
JSntgRvr

Group: Experts
Posts: 2,565
Days Won: 14

Everything posted by JSntgRvr

  1. Hi, marz. Welcome. Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.
  2. Yes. Other than Malwarebytes, all other tools should be removed.

     The following is a list of free tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

     • Spybot Search & Destroy - A useful tool which can search and annihilate bad files that make it onto your system. Now with an Immunize section that will help prevent future infections.
     • AdAware - Another very powerful tool which searches and kills bad files that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
     • SpywareBlaster - Great prevention tool to keep bad files from installing on your system.
     • ZonedOut + IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
     • ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those bad files that like to reside in the temp folders.
     • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
     • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
     • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
     • ERUNT (Emergency Recovery Utility NT) - Allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
     • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

     To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

     Best wishes!
  3. Hi, Lechnek. Can you download Combofix and run it while able to boot with the Unix CD? I am also unfamiliar with Unix.

     There is a Rescue CD download from AVIRA that will scan a system that is unable to boot. The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.

     http://dl.antivir.de/down/vdf/rescuecd/rescuecd.exe

     Once you
  4. Hi, atwitsend99. The file was not renamed while being expanded. Let's do some housekeeping.

     Copy the entire contents of the Quote Box below to Notepad. Name the file RenFix.bat, change the Save as Type to All Files and save it on the desktop. Once saved, double-click on the RenFix.bat file. It will self-destruct once run.

     Reset and re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.) To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. (Windows XP)
       1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
       2. Reboot.
       3. Turn on System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Un-check *Turn off System Restore*. Click Apply, and then click OK.

     Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools. Follow these steps to uninstall Combofix: Click START then RUN. Now copy and paste
       "c:\documents and settings\Liz\Desktop\Combo-Fix.exe" /u
     in the Run box (including the quotation marks) and click OK. Note the space between the " and the /u; it needs to be there.

     Create a Restore point (if the above process fails to do so): Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. In the System Restore dialog box, click Create a restore point, and then click Next. Type a description for your restore point, such as "After Cleanup", then click Create.

     How is the computer doing?
  5. Hi, atwitsend99. I wasn't expecting expand to attempt to write in the CD-ROM. Try these commands:
       Expand O:\i386\Proquota.ex_ C:\Windows\System32
       Expand O:\i386\Proquota.ex_ C:\Windows\System32\dllcache
       Exit
     Remove Comodo and AVG prior to installing AVAST.
  6. Hi, atwitsend99. Here is the definition: PROQUOTA.EXE (Profile Quota Manager). An application for limiting the size of user profiles. It is not a critical component, but it shouldn't be disabled. There are no copies of the file in the computer. You may have to extract a copy from the XP CD. Here is how.

     Insert the XP Installation CD and cancel any autorun. Note the letter assigned to your CD-ROM. Open a Command prompt (Start -> Run, type CMD and click OK). At the Command prompt copy and paste the following commands and press Enter after each line:
       Expand -r X:\i386\Proquota.ex_ C:\Windows\System32\Proquota.exe
       Expand -r X:\i386\Proquota.ex_ C:\Windows\System32\dllcache\Proquota.exe
       Exit
     Note: Replace the X with the letter assigned to your CD-ROM.

     Here are other ways: http://support.microsoft.com/kb/888017

     How is the computer doing?
  7. Hi, BucNut. Congratulations.

     Reset and re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.) To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. (Windows XP)
       1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
       2. Reboot.
       3. Turn on System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Un-check *Turn off System Restore*. Click Apply, and then click OK.

     Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools. Follow these steps to uninstall Combofix: Click START then RUN. Now copy and paste
       "c:\documents and settings\Gary McClellan\Desktop\ComboFix.exe" /u
     in the Run box (including the quotation marks) and click OK. Note the space between the " and the /u; it needs to be there.

     Once the process is completed, remove any other tool downloaded, such as Avenger and tools I requested. Make sure the following folders are removed:
       C:\Combofix
       C:\Combo-fix
       C:\Qoobox

     Create a Restore point: Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. In the System Restore dialog box, click Create a restore point, and then click Next. Type a description for your restore point, such as "After Cleanup", then click Create.

     The following is a list of free tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

     • Spybot Search & Destroy - A useful tool which can search and annihilate bad files that make it onto your system. Now with an Immunize section that will help prevent future infections.
     • AdAware - Another very powerful tool which searches and kills bad files that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
     • SpywareBlaster - Great prevention tool to keep bad files from installing on your system.
     • ZonedOut + IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
     • ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those bad files that like to reside in the temp folders.
     • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
     • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
     • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
     • ERUNT (Emergency Recovery Utility NT) - Allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
     • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

     To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

     Best wishes!
  8. Hi, Lechnek. Please read and follow all these instructions very carefully.

     Please download ComboFix from Here or Here to your Desktop.
     **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**
     If you are using Firefox, make sure that your download settings are as follows: Tools->Options->Main tab, set to "Always ask me where to Save the files".
       • During the download, rename Combofix to Combo-Fix as follows:
       • It is important you rename Combofix during the download, but not after.
       • Please do not rename Combofix to other names, but only to the one indicated.
       • Close any open browsers.
       • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     -----------------------------------------------------------
     Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
     -----------------------------------------------------------
     Close any open browsers.
     WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
     -----------------------------------------------------------
       • Double click on combo-Fix.exe & follow the prompts.
       • When finished, it will produce a report for you.
       • Please post the "C:\Combo-Fix.txt".
     **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall.**
     Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
     Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
     Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
  9. Hi, atwitsend99. Let's attempt to find this file. Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and click on the RunMe.bat. Post the resulting report.
  10. Which files?

     Copy the entire contents of the Quote Box below to Notepad. Name the file CFScript.txt, change the Save as Type to All Files and save it on the desktop. Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

     Please run the F-Secure Online Scanner. Note: You must use Internet Explorer for this scan! Accept the License Agreement. Once the ActiveX installs, click Full System Scan. Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient. When the scan completes, click the Automatic cleaning (recommended) button. Click the Show Report button and copy and paste the entire report in your next reply.
  11. Hi, BucNut. To confirm if the file was copied, click on the RunMe.bat file within the FindWinlogon folder and post the report. How is the computer doing?
  12. Ahhh! Remove Combofix from your desktop and download a fresh copy from Here or Here to your Desktop. Copy the entire contents of the Quote Box below to Notepad. Name the file CFScript.txt, change the Save as Type to All Files and save it on the desktop. Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.
  13. The dropper usually comes bundled with other software, or you are directed to click a link that will drop the initial install file. AVG won't protect you. Malwarebytes (Full version) and AVAST will provide you better protection. Take into consideration that there is no defense against new variants. You failed to post the report for step 5. Were you able to run Combofix?
  14. Hi, BucNut. Please follow these steps:

     Step 1
     Open a command prompt. (Start->Run, type CMD and click OK.) At the prompt copy and paste the following commands and press Enter after each line:
       Copy C:\WINDOWS\ServicePackFiles\i386\winlogon.exe C:\
       Exit

     Step 2
     1. Please download The Avenger by Swandog46 to your Desktop. Right click on the Avenger.zip folder and select "Extract All...". Follow the prompts and extract the avenger folder to your desktop.
     2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
        Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
     3. Now, open the avenger folder and start The Avenger program by clicking on its icon. Right click on the window under Input script here:, and select Paste. You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard. Click on Execute. Answer "Yes" twice when prompted.
     4. The Avenger will automatically do the following:
        • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
        • On reboot, it will briefly open a black command window on your desktop; this is normal.
        • After the restart, it creates a log file that should open with the results of Avenger.
  15. Hi, atwitsend99. Please follow these steps:

     Step 1
     Open a command prompt. (Start->Run, type CMD and click OK.) At the prompt copy and paste the following commands and press Enter after each line:
       Copy C:\WINDOWS\system32\dllcache\eventlog.dll C:\
       Exit

     Step 2
     Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here in your next reply.
       "C:\Documents and Settings\Liz\Desktop\Win32kDiag.exe" -f -r

     Step 3
     1. Please download The Avenger by Swandog46 to your Desktop. Right click on the Avenger.zip folder and select "Extract All...". Follow the prompts and extract the avenger folder to your desktop.
     2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
        Begin copying here:
        Files to move:
        C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
        Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
     3. Now, open the avenger folder and start The Avenger program by clicking on its icon. Right click on the window under Input script here:, and select Paste. You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard. Click on Execute. Answer "Yes" twice when prompted.
     4. The Avenger will automatically do the following:
        • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
        • On reboot, it will briefly open a black command window on your desktop; this is normal.
        • After the restart, it creates a log file that should open with the results of Avenger.
  16. Hi, Lechnek. Welcome. Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here. Note: Allow enough time for this application to finish.
  17. Hi, BucNut. F-Secure is detecting Winlogon.exe as patched. Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, click on the RunMe.bat file and post back the resulting report.
  18. Hi, atwitsend99. Welcome. Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here. Note: Allow enough time for this application to finish.
  19. Let's check for remnants. Please run the F-Secure Online Scanner. Note: You must use Internet Explorer for this scan! Accept the License Agreement. Once the ActiveX installs, click Full System Scan. Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient. When the scan completes, click the Automatic cleaning (recommended) button. Click the Show Report button and copy and paste the entire report in your next reply.
  20. Hi, BucNut. Let's try to get you back on line:

     Enter your Control Panel and double-click on Network Connections. Then right click on your Default Connection, usually Local Area Connection for Cable and DSL, or AOL Connection.
       • Left click on Properties
       • Double-click on the Internet Protocol (TCP/IP) item
       • Select the radio dial that says Obtain DNS Servers Automatically
       • Press OK twice to get out of the properties screen
     Go to Start->Run, type CMD and click OK. The MSDOS window will be displayed. At the command prompt, type the following and press Enter after each line:
       netsh int ip reset C:\Resetlog.txt
       netsh winsock reset catalog
       ipconfig /flushdns   (The space between g and / is needed)
       Exit
     Restart the computer. Attempt to get on line.
  21. Hi, BucNut. That looks much better. Please read and follow all these instructions very carefully.

     Please download Malwarebytes' Anti-Malware from Here. Double-click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy & paste the entire report in your next reply.
     Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     =====================================================================
     Please download ComboFix from Here or Here to your Desktop.
     **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
     Please, never rename Combofix unless instructed.
     Close any open browsers.
     Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     -----------------------------------------------------------
     Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
     -----------------------------------------------------------
     Close any open browsers.
     WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
     -----------------------------------------------------------
       • Double click on combofix.exe & follow the prompts.
       • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
       • Install the Recovery Console upon request.
       • When finished, it will produce a report for you.
       • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
     **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.**
     Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
     Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
     Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
  22. Hi, Colin Klayer.

     Copy the entire contents of the Quote Box below to Notepad. Name the file CFScript.txt, change the Save as Type to All Files and save it on the desktop. Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.
     Additionally, when CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.

     Please run the F-Secure Online Scanner. Note: You must use Internet Explorer for this scan! Accept the License Agreement. Once the ActiveX installs, click Full System Scan. Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient. When the scan completes, click the Automatic cleaning (recommended) button. Click the Show Report button and copy and paste the entire report in your next reply.
  23. Hi, Colin Klayer. Please follow these steps:

     Step 1
     Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. Allow enough time for this application to finish. When it's finished, there will be a log called Win32kDiag.txt on your desktop. It should contain the word finished at the end of the report. Please open it with Notepad and post the contents here in your next reply.
       "C:\Documents and Settings\Colin\Desktop\Win32kDiag.exe" -f -r

     Step 2
     Please download ComboFix from Here or Here to your Desktop.
     **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**
     If you are using Firefox, make sure that your download settings are as follows: Tools->Options->Main tab, set to "Always ask me where to Save the files".
       • During the download, rename Combofix to Combo-Fix as follows:
       • It is important you rename Combofix during the download, but not after.
       • Please do not rename Combofix to other names, but only to the one indicated.
       • Close any open browsers.
       • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     -----------------------------------------------------------
     Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
     -----------------------------------------------------------
     Close any open browsers.
     WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
     -----------------------------------------------------------
       • Double click on combo-Fix.exe & follow the prompts.
       • When finished, it will produce a report for you.
       • Please post the "C:\Combo-Fix.txt".
     **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall.**
     Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
     Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
     Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
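Several of the posts above rest on the same idea: Windows XP keeps pristine copies of protected system files in system32\dllcache and ServicePackFiles\i386, so when a scanner reports winlogon.exe as "patched" (post 17), the fix is to copy the cached original back over the live file (posts 14 and 15), and RunMe.bat (posts 9 and 11) is used to confirm the copy took. The script below is an added example, not code from these posts, from RunMe.bat, or from any tool mentioned; it hashes the live file and each cached copy and reports whether they agree. The three directory names are the XP defaults named in the posts and are assumptions about the machine's layout, as is the file name passed on the command line.

```python
"""Compare a Windows system binary against the cached copies Windows keeps.

Added example, not part of the forum posts.  A live file that no longer
matches system32\\dllcache or ServicePackFiles\\i386 has been altered (or
belongs to a different hotfix level).  A match is NOT proof the file is
clean: a rootkit that patches winlogon.exe can patch the cache too, so the
final word is a hash from a known-clean install at the same service pack.
"""
import hashlib
import os
import sys

# XP-era locations of a protected system file and its cached originals.
# These paths are assumptions about the target machine's layout.
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\WINDOWS")
CANDIDATES = {
    "live": os.path.join(SYSTEM_ROOT, "system32"),
    "dllcache": os.path.join(SYSTEM_ROOT, "system32", "dllcache"),
    "servicepack": os.path.join(SYSTEM_ROOT, "ServicePackFiles", "i386"),
}


def sha256_file(path, chunk=1 << 16):
    """SHA-256 hex digest of a file, or None if it is missing or unreadable."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
        return h.hexdigest()
    except OSError:
        return None


def compare_copies(name, dirs):
    """Hash <name> in each directory of <dirs> and judge the live copy.

    Returns (digests, verdict): digests maps label -> hex digest (None when
    the file is absent); verdict is
      'no_reference' - no live copy or no cached copy, nothing to compare
      'match'        - every cached copy present is byte-identical to live
      'mismatch'     - live differs from at least one cached copy
    """
    digests = {label: sha256_file(os.path.join(d, name)) for label, d in dirs.items()}
    live = digests.get("live")
    refs = [v for k, v in digests.items() if k != "live" and v is not None]
    if live is None or not refs:
        return digests, "no_reference"
    # The caches may legitimately disagree with each other (a later hotfix
    # refreshes dllcache but not ServicePackFiles), so flag any difference
    # from the live file and let the analyst decide which copy is current.
    return digests, "match" if all(r == live for r in refs) else "mismatch"


def report(name, dirs=CANDIDATES):
    """Human-readable table of digests plus the verdict, for pasting in a reply."""
    digests, verdict = compare_copies(name, dirs)
    lines = ["%-12s %s" % (label, d or "(absent)") for label, d in digests.items()]
    return verdict, "\n".join(lines)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "winlogon.exe"
    verdict, text = report(target)
    print(text)
    print("verdict:", verdict)
```

Run it as `python check_sysfile.py winlogon.exe` (or `eventlog.dll`) on the affected machine before and after the Avenger move; a verdict of `mismatch` before and `match` after is the confirmation RunMe.bat was being asked for. Because the caches themselves are writable by anything running as SYSTEM, treat `match` as "consistent", not "clean", and compare the digest against one taken from a trusted machine at the same service pack level.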