Need help with vundo kill shot!

Status
Not open for further replies.
Remember that Kaspersky and AVG will not call the files the same thing so it is likely the same item.

Remember to express yourself here:
http://www.malwarecomplaints.info/

These criminals need to go to jail, did I post this information for you?
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn

This is almost all we are getting and the forums are loaded with it. I have dealt with so much of it I am about burned out :sad:
 
Next step

I have completed all of the above steps. "esaxxsvc.exe" went without a fight but I had to go into safe mode to delete the "jkjklbst.exe" file. The AVG scan (ran BEFORE the step in previous sentence) did not find any more than the two issues listed in the previous post. I had it delete those. What is our next step from here? I am concerned that, while everything appears fine now, when I reconnect to the net I will be back where I started. Should I produce another HJT scan, scan with any of the available tools I have (Defender, S&D, etc.) or what? Greatly appreciate the help so far Phil! :bigthumb:
 
We cleaned the last two items from the Kaspersky scan, you should be good to go:bigthumb:

Safe Surfing...Phil
 
Bad news

I just completed a scan with S&D and it returned 6 incidents of Virtumonde!:eek: I have done nothing since the last steps and have not connected back to the internet yet. Any advice?

Also, shall I have S&D remove these?
 
Yeah, make sure your Spybot program is totally up to date and fully immunized, then run it again.

Post a new HJT log.

Thanks
 
Update question

Is there a link you can supply that I can follow to download the latest updates for S&D from another computer and transfer to the infected one so as to avoid connecting it to the internet? I somewhat recall reading a post that had a similar link. In the meantime I will have S&D remove the 6 incidents of Virtumonde and produce another HJT log. Thanks again.
 
Update

I just had S&D remove the 6 Virtumonde and immunized (it appeared that it had not been fully immunized) and it hesitated during the internet explorer 32/bit section but did complete. Just wanted to update you on the matter.
 
Another new HJT log

I did the above steps, S&D found nothing. The new HJT log is posted below. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:01, on 2007-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5089 bytes
 
That's a clean HJT log:bigthumb: Review the information from those experts I posted, those are some very knowledgeable folks in the malware/security business and the information will go a long way towards keeping you safe online.

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Thanks...Phil
 
Still a problem?

I have not used the computer since Wednesday last week (vacation) and I restarted S&D's Resident. Upon doing so numerous notifications came up asking to allow or deny various changes. I somehow denied 4 or so. Can I change that choice somehow? Also, I reconnected to the internet for the first time and IE runs pretty slow and a popup page attempted to open. Another S&D notification change appeared with category "BHO", change "key deleted" and entry name "955dbe41-c3f5-4eaa-944c-158d33flebf5". Almost forgot, I ran an S&D scan before all of this and one entry for "Fun Web Products" was returned which I fixed. Got any suggestions?
 
More specific

More specifically, the new window that opens links to "Buzznet Community". So far it appears to only open when surfing online.
 
I am not real sure what suggestions you want, do you need tutorials for using Spy S&D and/or TeaTimer?
http://spyware-free.us/tutorials/spybot/
http://www.bleepingcomputer.com/forums/tutorial43.html
http://www.safer-networking.org/en/tutorial/index.html
http://www.voiceofthepublic.com/SSD/SI/teatimer.swf.html
http://russelltexas.com/malware/teatimer.htm
http://antivirus.about.com/od/securitytips/ss/hosts_6.htm

http://www.buzznet.com/ <<< see this

The last Kaspersky scan and HJT log I looked at were clean, anyone downloading junk besides you? "FunWebProducts" usually comes as an adware download that is done by someone with access to the computer. They usually think something is "free".

Thanks
 
That's what has me concerned, nobody has used the computer since last week besides me and I only reconnected it to the internet this morning. When I type in a new address another window opens to the Buzznet Community website. Not quite sure why this is happening. Thought you may have seen this or have an idea about it?
 
No I have not, post a new HJT log if you wish and I will start the process of trying to find out.

Thanks
 
More bad news:(

Since my previous post several not so good things have happened. Symantec has given me two notices:

*the first states that Trojan.Vundo was found in "C:\system volume information/_restore{B906308C-E7CF-4D81-A411-C157A628241}/RP16\A0000446.dll" and was quarantined.

* The second states that Trojan.Vundo was found in "C:\windows\system32\ujykbrrp.dll", also quarantined.

I ran an AVG scan which returned two incidents:

* the first is Trackingcookie.Coremetrics

* the second is Downloader.Tiny.id

Also, upon restart, S&D Teatimer asked me to "Allow" or "Deny" two changes:

* the first being a registry change by the name of "6c9e2ecd" which is reminiscent of the file(s) you had me delete in post #12 (I believe).

* the second attempted change was of the IE home page, something tried to change it from google to microsoft.

That is where I am now, I have not yet let AVG fix/delete the two files I spoke of. Should I have AVG delete them? Also, I know you need another HJT log but should I scan before or after the AVG fix in the previous sentence. Thanks for the help, again. :red:
 
*the first states that Trojan.Vundo was found in "C:\system volume information/_restore{B906308C-E7CF-4D81-A411-C157A628241}/RP16\A0000446.dll" and was quarantined.
Symantec cannot clean/quarantine System Restore files, they are protected, they are cleaned like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

* The second states that Trojan.Vundo was found in "C:\windows\system32\ujykbrrp.dll", also quarantined.
Navigate to that file in red and delete it.

If it was quarantined, delete it there.

* the first is Trackingcookie.Coremetrics
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

* the second is Downloader.Tiny.id
Have no idea what that is, I would need the name and location.

Thanks
 
Steps Completed

Ok Phil, I have completed all of the above steps, did the system restore, did not find the Trojan.Vundo in system32 but found it in Symantec quarantine and deleted that (along with one or two others), I used AVG to delete the tracking cookie and the Downloader.Tiny.Id (although this was done last time too). I searched for the "downloader.tiny.id" at the location specified by Symantec, "C:\documentsandsettings\ship\localsettings\temp\cnkvigtc.exe" and it was not there. I have completed a new HJT log and it is below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:47, on 2007-11-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jnrngaay.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5880 bytes

It seems like something is being missed that, when connected to the internet or on reboot, is downloading more of the same junk that was previously removed. Also, is there a way to look into the system restore to verify that the Trojan.Vundo from the above post was removed?
 
P.s.

I remember that you wanted me to use Combofix but it was not working properly. Has this issue been solved? If so maybe it would help the situation.
 
C:\documentsandsettings\ship\localsettings\temp\cnkvigtc.exe
Did you make sure all files and folders were showing?
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
These malware writers know how to hide junk. Make sure everything recent is deleted from that Temp folder in red, run ATF-Cleaner and run cleanManager also:
http://spyware-free.us/tutorials/cleanmgr/

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jnrngaay.exe
This is active, we need to stop the service before you can kill it:

Open a command prompt (start run type cmd press enter) type
sc delete "DomainService"
press enter, type exit and press enter to exit the command prompt


Now delete that file: C:\WINDOWS\system32\jnrngaay.exe
Also, is there a way to look into the system restore to verify that the Trojan.Vundo from the above post was removed?
Not that I am aware of, that's why we use scans that show the infection. No scan can touch those protected files, but they can show us the infection.

The rest of the HJT appears clean right now. You said:
I remember that you wanted me to use Combofix but it was not working properly. Has this issue been solved? If so maybe it would help the situation.
Can't hurt, the creator of combofix had his internet service go down and it is up and running.

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks
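
Added example, not part of the original thread: comparing the 2007-11-21 and 2007-11-26 HijackThis logs entry by entry surfaces what changed between them, and the O23 service named in the reply above stands out by its "Unknown owner" and "(file missing)" markers. The function names are hypothetical, and the two sample logs are short excerpts of the logs posted in this thread.

```python
import re

# Matches HijackThis entry lines such as "O23 - Service: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O23 body layout: "Service: <name> - <owner> - <path>[ (file missing)]".
# A service name that itself contains " - " would need a stricter parser.
O23_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

# Excerpt of the 2007-11-21 log from the thread (the one judged clean).
BASELINE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Excerpt of the 2007-11-26 log from the thread.
CURRENT_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jnrngaay.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""


def parse_entries(log_text):
    """Return the set of (section, body) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m["section"], m["body"]))
    return entries


def new_entries(baseline_log, current_log):
    """Entries present in the current log but absent from the baseline."""
    return sorted(parse_entries(current_log) - parse_entries(baseline_log))


def suspicious_services(log_text):
    """Flag O23 services with no vendor string or whose binary is missing."""
    findings = []
    for section, body in sorted(parse_entries(log_text)):
        m = O23_RE.match(body) if section == "O23" else None
        if not m:
            continue
        reasons = []
        if m["owner"] == "Unknown owner":
            reasons.append("unknown owner")
        if m["missing"]:
            reasons.append("file missing")
        if reasons:
            findings.append((m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for section, body in new_entries(BASELINE_LOG, CURRENT_LOG):
        print("NEW", section, body)
    for name, path, reasons in suspicious_services(CURRENT_LOG):
        print("REVIEW", name, path, ", ".join(reasons))
```

A new entry is not automatically malicious (the TeaTimer line is Spybot's own resident), so the diff only narrows down what to review.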
 