[Inactive] ukrtelegroup.com.ua/JavaDI-T trojan/IPscan-Gen

[dallenhj]

My machine was crawling to a halt. I found that my default gateway settings were altered to point to 93.188.163.16 and x.x.161.200 - nslookup points to ukrtelegroup.com.ua (odessa russia) which is a associated with many bad things.

I fixed the gateway settings and re-ip'd with my gateway (FIOS router) and received valid IPs.

Things were still slow so I bought and ran spysweeper which found the trojan and IPscan-gen tool. Both are quarantined.

I ran hijackthis and saw more references to wierd browser plugins and the ips addresses above. All have been removed.

Chrome works OK now, my sweeps are clean. However, IE is still running like a DOG (more than usual anyway).

Attached is my latest hijack log file. Please let me know if there's something else I can do to get this mess cleaned up.

Thanks!

[Hoov]

Please follow the instructions here, http://spywarehammer.com/simplemachinesforum/index.php?topic=88.0 except post the log back to this thread. Once you have done that, your log will be stuck into the que and one of the helpers will be with you as soon as they have an opening.

[dallenhj]

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:51:53 PM, on 5/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\AddOns\Norton AddOn Pack\Engine\3.8.0.5\ccProxy.exe
D:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\VIRTUA~1\CitiVAN.exe
D:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\MOMNDAD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\WINDOWS\system32\OBroker.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.0&bm=ho_search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Virtual Account Numbers Helper - {17424104-1444-4810-85D7-B4DA413C5A9A} - D:\Program Files\Virtual Account Numbers\CitiVANHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: Virtual Account Numbers - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - D:\Program Files\Virtual Account Numbers\CitiVANToolbar.dll
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe"
O4 - HKLM\..\Run: [HPHmon04] "C:\WINDOWS\system32\hphmon04.exe"
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [WUSB54Gv2] "C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] "C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe"
O4 - HKLM\..\Run: [HP AutoIndexer] "C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Citi Virtual Account Numbers] "D:\PROGRA~1\VIRTUA~1\CitiVAN.exe" /lang=en_RG /dontopenmycards
O4 - HKLM\..\Run: [MaxMenuMgr] "D:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\MOMNDAD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O18 - Filter hijack: text/html - {474c3d25-4482-4018-b1a4-ba67be0d2e9e} - C:\WINDOWS\msv1_0.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Norton Internet Security\AddOns\Norton AddOn Pack\Engine\3.8.0.5\ccProxy.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - D:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc.  - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10194 bytes

[Hoov]

Hello, welcome to SpywareHammer.

I go by Hoov, and I will be helping you with your problem. I must ask you to do a few things for me.

First, tell me everything that you have done, if anything, to try and fix this problem.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

Third, follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go.

Fourth, Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

Before we start trying to fix your computer, you need to make sure your data is backed up. Also let me know of any software you have running that encrypts your harddrive.

Now onto trying to fix your computer.


The reason we would rather have logs pasted in instead of attached is mostly to protect us. There are certain infections that will attach themselves to files, and then there is a chance we would get infected.

Your hijackthis log looks good, but unfortunately there are lots of infections that are not seen in hijackthis.

Please run ccleaner to remove temporary files from your system, and to improve the scanning time of the other scans we may be running. Then please Malwarebytes' Anti-Malware to check for malware.

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

• Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.[/COLOR]

In the Applications Tab:

• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.[/COLOR]

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
• Update Malwarebytes' Anti-Malware
  
• Launch Malwarebytes' Anti-Malware

• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

And there are two other things I would like you to do because you mentioned that the gateway settings were changed. First I would like you to reset the IE8 settings, and then I would like you to run Spybot Search and Destroy to check for other problems, but mostly to check your Hosts file.

1. Close any Internet Explorer or Windows Explorer windows that are currently open.
   2. Open Internet Explorer by clicking the Start button , and then clicking Internet Explorer.
   3. Click the Tools button, and then click Internet Options.
   4. Click the Advanced tab, and then click Reset.
   5. Select the Delete personal settings check box if you would like to remove browsing history, search providers, Accelerators, home pages, and InPrivate Filtering data.
   6. In the Reset Internet Explorer Settings dialog box, click Reset.
   7. When Internet Explorer finishes applying default settings, click Close, and then click OK.
   8. Close Internet Explorer.

      Your changes will take effect the next time you open Internet Explorer.


Download and scan with Spybot S&D 1.6.2
http://www.safer-networking.org/en/download/index.html

           1. Install Spybot. Be sure to UNCHECK TeaTimer when presented with the option to install.
           2. Run Spybot, go to the Menu Bar at the top choose Mode and make certain that "Default mode" has a check mark beside it.
           3. Click the button "Search for Updates".
           4. If any updates are found, install them by placing a checkmark next to each one and clicking "Download Updates".If you encounter any error messages while downloading the updates, manually download them from here.
           5. Click on "Immunize". When it detects what has or has not been blocked, block all remaining items by clicking the green plus sign next to immunize at the top.
           6. Click the button "Check for Problems".
           7. When Spybot is complete, it will be showing RED entries, bold BLACK entries and GREEN entries in the window.
           8. Make certain there is a check mark beside all of the RED entries ONLY.
           9. Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.
          10. REBOOT to complete the scan and clear memory.

        Note: After Windows loads, Spybot may run again to clean some files that it could not clean during the prior session. Follow the same procedure.

[dallenhj]

Ran CCleaner per instructions.
Ran MBAM per instructions. Removed all viruses...log is pasted below.
Proceeding to IE8 settings reset and Spybot S&D...
===================================
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4125

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/23/2010 4:57:28 PM
mbam-log-2010-05-23 (16-57-28).txt

Scan type: Quick scan
Objects scanned: 161244
Time elapsed: 16 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7fe26be2-b923-4b41-9834-e84da1cc1f96} (Adware.ClosetMaid) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\m7g3iQ.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

=== end of post ===

[Hoov]

Once you have run Spybot and reset IE, test out IE and let me know how it runs.

[dallenhj]

SBS&D immunization done.

Running S&D scan...

Question - what should I use for protection in the future?

Norton 2010 is clearly not up to the task.

[Hoov]

I don't like telling users exactly what to use. We have a list of free software in this thread, http://spywarehammer.com/simplemachinesforum/index.php?topic=2333.0

The antivirus list is a good list, as well as the firewall list. I would recommend that you pick one and try it out. If it works for you stick with it.

I also recommend that you keep a copy of Malwarebytes' Anti-Malware and do regular scans with it. If you can afford it, buy a copy, and then you will have automatic updates, and the resident scanner.

There are other things that you can do, but I will cover them when we are all done.

[dallenhj]

OK...Spybot S&D is done. Removed a bunch of junk.

Rebooted and IE8 is till very very slow.

[Hoov]

* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

[Hoov]

This thread is being closed due to inactivity. If you need it reopened send me a PM. This applies to the originator only. Anyone else please start a new thread.