Name & vbCrLf
     Next
     Report.WriteLine
     Report.Write s
     Report.WriteLine "=============================="
     s = ""   ' reset so the per-user list does not repeat the All Users entries
     SU = Wshshell.SpecialFolders("Startup")
     Report.WriteLine SU
     Set f = fso.GetFolder(SU)
     Set fc = f.Files
     For Each f1 In fc
         s = s & f1.Name & vbCrLf
     Next
     Report.WriteLine
     Report.Write s
     Report.WriteLine "=============================="

     ' 5. Control Panel applets (.cpl) in the System folder, with the manufacturer WMI reports for each
     Sys = fso.GetSpecialFolder(1)   ' 1 = SystemFolder
     Report.WriteLine Sys & " cpl files"
     Report.WriteLine
     Set f = fso.GetFolder(Sys)
     Set fc = f.Files
     For Each f1 In fc
         If LCase(Right(f1.Name, 4)) = ".cpl" Then
             Q = Replace(f1.Path, "\", "\\")   ' WMI object paths need doubled backslashes
             Maker = ""
             Set cpl = GetObject("winmgmts:root\cimv2").Get("CIM_DataFile.Name=""" & Q & """")
             Maker = cpl.Manufacturer
             If Len(f1.Name) < 30 Then pad = Space(30 - Len(f1.Name)) Else pad = " "
             Report.Write vbCrLf & f1.Name & pad & Maker
             Err.Clear
         End If
     Next
     Report.Close
     Wshshell.Run "Notepad Report.txt"
     Set fso = Nothing
     Set Report = Nothing
     Set cpl = Nothing
     Set f = Nothing
     Set fc = Nothing
     Set oReg = Nothing
     Set Wshshell = Nothing

     Also, would you please copy the above into Notepad and Save as TrackQoo.vbs (make sure to set the Save as type to ALL FILES). After the Ewido scan and reboot, please run TrackQoo.vbs. You should just have to double click it (BUT if it just opens in Notepad instead, right click and choose Run). Then post this log along with a new HijackThis.
  10. yes would you please do the full scan and in safe mode. Should take quite as long that way either
  11. GREAT!!! That Apropos HAD to be what's stopping our fixes.

     It has been brought to my attention that you are running 2 Anti-Virus programs. This is NOT acceptable; while many online security type tools DO work in harmony, Anti-Virus programs are NOT among them. They will fight for 'control' of your system, causing poor performance and errors. Please choose to keep either AVG or Trend and uninstall the other.

     Now that we have killed the root kit would you please go back and follow the steps outlined in THIS post. UPON close inspection the links DON'T seem to take you to the post.. just the page they are on... This post is the one with the DSR fix and KillQoo.reg. Substitute the following for the HijackThis log in the above post (actually they are very similar, a couple of additions though). Open HijackThis and place a check next to the following:
     O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ywiwkq.exe reg_run
     O4 - HKCU\..\Run: [Eaxidur] C:\WINDOWS\system32\??ool32.exe
     O4 - HKCU\..\Run: [logl_h] C:\WINDOWS\system32\logl_h.exe
     O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt ndrv
     O4 - HKCU\..\RunOnce: [logl_h] C:\WINDOWS\system32\logl_h.exe
     O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
     O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
     O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
     O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
     Reboot and run AdAware EXACTLY as described HERE (the previous post with AdAware and the VX2 plug in). One more reboot and post a fresh HijackThis log that SHOULD be MUCH cleaner now.
  12. Sorry I took so long, I had someone else review this because we are having such a hard time getting rid of a few of those entries.

     You will need to print out these instructions for reference, since you will have to restart your computer during the fix.

     Please download AproposFix from here: http://swandog46.geekstogo.com/aproposfix.exe
     Save it to your desktop but do NOT run it yet.

     Next, please reboot your computer in Safe Mode by doing the following:
     Restart your computer.
     After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
     Instead of Windows loading as normal, a menu should appear.
     Select the first option, to run Windows in Safe Mode.
     For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
     This fix MUST be run in Safe Mode.

     Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts. When the tool is finished, please reboot back into normal mode.

     Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.
     rem /a with no attribute letters lists the file whatever its attributes (hidden and system included)
     dir C:\WINDOWS\system32\??ool32.exe /a > files.txt
     notepad files.txt
     Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

     Also do a search for pxhx.exe; it's more than likely in C:\windows\system32 if it exists. If found, zip a copy, password protect the zip and Email it to the address below. If you are not sure how to do the above try this way. You can not, or don't need to, password protect the following method.. just if you ZIP it.
     Please download the Suspicious File Packer from here: http://www.safer-networking.org/files/sfp.zip
     Unzip it to the desktop and run it. Paste the following list of bad files into the Suspicious File Packer window:
     C:\WINDOWS\system32\pxhx.exe
     Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please email the files to me at: jwbsubmit AT aim DOT com. Please include a link to this log, and the password IF you zipped it. Thank you!

     Post a new HijackThis log, the log.txt file in the aproposfix folder and the results of FindFile.bat in your next reply.
  13. Sorry, I've had connection problems and have been unable to get online for about 4 hrs...

     Please print out or copy this page to Notepad. Make sure to work through the steps in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fix.

     Download DSRFIX from HERE onto your Desktop. Unzip and EXTRACT the files to your Desktop. The program creates and names the new folder to house the files. DO NOT RUN IT YET.
     Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.
     Download Cleanup from Here (alternate site if the above is not working: Go Here). A window will open; choose SAVE, then DESKTOP as the destination. On your Desktop, click on the Cleanup40.exe icon. Then, click RUN and place a checkmark beside "I Agree". Then click NEXT followed by START and OK. A window will appear with many choices; keep all the defaults as set when the Slide Bar to the left is set to Standard Quality. Click OK. DO NOT RUN IT YET.

     CLOSE INTERNET EXPLORER, if it is open. Hit Ctrl+Alt+Del and open process manager. Highlight WinSync in the list but select "End Process Tree" instead of just "End Process". Then End Process on any of the following that are there:
     C:\Program Files\apsi\wtta.exe
     C:\WINDOWS\system32\logl_h.exe
     C:\WINDOWS\system32\??ool32.exe
     C:\WINDOWS\system32\logl_h.exe
     C:\WINDOWS\system32\sms_msn.exe

     Open the folder dsrfix. Double click on the dsrfix batch file (the one with the little gear in it). Once dsrfix has completed it will close on its own.

     Please open Notepad, and copy/paste the code in the box below into a new text file. Click on File > Save As > Save it as KillQoo.reg (Filetype (bottom file) MUST be set to "All Files".. NOT text) and save it on your Desktop.

     Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete":
     C:\Program Files\apsi\wtta.exe
     C:\WINDOWS\system32\l_h_32.exe
     C:\WINDOWS\system32\l_h_32.dll
     C:\WINDOWS\system32\qpapv.dat
     C:\WINDOWS\system32\l_h_32.dll
     C:\WINDOWS\system32\??ool32.exe
     As you Paste each entry into Killbox, place a tick by these Selections: "Delete on Reboot", "Unregister .dll before Deleting". Click the Red Circle with the White X in the Middle to Delete!

     Restart in Safe Mode and Run those files through Killbox once more to be sure nothing survived. This time place a tick by any of these selections available: "Standard File Kill", "End Explorer Shell while Killing File", "Unregister .dll before Deleting".

     Now Locate and DoubleClick KillQoo.reg -> Allow it to merge into the Registry!

     Please re-open HiJackThis using Scan Only. Check the boxes next to all the entries listed below.
     O2 - BHO: ngsh35.clsIS - {392BAF48-A26A-45B5-9263-97128E429268} - C:\WINDOWS\system32\ngsh35.dll (file missing)
     O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsa4A.dll
     O2 - BHO: (no name) - {DC181A4C-AEA9-AE2D-89DD-A728E1543AC1} - C:\WINDOWS\system32\qrkgs.dll
     O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
     O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
     O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ywiwkq.exe reg_run
     O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazb
     O4 - HKCU\..\Run: [logl_h] C:\WINDOWS\system32\logl_h.exe
     O4 - HKCU\..\Run: [Eaxidur] C:\WINDOWS\system32\??ool32.exe
     O4 - HKCU\..\RunOnce: [logl_h] C:\WINDOWS\system32\logl_h.exe
     O15 - Trusted Zone: *.elitemediagroup.net
     O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
     O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
     Now close all windows other than HiJackThis, then click Fix Checked.

     Close HijackThis; now, while still in safe mode, run an Ewido scan (but DON'T post the log unless I ask for it later). Restart back in Normal Mode and post a fresh HijackThis log!

     Run Cleanup. Click on the "Cleanup" button and let it run. Once it's done, close the program. REBOOT your system. Please restart HJT and post back a fresh HJT log for review.
  14. I'll get you a reply posted soon, I just got home from work so after I eat I'll work you up a reply.. Can you answer a question while you are waiting... when you ran the first part of the AdAware speech in the above post.... the VX2 plugin/addon; do you recall what, if any, type of msg you got? It just doesn't seem to have done what I expected and I was wondering if you got an error or something??.. There are other means to do the same; I was just curious.
  15. BEFORE BEGINNING, please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

     First, download Ewido Security Suite. Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

     Run Ad-Aware, update to the latest definitions, then click on Add-ons in the left-hand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

     Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal. You will be prompted to set Ad-Aware to run on reboot; click "OK". Exit Ad-Aware and restart your PC once again. When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

     For a final cleanup, please install and run Ewido. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment. From the main Ewido screen, click on Update in the left menu, then click the Start update button. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run. If Ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if Ewido needs to be run again. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

     Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.