Trojan Horse help

  • 01-01-2010 9:46pm
    #1
    Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭


    Looks like I've got a major Trojan Horse problem.

    Today I've run AVG and Malwarebytes Anti-Malware which found the following:

    TrojanHorse Sheur2
    TrojanHorse Generic12

    Spybot Search and Destroy has just found the following:
    Win32.TDSS.rtk
    Microsoft.Windows.AppFirewallBypass
    Fraud.Sysguard

    These problems it says it has solved and immunized.

    But I'm guessing I need to do a more complex analysis and fix.

    Looking at my broadband connection, my laptop seems to be downloading stuff in the background which is worrying.

    I think I may have logged into my bank the other day when it may have initially been infected, so I plan to call the bank asap and warn them my details may have been compromised.

    Any help much appreciated....

    I will call a computer repair technician who recently helped fix and clean up my Mum's PC on Monday if it looks too complicated for me to fix.


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    hi

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


    Big thanks to you ActorSeeksJob....here's the log.


    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3319.2797 [GMT 0:00]
    Running from: c:\documents and settings\AdminUser\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Documents\akoho.reg
    c:\documents and settings\All Users\Documents\boso.reg
    c:\documents and settings\All Users\Documents\liwulycag.vbs
    c:\documents and settings\AdminUser\Application Data\iniasd.txt
    c:\documents and settings\AdminUser\Application Data\inst.exe
    c:\documents and settings\AdminUser\Local Settings\Temporary Internet Files\akocuxuf.dat
    c:\documents and settings\AdminUser\Local Settings\Temporary Internet Files\arita.bat
    c:\documents and settings\AdminUser\Local Settings\Temporary Internet Files\asonyh.sys
    c:\documents and settings\AdminUser\Local Settings\Temporary Internet Files\cecozeguz.inf
    c:\documents and settings\AdminUser\Local Settings\Temporary Internet Files\hegovaw.inf
    c:\documents and settings\AdminUser\Local Settings\Temporary Internet Files\ynaq.dl
    c:\windows\ecopoce._sy
    c:\windows\etusudexev._sy
    c:\windows\system32\psqlpwd.dll
    C:\xcrashdump.dat

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
    .

    2010-01-01 23:44 . 2010-01-01 23:50 d-----w- c:\program files\SpywareBlaster
    2010-01-01 23:42 . 2010-01-01 23:43 d-----w- C:\$AVG
    2010-01-01 23:42 . 2010-01-01 23:42 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-01-01 23:42 . 2010-01-01 23:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-01-01 23:42 . 2010-01-01 23:42 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-01-01 23:42 . 2010-01-01 23:42 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-01-01 23:42 . 2010-01-01 23:42 d-----w- c:\windows\system32\drivers\Avg
    2010-01-01 23:42 . 2010-01-01 23:42 d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-01-01 20:56 . 2010-01-01 22:00 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-01-01 20:56 . 2010-01-01 21:01 d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-01 20:51 . 2010-01-01 22:14 d-----w- C:\ERDNT
    2010-01-01 20:19 . 2010-01-01 20:31 d-----w- c:\documents and settings\AdminUser\Local Settings\Application Data\Promosoft Corporation
    2010-01-01 20:19 . 2010-01-01 20:31 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-12-31 05:56 . 2010-01-01 21:35 d-----w- c:\documents and settings\AdminUser\Local Settings\Application Data\muxdmt
    2009-12-31 05:39 . 2009-12-31 05:39 144 ----a-w- C:\MsFrameNet41.dat
    2009-12-31 05:38 . 2010-01-02 01:07 773120 ----a-w- c:\windows\system32\drivers\leqlg.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-01 23:42 . 2010-01-01 23:46 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-01 23:42 . 2010-01-01 23:46 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
    2010-01-01 23:42 . 2010-01-01 23:46 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
    2010-01-01 23:42 . 2010-01-01 23:46 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
    2010-01-01 23:42 . 2010-01-01 23:46 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-01-01 23:42 . 2010-01-01 23:46 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
    2010-01-01 23:42 . 2009-03-24 01:36 d-----w- c:\program files\AVG
    2010-01-01 20:11 . 2009-04-10 00:36 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-01 19:40 . 2009-10-05 00:17 5061520 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-12-30 14:55 . 2009-04-10 00:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-30 14:54 . 2009-04-10 00:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-28 06:59 . 2008-04-23 13:34 d-----w- c:\documents and settings\AdminUser\Application Data\Skype
    2009-12-02 23:21 . 2009-12-02 23:21 d-----w- c:\documents and settings\AdminUser\Application Data\vlc
    2009-11-21 18:34 . 2009-11-21 18:34 d-----w- c:\program files\VideoLAN
    2009-11-21 18:33 . 2009-11-21 18:33 d-----w- c:\program files\Codec Pack - All In 1
    2009-11-21 18:31 . 2009-11-21 18:33 737280 ----a-w- c:\windows\iun6002.exe
    2009-11-21 16:55 . 2007-08-03 21:28 d-----w- c:\documents and settings\AdminUser\Application Data\PC Suite
    2009-11-21 16:55 . 2009-11-21 16:55 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
    2009-11-21 16:54 . 2009-11-21 16:54 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
    2009-11-21 04:00 . 2009-01-10 06:59 d-----w- c:\program files\Vuze
    2009-11-19 18:30 . 2009-10-15 16:48 d-----w- c:\documents and settings\AdminUser\Application Data\WebEx
    2009-10-29 07:46 . 2006-03-21 09:38 832512 ----a-w- c:\windows\system32\wininet.dll
    2009-10-29 07:46 . 2006-03-21 09:38 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-29 07:46 . 2006-03-21 09:38 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-10-21 05:38 . 2006-03-21 09:38 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2006-03-21 09:38 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-13 15:35 . 2009-10-13 15:35 95232 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
    2009-10-13 15:35 . 2009-10-13 15:35 8192 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
    2009-10-13 15:35 . 2009-10-13 15:35 61440 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-10-13 15:35 . 2009-10-13 15:35 10240 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
    2009-10-13 15:34 . 2009-10-13 15:35 33773208 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_eng.exe
    2009-10-13 10:30 . 2006-03-21 09:38 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2006-03-21 09:38 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2006-03-21 09:38 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-09-30 02:36 . 2009-09-30 02:36 15922 -c--a-w- c:\program files\Common Files\binogos._dl
    2009-09-30 02:19 . 2009-09-30 02:19 12205 -c--a-w- c:\program files\Common Files\ujibiqoky.bin
    2009-09-30 02:19 . 2009-09-30 02:19 10069 -c--a-w- c:\program files\Common Files\numi.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-01 2033432]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-01-01 23:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
    2006-02-08 05:53 61440 ----a-w- c:\windows\system32\TosBtNP.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^AdminUser^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
    path=c:\documents and settings\AdminUser\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
    backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-07-13 13:03 292128 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2008-02-12 20:35 21899560 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-05-20 01:20 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 23:31 16384]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [21/03/2006 12:57 6144]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/01/2010 23:42 333192]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/01/2010 23:42 360584]
    R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.SYS [21/03/2006 13:00 5888]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [01/01/2010 23:42 285392]
    R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [24/02/2006 11:01 13568]
    R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [24/02/2006 11:01 33024]
    R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [24/02/2006 10:34 3456]
    R2 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\TMESBS32.EXE [21/03/2006 13:00 65536]
    R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.EXE [21/03/2006 13:00 114688]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [21/11/2009 02:18 100480]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21/03/2006 13:31 35968]
    R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [21/03/2006 13:16 595072]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [25/09/2009 00:03 136704]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [25/09/2009 00:03 8320]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - leqlg
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-01 c:\windows\Tasks\User_Feed_Synchronization-{C3964DD8-85ED-4C50-9E46-7DE120E3BF54}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://uk.yahoo.com/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    Trusted Zone: google.com\mail
    Trusted Zone: ireland.com\www
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-psfus - psqlpwd.dll
    MSConfigStartUp-PCSuiteTrayApplication - c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\leqlg]

    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(216)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Protector Suite QL\mysafe.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\system32\ThpSrv.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-02 01:12:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-02 01:12

    Pre-Run: 61,198,086,144 bytes free
    Post-Run: 61,286,313,984 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg

    Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 4E3575C323F1F0B5EF5EDA4076D130E0


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    hi

    Please download OTM
    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      :Processes
      
      :Services
      leqlg
      :Reg
      
      :Files
      c:\windows\system32\drivers\leqlg.sys
      c:\program files\Common Files\binogos._dl
      c:\program files\Common Files\ujibiqoky.bin
      c:\program files\Common Files\numi.bin
      
      
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [Reboot]
      
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






    Go to Kaspersky website and perform an online antivirus scan.
    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
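
The OTM script in the post above targets the service `leqlg` and the file `leqlg.sys`, and both names appear in the ComboFix log posted earlier: as a recently created driver file and under "Other Services/Drivers In Memory" as `*Deregistered*`. The following is an added example, not part of the original thread and not the helper's stated method: it cross-references those three parts of a ComboFix log. The function names and status labels are assumptions, and the sample input is an excerpt in the layout of the log above.

```python
import re
from pathlib import PureWindowsPath

# Excerpt in the layout of the ComboFix log posted in this thread (sample input).
SAMPLE_LOG = r"""
((((( Files Created from 2009-12-02 to 2010-01-02 )))))
2010-01-01 23:42 . 2010-01-01 23:42 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-31 05:39 . 2009-12-31 05:39 144 ----a-w- C:\MsFrameNet41.dat
2009-12-31 05:38 . 2010-01-02 01:07 773120 ----a-w- c:\windows\system32\drivers\leqlg.sys
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/01/2010 23:42 360584]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [25/09/2009 00:03 136704]
--- Other Services/Drivers In Memory ---
*Deregistered* - leqlg
"""

DRIVER_DIR = PureWindowsPath(r"c:\windows\system32\drivers")

# "created . modified [size] attributes path"; directory lines carry no size.
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?:(\d+)\s+)?([a-z-]{8})\s+(\S.*)$")
# "R1 Name;Display name;path [date time size]"
SERVICE_LINE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?) \[[^\]]+\]$")
DEREGISTERED_LINE = re.compile(r"^\*Deregistered\* - (\S+)$")


def parse_file_lines(log):
    """Return every file-listing line as a dict, in log order."""
    entries = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append({
                "created": created,
                "modified": modified,
                "size": int(size) if size else None,
                "attrs": attrs,
                "path": path,
            })
    return entries


def parse_services(log):
    """Map each listed service/driver image path to its service name."""
    services = {}
    for line in log.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m:
            # PureWindowsPath hashes and compares case-insensitively.
            services[PureWindowsPath(m.group(5))] = m.group(3)
    return services


def parse_deregistered(log):
    """Names ComboFix prints as '*Deregistered* - <name>', lowercased."""
    names = set()
    for line in log.splitlines():
        m = DEREGISTERED_LINE.match(line.strip())
        if m:
            names.add(m.group(1).lower())
    return names


def triage_new_drivers(log):
    """Classify each listed .sys file in system32\\drivers.

    Status labels (assumptions made for this example):
      deregistered - base name matches a '*Deregistered*' entry
      registered   - path matches an R/S service line
      unlisted     - neither; needs a manual look
    """
    services = parse_services(log)
    deregistered = parse_deregistered(log)
    findings = []
    for entry in parse_file_lines(log):
        path = PureWindowsPath(entry["path"])
        if path.parent != DRIVER_DIR or path.suffix.lower() != ".sys":
            continue
        if path.stem.lower() in deregistered:
            status = "deregistered"
        elif path in services:
            status = "registered"
        else:
            status = "unlisted"
        findings.append((str(path), status))
    return findings


if __name__ == "__main__":
    for path, status in triage_new_drivers(SAMPLE_LOG):
        print(f"{status:13} {path}")
```

A "deregistered" or "unlisted" result is a prompt for review by someone who reads these logs, not a verdict; the posts in this thread make the same point about acting on scanner output without guidance.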


  • Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


      Below are the results of using OTM. About to download TFC now.

      All processes killed
      ========== PROCESSES ==========
      ========== SERVICES/DRIVERS ==========
      Error: No service named leqlg was found to stop!
      Unable to stop service leqlg!
      ========== REGISTRY ==========
      ========== FILES ==========
      File move failed. c:\windows\system32\drivers\leqlg.sys scheduled to be moved on reboot.
      c:\program files\Common Files\binogos._dl moved successfully.
      c:\program files\Common Files\ujibiqoky.bin moved successfully.
      c:\program files\Common Files\numi.bin moved successfully.
      ========== COMMANDS ==========
      C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
      HOSTS file reset successfully

      [EMPTYTEMP]

      User: Administrator
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 0 bytes

      User: All Users

      User: Default User
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 32768 bytes

      User: AdminUser
      ->Temp folder emptied: 15548368 bytes
      ->Temporary Internet Files folder emptied: 37955259 bytes
      ->Java cache emptied: 7190828 bytes

      User: LocalService
      ->Temp folder emptied: 66016 bytes
      ->Temporary Internet Files folder emptied: 16786 bytes

      User: NetworkService
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 67 bytes

      %systemdrive% .tmp files removed: 0 bytes
      %systemroot% .tmp files removed: 19569 bytes
      %systemroot%\System32 .tmp files removed: 2577 bytes
      Windows Temp folder emptied: 524771 bytes
      %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
      %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
      RecycleBin emptied: 0 bytes

      Total Files Cleaned = 59.00 mb


      OTM by OldTimer - Version 3.1.4.0 log created on 01022010_171709

      Files moved on Reboot...
      File move failed. c:\windows\system32\drivers\leqlg.sys scheduled to be moved on reboot.

      Registry entries deleted on Reboot...


  • Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


      here's the MalwareBytes log:

      Malwarebytes' Anti-Malware 1.43
      Database version: 3458
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 7.0.5730.11

      02/01/2010 17:38:32
      mbam-log-2010-01-02 (17-38-32).txt

      Scan type: Quick Scan
      Objects scanned: 116034
      Time elapsed: 4 minute(s), 27 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      do this after

      1. Please download The Avenger by Swandog46 to your Desktop.
      • Right click on the Avenger.zip folder and select "Extract All..."
      • Follow the prompts and extract the avenger folder to your desktop
      2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
      Begin copying here:
      Files to delete:
      c:\windows\system32\drivers\leqlg.sys
      Drivers to delete:
      leqlg
      

      Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


      3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
      • Right click on the window under Input script here:, and select Paste.
      • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
      • Click on Execute
      • Answer "Yes" twice when prompted.
      4. The Avenger will automatically do the following:
      • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
      • On reboot, it will briefly open a black command window on your desktop, this is normal.
      • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
      • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
      5. Please copy/paste the content of c:\avenger.txt into your reply


  • Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


      ok will do - many thanks again - Kaspersky is still downloading its updates at the moment...it's taking quite a while...


  • Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


      Below is the Kaspersky report:

      KASPERSKY ONLINE SCANNER 7.0: scan report
      Saturday, January 2, 2010
      Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
      Kaspersky Online Scanner version: 7.0.26.13
      Last database update: Saturday, January 02, 2010 21:16:24
      Records in database: 3382259

      Scan settings:
      scan using the following database: extended
      Scan archives: yes
      Scan e-mail databases: yes

      Scan area - My Computer:
      C:\
      D:\
      E:\

      Scan statistics:
      Objects scanned: 77094
      Threats found: 0
      Infected objects found: 0
      Suspicious objects found: 0
      Scan duration: 01:33:06

      No threats found. Scanned area is clean.

      Selected area has been scanned.

      And here's the Avenger log. Thanks again and is there anything else I should do or need to do...?

      Logfile of The Avenger Version 2.0, (c) by Swandog46
      http://swandog46.geekstogo.com

      Platform: Windows XP

      *******************

      Script file opened successfully.
      Script file read successfully.

      Backups directory opened successfully at C:\Avenger

      *******************

      Beginning to process script file:

      Rootkit scan active.
      No rootkits found!

      File "c:\windows\system32\drivers\leqlg.sys" deleted successfully.
      Driver "leqlg" deleted successfully.

      Completed script processing.

      *******************

      Finished! Terminate.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      hi

      Download the GMER Rootkit Scanner. Unzip it to your Desktop.

      Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

      Double-click gmer.exe. The program will begin to run.

      **Caution**
      These types of scans can produce false positives. Do NOT take any action on any
      "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

      If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
      • Click NO
      • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
      • Now click the Scan button.
        Once the scan is complete, you may receive another notice about rootkit activity.
      • Click OK.
      • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
      • Save it where you can easily find it, such as your desktop.
      Post the contents of GMER.txt in your next reply.



      also tell me how it's running


    12. Registered Users, Registered Users 2 Posts: 548 ✭✭✭Erper


      my advice...
      Install new win...
      There is no help for it...
      End of story...


    14. Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


      Thanks again.

      Will run GMER shortly.

      In terms of how it's running:

      1. When I first realised I had this problem, whenever I was connected to the internet the computer was sending and receiving a hell of a lot of data, which freaked me out when I looked at my connection statistics. I'm pleased to say it's stopped doing that...

      2. Sometimes when I am trying to open a new URL using internet explorer, or even when trying to search for a file on the laptop, I'm getting an error message that seems to refer to the fingerprint reader that's on my laptop that you can use to login to Windows XP.

      This may be something related to the malware or whatever....it's never happened before.

      Here is the error message:

      Fingerprint software error.
      Cannot initialize My Safe folder.
      0xe7530003 cannot initialize My Safe folder.
      0xe753000f cannot get file disk lock state
      0xe753000e cannot get file disk path
      0xe7530011 cannot get file disk
      0xe72c0007 rnpipe:svr(00000000fusserver) not found

      3. Sometimes internet explorer says it has to close. Below is the error message and it says the technical data is in: C:\DOCUME~1\JOHNRE~1\LOCALS~1\Temp\e307_appcompat.txt which I haven't been able to find or open. It appears to contain a load of jumbled up numbers and texts mixed with some control instructions.

      AppName: iexplore.exe AppVer: 7.0.6000.16945 ModName: sdhelper.dll
      ModVer: 1.6.2.14 Offset: 000051a0


    15. Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


      Here's the GMER log:

      GMER 1.0.15.15281 - http://www.gmer.net
      Rootkit scan 2010-01-03 07:45:42
      Windows 5.1.2600 Service Pack 3
      Running: gmer.exe; Driver: C:\DOCUME~1\JOHNRE~1\LOCALS~1\Temp\kgloikob.sys


      ---- Kernel code sections - GMER 1.0.15 ----

      ? xqecbb.sys The system cannot find the file specified. !
      ? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

      ---- Devices - GMER 1.0.15 ----

      AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
      AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
      AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
      AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

      Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

      ---- EOF - GMER 1.0.15 ----
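A triage helper for a GMER log like the one above, as an added example that is not part of the original thread and not GMER's own code: it splits the log into its sections and pulls out the unresolved driver references (the `?` lines, one of which the next reply's OTM script targets) and the device hooks with their vendor strings. The sample is copied from the post; the function names and regular expressions are assumptions, and paths containing spaces are not handled.

```python
import re

# Sample copied from the GMER log posted in the thread above.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-03 07:45:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JOHNRE~1\LOCALS~1\Temp\kgloikob.sys

---- Kernel code sections - GMER 1.0.15 ----

? xqecbb.sys The system cannot find the file specified. !
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
UNRESOLVED_RE = re.compile(r"^\? (\S+) (The system cannot find .+?)\s*!$")
DEVICE_RE = re.compile(r"^(AttachedDevice|Device) (\S+) (\S+) (\S+)(?: \((.*)\))?$")


def parse_gmer(text):
    """Group the non-empty log lines under their '---- name ----' section header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            if current != "EOF":
                sections.setdefault(current, [])
        elif current and current != "EOF":
            sections[current].append(line)
    return sections


def triage(text):
    """Return (unresolved driver files, device hooks) as lists of dicts."""
    sections = parse_gmer(text)
    unresolved, devices = [], []
    for line in sections.get("Kernel code sections", []):
        m = UNRESOLVED_RE.match(line)
        if m:
            unresolved.append({"file": m.group(1), "error": m.group(2)})
    for line in sections.get("Devices", []):
        m = DEVICE_RE.match(line)
        if not m:
            continue
        kind, driver, device, module, desc = m.groups()
        desc = desc or ""
        product, sep, vendor = desc.rpartition("/")
        if not sep:                      # description without a vendor part
            product, vendor = desc, ""
        devices.append({"kind": kind, "driver": driver, "device": device,
                        "module": module, "product": product,
                        "vendor": vendor or None})
    return unresolved, devices


def review_queue(text):
    """Leads for a human analyst, not verdicts: these scans produce false positives."""
    unresolved, devices = triage(text)
    leads = [f"unresolved driver file: {u['file']}" for u in unresolved]
    leads += [f"device hook without vendor string: {d['module']} on {d['device']}"
              for d in devices if not d["vendor"]]
    return leads


if __name__ == "__main__":
    for lead in review_queue(SAMPLE_LOG):
        print(lead)
```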


    16. Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      hi

      Please download OTM
      • Save it to your desktop.
      • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
      • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
        :Processes
        
        :Services
        xqecbb
        :Reg
        
        :Files
        C:\xqecbb.sys /s
        
        
        :Commands
        [purity]
        [resethosts]
        [emptytemp]
        [Reboot]
        
      • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
      • Click the red Moveit! button.
      • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
      • Close OTM and reboot your PC.
      Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


    17. Registered Users, Registered Users 2 Posts: 548 ✭✭✭Erper


      look, he can try clean with those tools, but win will be damaged...
      my opinion, install new fresh win...


    18. Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


      Thanks again ASJ...it's not looking good though.

      The computer is doing weird stuff now. Now every time I start it up it brings up the System configuration box as if I've changed the Startup configuration.

      And after I tried OTM and the computer froze before saving the log, I had to reboot it and do it again, and it then worked.

      But when I did so, on my desktop were these really old files of a couple of jpegs for BBC podcasts, a photo and a couple of scanned documents.

      These were all deleted from the computer as far as I was concerned. So this thing seems to be digging into the deepest parts of the hard drive, which is quite worrying.


      All processes killed
      ========== PROCESSES ==========
      ========== SERVICES/DRIVERS ==========
      Error: No service named xqecbb was found to stop!
      Unable to stop service xqecbb!
      ========== REGISTRY ==========
      ========== FILES ==========
      File/Folder C:\xqecbb.sys not found.
      ========== COMMANDS ==========
      C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
      HOSTS file reset successfully

      [EMPTYTEMP]

      User: Administrator
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 0 bytes

      User: All Users

      User: Default User
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 0 bytes

      User: AdminUser
      ->Temp folder emptied: 267428668 bytes
      ->Temporary Internet Files folder emptied: 9510058 bytes
      ->Java cache emptied: 221949 bytes

      User: LocalService
      ->Temp folder emptied: 66016 bytes
      ->Temporary Internet Files folder emptied: 16786 bytes

      User: NetworkService
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 33170 bytes

      %systemdrive% .tmp files removed: 0 bytes
      %systemroot% .tmp files removed: 0 bytes
      %systemroot%\System32 .tmp files removed: 0 bytes
      Windows Temp folder emptied: 524771 bytes
      %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
      %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
      RecycleBin emptied: 0 bytes

      Total Files Cleaned = 265.00 mb


      OTM by OldTimer - Version 3.1.4.0 log created on 01032010_190638

      Files moved on Reboot...

      Registry entries deleted on Reboot...


    19. Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      your logs appear to be clean

      that Startup configuration pop up is nothing to worry about

      Your logs are clean


      Follow these steps to uninstall Combofix and tools used in the removal of malware

      Uninstall ComboFix

      Remove Combofix now that we're done with it.
      • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
      • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
      • Please follow the prompts to uninstall Combofix.
      • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.


      • Download OTC to your desktop and run it
      • Click Yes to beginning the Cleanup process and remove these components, including this application.
      • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.




      You're using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
      http://www.adobe.com/products/acrobat/readstep2.html



      Please download JavaRa to your desktop and unzip it to its own folder
      • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
      • Accept any prompts.
      • Open JavaRa.exe again and select Search For Updates.
      • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.



      Below I have included a number of recommendations for how to protect your computer against malware infections.
      • Keep Windows updated by regularly checking their website at :
        http://windowsupdate.microsoft.com/
        This will ensure your computer has always the latest security updates available installed on your computer.

      • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

      • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

      • Make Internet Explorer more secure
        • Click Start > Run
        • Type Inetcpl.cpl & click OK
        • Click on the Security tab
        • Click Reset all zones to default level
        • Make sure the Internet Zone is selected & Click Custom level
        • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
        • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
      • TFC - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

      • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

      • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here


        If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
        • NoScript - for blocking ads and other potential website attacks
        • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

      • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

      • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

      • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

      • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

      • Please read my guide on how to prevent malware and about safe computing here
      Thank you for your patience, and performing all of the procedures requested.
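How a blocking HOSTS file of the kind described in the MVPS recommendation above works, and how to audit one, as an added example that is not from the original post or from MVPS: names mapped to a loopback or null address are blocked, while a name mapped to any other address is redirected and deserves a look. The sample file contents, host names and function name are constructed for illustration.

```python
import ipaddress

# Constructed sample in HOSTS-file format (the file OTM reset earlier in the
# thread lives at C:\WINDOWS\System32\drivers\etc\Hosts). All names and
# addresses below are made up; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# Constructed HOSTS file for the audit example
127.0.0.1       localhost
127.0.0.1       ads.example.net        # blocked: answers come from this PC
0.0.0.0         tracker.example.org
203.0.113.7     www.bank.example  login.bank.example
not-an-ip       broken.example
"""


def audit_hosts(text):
    """Classify every name in a HOSTS file.

    blocked    - name points at loopback or 0.0.0.0, so connections go nowhere
    redirected - name points at some other address (name, address, line number)
    malformed  - line numbers that are not 'address name [name ...]'
    """
    report = {"blocked": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append(lineno)
            continue
        names = [name.lower() for name in fields[1:]]
        if not names:
            report["malformed"].append(lineno)
            continue
        for name in names:
            if name == "localhost" and addr.is_loopback:
                continue                          # the standard default entry
            if addr.is_loopback or addr.is_unspecified:
                report["blocked"].append(name)
            else:
                report["redirected"].append((name, str(addr), lineno))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print("blocked:", result["blocked"])
    for name, addr, lineno in result["redirected"]:
        print(f"line {lineno}: {name} is redirected to {addr}")
    print("malformed lines:", result["malformed"])
```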


    20. Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


      Oh right I was thinking that that xqecbb file might have been hiding somewhere else.

      I was also concerned about the files showing up on my desktop that I mentioned...

      I'll go through your recommendations shortly anyhow and I'd like to thank you again and will also pm you with a note as well.


    21. Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


      Hi ASJ,

      Haven't got around to pm'ing you yet, but I'm wondering if you can help diagnose whether anything in the processes I went through, or more likely something I've done, has caused a minor problem.

      When I try to connect to the internet with Internet Explorer at my office through its wi-fi connection, it won't connect.

      It works ok with Firefox, which I've downloaded and installed. And I'm able to connect to the office printer which is connected to the router...so it seems to be a problem related to Internet Explorer.

      If this is something you can't help with, no worries....below is a diagnostic report after running a Microsoft Diagnostic thing.

      Last diagnostic run time: 01/05/10 15:23:24
      WinSock Diagnostic
      WinSock status

      info Error attmpting to validate the Winsock base providers: 2
      error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
      info Redirecting user to support call
      info Redirecting user to support call

      Network Adapter Diagnostic
      Network location detection

      info Using home Internet connection
      Network adapter identification

      info Network connection: Name=Local Area Connection, Device=Intel(R) PRO/1000 PL Network Connection, MediaType=LAN, SubMediaType=LAN
      info Network connection: Name=Wireless Network Connection, Device=Intel(R) PRO/Wireless 3945ABG Network Connection, MediaType=LAN, SubMediaType=WIRELESS
      info Network connection: Name=1394 Connection, Device=1394 Net Adapter, MediaType=LAN, SubMediaType=1394
      info Network connection: Name=HUAWEI3G.O2 IE Open Internet, Device=TOSHIBA Software Modem, MediaType=PHONE, SubMediaType=NONE
      info Network connection: Name=6230i O2 GPRS, Device=TOSHIBA Software Modem, MediaType=PHONE, SubMediaType=NONE
      info Network connection: Name=BT Anytime, Device=TOSHIBA Software Modem, MediaType=PHONE, SubMediaType=NONE
      info Network connection: Name=Nokia E71 USB Modem #2 (NPCIA), Device=TOSHIBA Software Modem, MediaType=PHONE, SubMediaType=NONE
      info Network connection: Name=O2 Broadband, Device=TOSHIBA Software Modem, MediaType=PHONE, SubMediaType=NONE
      info Both Ethernet and Wireless connections available, prompting user for selection
      action User input required: Select network connection
      info Wireless connection selected
      Network adapter status

      info Network connection status: Connected

      HTTP, HTTPS, FTP Diagnostic
      HTTP, HTTPS, FTP connectivity

      warn HTTP: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established
      info HTTPS: Successfully connected to www.microsoft.com.
      info FTP (Passive): Successfully connected to ftp.microsoft.com.
      warn HTTP: Error 12029 connecting to www.hotmail.com: A connection with the server could not be established
      error Could not make an HTTP connection.


    22. Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      Really not sure about that. You could try this

      1. Download IEFix, unzip it to your Desktop, and run it.
      2. Click the Apply button.
      3. You'll be prompted for the Operating System CD or the Service Pack Files location:
      • If you're using Windows XP, insert the Operating System CD. For OEM systems, point to the Operating System source path when prompted. If you've applied a Service Pack separately, you need to insert the Slipstreamed Operating System CD (if you have one) or point the installer to the ServicePack source path when prompted (see the image below). Mention the path as "C:\Windows\ServicePackFiles\i386" or "C:\Windows\ServicePackFiles"
      • If you don't have the Windows installation CD, and if the installation source files are not present in the hard disk, you may click Cancel when you see a dialog similar to the image below. IEFix will continue with DLL registration part.
      • Restart Windows.


    23. Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


      Thanks again ASJ - only back in the office today and IE still not working. This is what it says:

      This problem can be caused by a variety of issues, including:

      •Internet connectivity has been lost.
      •The website is temporarily unavailable.
      •The Domain Name Server (DNS) is not reachable.
      •The Domain Name Server (DNS) does not have a listing for the website's domain.
      •There might be a typing error in the address.
      •If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section.

      It won't run a diagnosis thing when I click the box to diagnose connection problems.

      Any ideas?


    25. Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      No idea sorry

      If it's a business machine, I'd ask your work


    26. Registered Users, Registered Users 2 Posts: 1,189 ✭✭✭Gekko


      it's my own laptop, not a company one.

      It's still acting up, which is a pain because Firefox isn't as clear for viewing my RSS feeds. Maybe I should try uninstalling IE and reinstalling it.


    27. Registered Users, Registered Users 2 Posts: 45 marko_eire


      Hi guys,

      Can any of you help with this error I'm receiving on a Toshiba L300 "bootmngr is missing". I searched the net looking for a solution but cannot find one. I do not have a recovery cd and from what I have been reading on the net there should be a recovery partition on the hdd however I've downloaded a windows vista recovery disk which cannot locate the partition.

      I've tried holding down 0 when powering on F10 and F8 which doesn't give me the selective startup options I should be seeing. I'm about to dance on the laptop at this stage out of frustration. Any advice before I smash it up would be appreciated.

      Cheers.


    28. Closed Accounts Posts: 44 chicklick



      KASPERSKY ONLINE SCANNER 7.0: scan report
      Wednesday, January 27, 2010
      Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
      Kaspersky Online Scanner version: 7.0.26.13
      Last database update: Tuesday, January 26, 2010 20:24:32
      Records in database: 3373978
      Scan settings:
      scan using the following database: extended
      Scan archives: yes
      Scan e-mail databases: yes
      Scan area - My Computer:
      C:\
      D:\
      F:\
      U:\
      Z:\
      Scan statistics:
      Objects scanned: 152947
      Threats found: 2
      Infected objects found: 5
      Suspicious objects found: 0
      Scan duration: 04:46:35

      File name / Threat / Threats count
      C:\WINDOWS\system32\tdlcmd.dll Infected: Packed.Win32.TDSS.z 1
      U:\vnc\vnc-4.0-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
      Selected area has been scanned.
      ACTOR SEEKS JOB...I NEED HELP.. PLEASE


    29. Site Banned Posts: 1,167 ✭✭✭ASJ112


      hi

      Download ComboFix here :

      Link 1
      Link 2


      * IMPORTANT !!! Save ComboFix.exe to your Desktop


      • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

      • Double click on ComboFix.exe & follow the prompts.

      • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



      Click on Yes, to continue scanning for malware.

      When finished, it shall produce a log for you. Please include the C:\ComboFix\ComboFix.txt log in your next reply.

