Glad to hear it's getting better....You have more work to do.....so, stick with me until we're done, please.
I really would like to view the AVG log.
Make sure you saved it as a text file....if you did not save it separately as a text file, it should be located here:
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports
Attach it in your next reply, or split it into several posts, but I do want to see it.
-------------------------------------------------------------------------
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.
---------------------------------------------------------------------------------------------
Copy and paste the following into Notepad (don't forget to copy and paste
REGEDIT4):
Quote:
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=-
"{6FE732D5-666F-4331-94BF-5AA3DA9C0B4B}"=-
|
Save the file as "
delete.reg". Make sure to save it with the quotes. It should look like this:
Close Notepad.
Double click on the
delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.
---------------------------------------------------------------------------------------------
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.
Please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\
report.txt ), at the end of this fix.
**If you receive an error message while trying to run FixWareout, copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder, and run FixWareout again.
----------------------------------------------------------------------------------------------------------
Run OTMoveIt again
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
c:\temp\salm.log
c:\windows\system32\sdknh32.exe
C:\WINDOWS\sysxr32.dll
c:\windows\inf\biini.inf
C:\contacts.pif
C:\gendel32.exe
C:\Program Files\WAV to MP3 Encoder\NH20040517.4a.EE.exe
C:\QooBox
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose
Yes.
Please post the log from OTMoveIt, located here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
-------------------------------------------------------------------------
Next.....
Run ADS Spy
- Open HijackThis
- Click on the button " Open the Misc Tools section"
- Click the button labelled "Open ADSSpy"
- Make sure "Quick Scan (Windows based folders only)" is unchecked.
- Make sure "Ignore Safe System Info Streams" is checked.
- Click the "Scan" button.
- When it has finished scanning, checkmark/tick all that entries that it found.
- Click the "remove selected" button, then Click "Yes" at the following prompt.
- Click the "Scan" button once again.
- Click the "Save Log" button once this scan is complete. If nothing is found in this second run, no log will be produced.
Please post that log here for review.
-------------------------------------------------------------------------
Next......
Please do this:
Zip up
c:\_OTMoveIt\MovedFiles (right click, send to>compressed (zipped) folder) and submit it here:
Please submit it to this site
http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message. You should receive notice right away that the file was successfully submitted.
-------------------------------------------------------------------------
Next....
* Download
Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click next icon next to the files found:
- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
- After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
-------------------------------------------------------------------------
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:- Download the latest version of Java Runtime Environment (JRE) 6 u1.
- Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java versions.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u1-windowsi586-p.exe to install the newest version.
- After the install is complete, go back into the Control Panel and double-click the Java Icon.
- Under Temporary Internet Files, click the Delete Files button.
- There are three options in the window to clear the cache - Leave ALL 3 Checked
- Downloaded Applets
- Downloaded Applications
- Other Files
- Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Java Control Panel.
---------------------------------------------------------------------------------------------
Please run Deckard's System Scanner once again, this time using these instructions:
Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
Click on "
Check All"
Click Scan!
When finished, it shall produce two logs for you. Post those logs in your next reply.
---------------------------------------------------------------------------------------------
So, please return with logs from:
AVG AS (attached, or as many posts as it takes)
FixWareout (C:\Fixwareout\report.txt
OTMoveIt
ADSSpy (if log was produced after second run)
DrWeb (DrWeb.csv)
DSS (main.txt and extra.txt)