Hello and Welcome to TSF!
I just want to warn you up front that you have multiple infections here. So please be prepared for this to take a couple of rounds. There's a fair bit of work to do & I require your assistance & patience.
Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.
CleanUp!.exe - Install.
KillBox v2.0.0.175.zip
Nailfix.exe
Process Explorer
LQFix.zip
I need you to update Ewido again. Please go to this website -
http://www.ewido.net/en/download/updates/
Download the full updated database (approximately 3600 KB) & install it onto your copy of Ewido.
WinPfind.zip
TrackQoo.zip
'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING
This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.
If there's anything that you don't understand, kindly ask your question(s) before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.
IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.
Do not skip any parts of the fix unless it's necessary. It will affect the efficiency of the fix.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run a scan with HijackThis & locate an entry that looks similar to this...
C:\WINDOWS\system32\ccyvkyd.exe r
The filename might be different, but you can identify it by the following traits:
* it resides in the system32 folder
* it has the lone letter "r" at the end
Take note of the filename & location.
Run Process Explorer.
From the list of processes, locate the file you've just identified.
Right-click the file & select Suspend.
Leave Process Explorer running with the process suspended.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Copy the filename/s listed below.
Select/Highlight all the filenames & then click on Notepad's Edit menu & select Copy
- name of the file you've just Suspended
C:\WINDOWS\Nail.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\lplsds.exe
C:\WINDOWS\cmekyya.EXE
C:\WINDOWS\System32\syscpy.exe
C:\WINDOWS\System32\stcloader.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\System32\ktvuog.exe
C:\WINDOWS\Belt.exe
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\System32\71636599.exe
C:\WINDOWS\System32\15746706.exe
C:\WINDOWS\system32\ccyvkyd.exe
C:\PROGRA~1\INTERN~2\iw.exe min
c:\windows\SvcProc.exe
C:\WINDOWS\wziznxp.exe
Launch KillBox.exe - Go to the File menu, and choose Paste from Clipboard
Click the dropdown-arrow next to the Full Path of File to Delete field.
Verify that the filenames you pasted are found in there.
- Select/tick the following:
- Delete on Reboot
- End Explorer Shell While Killing File
- Unregister .dll Before deleting * if it's not grayed out
- Click the RED X button.
- Click Yes at the Delete on Reboot prompt.
- Click Yes at the 'Pending Operations prompt'.
* If you receive a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
- WildTangent
- VBouncer / Virtual Bouncer
- Clear Search
- Search Upgrader
- Power Scan
- CMAPP
- Altnet
- Kazaa
- Internet Washer Pro
- WhistleSoftware
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run Nailfix.exe.
Follow the instructions outlined by the setup installer.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Double-click on LQFix.zip & run LQFix.bat
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Click Start->Run - type SERVICES.MSC & then click on the OK button
- Locate the service - Windows Overlay Components
- Double-click on it to open the Properties dialog.
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS
Run a scan with HiJackThis & select/tick the following & click "Fix checked" :
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lplsds.exe reg_run
O4 - HKLM\..\Run: [cmekyya] C:\WINDOWS\cmekyya.EXE
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [Syscpy] C:\WINDOWS\System32\syscpy.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [blakowlqcapsb] C:\WINDOWS\System32\ktvuog.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [71636599.exe] C:\WINDOWS\System32\71636599.exe
O4 - HKLM\..\Run: [15746706.exe] C:\WINDOWS\System32\15746706.exe
O4 - HKLM\..\Run: [cbrcwrp] C:\WINDOWS\system32\ccyvkyd.exe r
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\wziznxp.exe
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
- Enable - Show hidden files and folders
- Disable - Hide file extensions for known types
- Disable - Hide protected operating system files
Click Yes to confirm & then click OK
Locate and delete the following folder(s), if present:
- C:\Program Files\Internet Washer
- C:\Program Files\Common Files\slmss\
- C:\Program Files\WhistleSoftware\
- C:\Program Files\CMAPP\
- c:\program files\altnet\
- C:\Program Files\ClearSearch\
- C:\WINDOWS\System32\P2P Networking\
- C:\Program Files\Power Scan\
- C:\Program Files\Common files\SearchUpgrader
- C:\Program Files\VBouncer\
- C:\Program Files\WildTangent
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run Cleanup! using the following configuration:
1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
- Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run Ewido with its updated definitions: (...it's important that all windows are closed)
1. Click Scanner
2. Click Complete System Scan to begin scanning.
3. Click OK when prompted to clean files
4. With the first file it prompts to clean, select the option: "Perform action on all infections"
5. Choose clean and click OK.
6. Once finished, click the Save report button
7. Save the report to your desktop
** The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Double-click WinPFind.zip & extract the contents to a new folder at Drive C.
1. From within that folder, double-click WinPFind.exe
2. Click Start Scan
3. Once the Scan is complete, it will create a report in a text file
4. Go to the WinPFind folder & locate WinPFind.txt
5. Post the results in your next reply!
** This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, 30 minutes or more.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
REBOOT TO NORMAL MODE
Perform an online scan with Panda ActiveScan - requires Internet Explorer
- Click on the Scan your PC button & a 'pop up' window will appear. * ensure that your pop up blocker doesn't block it
- Click On 'Scan Now'
- Enter your e-mail address & click 'Scan Now' ...this begins downloading Panda's ActiveX controls (8 MB)
- Begin the scan by selecting My Computer
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
- If it finds any malware, it will offer you a report. Click on see report
- Then click Save report
- Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
- Save it to your desktop.
- Double-click the new icon on your desktop - tmas-web-scan.exe
- It will say "Loading TrendMicro definitions".
- Once the definitions are loaded, the program will appear to close then re-open.
- Click Start Scan
- After it's done scanning, click "Scan Results"
- Make sure all items found have a check next to them, then click Clean Threats Now.
- Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log"; please double-click that log and copy the entire contents and paste them here.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Extract the contents of TrackQoo.zip & double-click on TrackQoo1.vbs. Wait a few seconds and a Notepad page will pop up. Copy & paste those results in your next reply.
* If your Antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this entire script to run, it's harmless!
In your next post, please include fresh logs from:
- HiJackThis log
- Online Scan
- Ewido
- WinPfind
- TrackQoo1.vbs
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
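The HijackThis entries in the post above were picked out by hand from a few clues: a system32 binary started with a lone "r", a second program hung off the system.ini Shell= line, an unknown-owner service whose binary sits straight in C:\WINDOWS, all-digit filenames, and a fixed list of paths to kill. The following is an added example, not code from the forum post or from HijackThis itself, that turns those clues into a small log triage script. The parsing regexes, the flagging rules and the SAMPLE_LOG (lines quoted from the post plus one benign SoundMan entry added as a control) are assumptions for illustration; the rules are clues, not a verdict.

```python
"""Triage of HijackThis log lines by the traits the helper used above.
Added example, not HijackThis code; the rules below are illustrative
assumptions that encode the clues in the post, nothing more."""
import ntpath
import re
from dataclasses import dataclass, field

WINDIR = "C:\\WINDOWS"
SYSTEM32 = ntpath.join(WINDIR, "system32")

# Paths copied from the post's Killbox list, lower-cased for comparison.
HIT_LIST = {p.lower() for p in (
    "C:\\WINDOWS\\Nail.exe", "C:\\WINDOWS\\system32\\exp.exe",
    "C:\\WINDOWS\\system32\\lplsds.exe", "C:\\WINDOWS\\wziznxp.exe",
)}

# Constructed sample: lines quoted from the post plus one benign Run entry
# (SoundMan) added as a control that must not be flagged.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [exp.exe] C:\\WINDOWS\\system32\\exp.exe
O4 - HKLM\\..\\Run: [winsync] C:\\WINDOWS\\system32\\lplsds.exe reg_run
O4 - HKLM\\..\\Run: [71636599.exe] C:\\WINDOWS\\System32\\71636599.exe
O4 - HKLM\\..\\Run: [cbrcwrp] C:\\WINDOWS\\system32\\ccyvkyd.exe r
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Windows Overlay Components - Unknown owner - C:\\WINDOWS\\wziznxp.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")

@dataclass
class Entry:
    kind: str              # "O4", "F2" or "O23"
    label: str             # Run value name, "Shell", or the service name
    path: str              # executable exactly as the log prints it
    args: str = ""
    owner: str = ""
    reasons: list = field(default_factory=list)

def split_cmd(cmd: str):
    """Split 'path args' as HijackThis prints it; the path may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(?is)^(.*?\.exe)(?:\s+(.*))?$", cmd)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    return cmd, ""

def parse_line(line: str):
    """Return an Entry for the three line types handled here, else None."""
    if m := O4_RE.match(line):
        path, args = split_cmd(m["cmd"])
        return Entry("O4", m["name"], path, args)
    if m := F2_RE.match(line):
        shell, extra = split_cmd(m["cmd"])
        # A clean system.ini has Shell=Explorer.exe and nothing after it;
        # whatever was appended is recorded as the entry's path.
        return Entry("F2", "Shell", extra or shell)
    if m := O23_RE.match(line):
        path, args = split_cmd(m["cmd"])
        return Entry("O23", m["svc"], path, args, owner=m["owner"])
    return None

def in_dir(path: str, directory: str) -> bool:
    return ntpath.dirname(path).lower() == directory.lower()

def assess(e: Entry) -> Entry:
    """Attach a reason for every assumed trait the entry matches."""
    base = ntpath.basename(e.path)
    if e.kind == "F2" and base.lower() != "explorer.exe":
        e.reasons.append("system.ini Shell= starts something besides Explorer.exe")
    if e.args.lower() == "r" and in_dir(e.path, SYSTEM32):
        e.reasons.append("system32 executable started with a lone 'r' argument")
    if ntpath.splitext(base)[0].isdigit():
        e.reasons.append("all-digit filename")
    if e.kind == "O4" and in_dir(e.path, WINDIR):
        e.reasons.append("Run entry pointing straight into the Windows directory")
    if e.kind == "O23" and e.owner.lower() == "unknown owner" and in_dir(e.path, WINDIR):
        e.reasons.append("unknown-owner service whose binary sits in the Windows directory")
    if e.path.lower() in HIT_LIST:
        e.reasons.append("path is on the post's Killbox list")
    return e

def triage(log_text: str):
    """Parse every recognised line; flagged entries carry their reasons."""
    parsed = (parse_line(l) for l in log_text.splitlines())
    return [assess(e) for e in parsed if e is not None]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("FLAG" if e.reasons else "ok  ", e.kind, f"[{e.label}]", e.path)
        for r in e.reasons:
            print("       -", r)
```

Run it as a script to see the sample log annotated; feed it a full HijackThis log through triage() to get the same annotations. Note what the rules do not catch: the WildTangent, VBouncer and P2P Networking entries in the post live under Program Files or a system32 subfolder and trip none of these heuristics, which is why the helper's explicit list of paths and folders still does most of the work.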
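Killbox's "Delete on Reboot" option, and the "PendingFileRenameOperations registry data has been removed by external process" message the post warns about, both refer to the same mechanism: a REG_MULTI_SZ value named PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends source/destination pairs to it, and Session Manager carries them out at the next boot before the listed files can be running or locked; an empty destination deletes the source, and a "!" prefix on the destination replaces an existing target. The following added example, not Killbox's code, builds and reads that value offline so the layout can be inspected (for instance in a .reg export taken during an incident). Nothing here touches a registry; SAMPLE_REG is a constructed fragment.

```python
r"""PendingFileRenameOperations encoder/decoder. Added example, not Killbox
code; it models the REG_MULTI_SZ layout Session Manager reads at boot and
never writes to a registry."""
NT_PREFIX = "\\??\\"   # Win32 drive paths are stored in NT object-namespace form

def encode_multi_sz(strings):
    """REG_MULTI_SZ: every string UTF-16LE plus NUL, list closed by one more NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"

def decode_multi_sz(data):
    """Inverse of encode_multi_sz; keeps empty strings, which are meaningful here."""
    text = data.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("REG_MULTI_SZ is not NUL-terminated")
    body = text[:-1]                      # drop the list terminator
    if body.strip("\x00") == "":          # empty list (one or two NULs)
        return []
    return body.split("\x00")[:-1]        # each entry still ends in its own NUL

def to_nt(win32_path):
    return win32_path if win32_path.startswith(NT_PREFIX) else NT_PREFIX + win32_path

def to_win32(nt_path):
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path

def pending_delete_value(win32_paths):
    """Build the value that deletes each path at next boot: (source, "") pairs."""
    entries = []
    for p in win32_paths:
        entries += [to_nt(p), ""]         # empty destination means delete
    return encode_multi_sz(entries)

def parse_pending_ops(data):
    """Read the value back into src/dst/replace_existing operations."""
    strings = decode_multi_sz(data)
    if len(strings) % 2:
        raise ValueError("odd number of strings: a source has no destination")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")     # "!" = MOVEFILE_REPLACE_EXISTING
        dst = dst[1:] if replace else dst
        ops.append({"src": to_win32(src),
                    "dst": to_win32(dst) if dst else None,   # None = delete
                    "replace_existing": replace})
    return ops

def to_reg_export(data, name="PendingFileRenameOperations"):
    """The hex(7): form regedit writes into a .reg file (single line)."""
    return f'"{name}"=hex(7):' + ",".join(f"{b:02x}" for b in data)

def from_reg_export(text):
    """Parse a hex(7): line, tolerating regedit's backslash line continuations."""
    _, _, payload = text.partition("hex(7):")
    payload = "".join(payload.split()).replace("\\", "")
    return bytes(int(b, 16) for b in payload.split(",") if b)

# Constructed .reg fragment: one entry deleting \??\C:\A, wrapped over two
# lines the way regedit wraps long hex(7) values.
SAMPLE_REG = (
    '"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,\\\n'
    '  5c,00,41,00,00,00,00,00,00,00'
)

if __name__ == "__main__":
    value = pending_delete_value(["C:\\WINDOWS\\Nail.exe", "C:\\WINDOWS\\system32\\exp.exe"])
    print(to_reg_export(value))
    for op in parse_pending_ops(value):
        print(op)
    print(parse_pending_ops(from_reg_export(SAMPLE_REG)))
```

Two practical points follow from the layout. Because the empty destination is itself a NUL-terminated string, the value looks like a run of NULs after each path in a hex dump, and a decoder that strips "empty" entries will silently drop the delete markers; that is why decode_multi_sz keeps them. And because the value is a plain registry string that any process with write access to that key can rewrite, a still-running infection can clear it between Killbox's write and the reboot, which is exactly the situation the post's "removed by external process" message describes and why the helper suspends the process first.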