Questolo - Pls. help - Possible virus and spyware - coolpics.net - IE

[sohnir]

Hi Questolo-

It appears that there is a virus or a spyware infecting my computer. I saw IE loading coolpics.net from an IM message...since then my IE homepage has changed and I cannot change the homepage. I cleaned up the registry entries for coolpics from HIJACK log; but the IE still points to the coolpics on the reboot. Please help. I'm uploading the hijack log below. I'd also cleaned up the dell4me-MyWay registry entries while cleaning up coolpics...I hope this has not adversely affected my IE...Now whenever I open my IE I have several different porn sites getting opened...Some other sites that gets opened are quicknewsinfo, mortgage sites, etc...Multiple browser windows opening automatically...

Also, noticed that there is a file names YWorm.exe and svchost.ext - both modified at the time I think the computer was infected. I'm uploading the snapshot of the Windows Explorer which shows the time and size of the change of those exes. Also, I noticed that the time of svchost.exe has also changed...Isn't this a system file? How will this affect my computer?

Thanks very much in advance. Here is the hijack log
####################################
Logfile of HijackThis v1.99.1
Scan saved at 8:32:16 PM, on 1/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\DAEMON Tools\daemon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system\svhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\VIPULC~1.PAT\LOCALS~1\Temp\IEXPLORE.EXE
C:\DOCUME~1\VIPULC~1.PAT\LOCALS~1\Temp\EXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TextPad 4\TextPad.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\RealVNC\VNC4\vncviewer.exe
C:\WINDOWS\system\YMworm.exe
C:\WINDOWS\system\YMworm.exe
C:\DOCUME~1\VIPULC~1.PAT\LOCALS~1\Temp\IEXPLORE.EXE
C:\DOCUME~1\VIPULC~1.PAT\LOCALS~1\Temp\EXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system\YMworm.exe
C:\WINDOWS\system\YMworm.exe
C:\DOCUME~1\VIPULC~1.PAT\LOCALS~1\Temp\IEXPLORE.EXE
C:\DOCUME~1\VIPULC~1.PAT\LOCALS~1\Temp\EXPLORE.EXE
C:\WINDOWS\system\YMworm.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system\YMworm.exe
C:\WINDOWS\system\YMworm.exe
C:\WINDOWS\system\YMworm.exe
C:\WINDOWS\system\YMworm.exe
C:\WINDOWS\system\YMworm.exe
C:\WINDOWS\system\YMworm.exe
C:\WINDOWS\system\YMworm.exe
C:\WINDOWS\system\YMworm.exe
C:\Documents and Settings\Vipul C. Patel\My Documents\Tools+Software\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quicknews.info
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system\svhost.exe
O4 - HKLM\..\Run: [Yahoo Messenger] C:\WINDOWS\system\svchost32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oracle1.lifedata.ldl:8000/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{07D51B02-62D7-4899-8257-21007AED4647}: Domain = iss.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{07D51B02-62D7-4899-8257-21007AED4647}: NameServer = 209.134.169.85,209.134.161.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C94D276-D18B-4E37-B99C-DABDC16D715E}: NameServer = 68.87.68.162,68.87.74.162
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = iss.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{07D51B02-62D7-4899-8257-21007AED4647}: Domain = iss.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{07D51B02-62D7-4899-8257-21007AED4647}: NameServer = 209.134.169.85,209.134.161.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = iss.local
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOADFO~1\RNetPin.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleOra920_DB_homeAgent - Oracle Corporation - C:\oracle\product\9.2.0\bin\agntsrvc.exe
O23 - Service: OracleOra920_DB_homeClientCache - Unknown owner - C:\oracle\product\9.2.0\BIN\ONRSD.EXE
O23 - Service: OracleOra920_DB_homeHTTPServer - Unknown owner - C:\oracle\product\9.2.0\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOra920_DB_homeManagementServer - Unknown owner - C:\oracle\product\9.2.0\bin\OMSNTsrv.exe
O23 - Service: OracleOra920_DB_homePagingServer - Unknown owner - C:\oracle\product\9.2.0/bin/pagntsrv.exe
O23 - Service: OracleOra920_DB_homeSNMPPeerEncapsulator - Unknown owner - C:\oracle\product\9.2.0\BIN\ENCSVC.EXE
O23 - Service: OracleOra920_DB_homeSNMPPeerMasterAgent - Unknown owner - C:\oracle\product\9.2.0\BIN\AGNTSVC.EXE
O23 - Service: OracleOra920_DB_homeTNSListener - Unknown owner - C:\oracle\product\9.2.0\BIN\TNSLSNR.exe
O23 - Service: OracleServiceSAI - Oracle Corporation - c:\oracle\product\9.2.0\bin\ORACLE.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
###########################################

[guestolo]

I noticed that the time of svchost.exe has also changed...Isn't this a system file?

The Legit svchost.exe resides in the System32 folder

Download a few small tools

Download [color=\"red\"]SDFix[/color] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
We'll need this later

Download [color=\"#FF0000\"]ATF-Cleaner[/color] by Atribune.
Save it to your desktop
We'll need this later

Download [color=\"#FF0000\"]The Avenger.zip[/color] by Swandog46 to your Desktop.

    * Click on Avenger.zip to open the file
    * Extract avenger.exe to your desktop

Print the rest of these instructions, it's important, as much of the instructions will be done without any browser windows open
LOG OFF any other users on the computer except for yourself

Copy ALL the text contained in [color=\"#0000FF\"]blue[/color] below to your Clipboard by highlighting it and pressing the (Ctrl+C) on your keyboard,
Make sure you include "files to delete:"
=============================================================
[color=\"#0000FF\"]
files to delete:
C:\WINDOWS\system\svhost.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system\YMworm.exe
C:\WINDOWS\system\svchost32.exe
C:\Documents and Settings\Vipul C. Patel\Local Settings\Temp\IEXPLORE.EXE
C:\Documents and Settings\Vipul C. Patel\Local Settings\Temp\EXPLORE.EXE

Registry values to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Task Manager
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Yahoo Messenger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | svchost

Programs to launch on reboot:
C:\Documents and Settings\Vipul C. Patel\My Documents\Tools+Software\hijackthis.exe[/color]

==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop
OK the prompt

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the [color=\"#00FF00\"]Green Light[/color] to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

After the restart, Hijackthis should open
When it does
Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quicknews.info
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


Click FIX CHECKED
OK the prompt and exit Hijackthis
Windows will finish loading
After it fully loads

Remain offline, don't open any browser windows
[color=\"blue\"]Your Java Runtime Environment is out of date.[/color] Older versions have vulnerabilities that malware can use to infect your system.

• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.

Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

If you use Firefox browser

      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

SDFix

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  

Keep your browser closed
Access Internet options in Windows Control Panel
Under the Program tab>>Reset Web Settings
Under the General tab>>.Reset Home page to preferred

Update Java

• Download the latest version of  Java Runtime Environment (JRE) 6.
  
• Scroll down to where it says "Java Runtime Enviroinment (JRE) 6, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  
• Click the "Download" button to the right.
  
• Check the box that says: "Accept License Agreement[/i]".
  
• The page will refresh.
• Click on the link to download Windows Offline Installation, Multi-language  and save it to your desktop (12.56 MB).
  

Double click on the Installer, follow the prompts
After Java is installed, go ahead and delete the installer from desktop

Come back here and post All the following please
1. Post a fresh hijackthis log
2. Post the log from SDFix>>Report.txt
3. Post the log from Avenger>>C:\Avenger.txt

[sohnir]

Hi Questolo-
I tried several times to reply to this post..but was not able..every time the server complained that the page is not available...Is there any problem with the site?
Thanks.

[guestolo]

Since it's been way too long since your last reply, can you post a fresh hijackthis log and let's see where we stand now