Posts posted by jwbirdsong

  1. Deckard's System Scanner

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
    5. Please attach extra.txt to your post.

    To attach a file to a new post, simply

    1. Go to the Attachments section on the post composition page (just below the text entry window), and
    2. copy and paste the following into the "Select a file" box:

      C:\Deckard\System Scanner\extra.txt


    3. Click Upload.

    What DSS will do:

    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

  2. Open HijackThis and place a check next to the following:

    O2 - BHO: (no name) - {A2DA9276-0D8E-493D-BC21-7E3BECEC0EA7} - C:\WINDOWS\system32\pmnnm.dll (file missing)

    O4 - HKLM\..\RunServices: [Windows Recycler] ljmwjfh.exe

    O20 - Winlogon Notify: pmnnm - C:\WINDOWS\system32\pmnnm.dll (file missing)

    Please download VundoFix.exe to your desktop

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and the DSS from below in a reply to this thread.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Deckard's System Scanner

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
    5. Please attach extra.txt to your post.

    To attach a file to a new post, simply

    1. Go to the Attachments section on the post composition page (just below the text entry window), and
    2. copy and paste the following into the "Select a file" box:

      C:\Deckard\System Scanner\extra.txt


    3. Click Upload.

    What DSS will do:

    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

  3. Open HijackThis and place a check next to the following:

    O2 - BHO: {0b7bd7ba-9f2a-7f7a-dc74-9c382a210f23} - {32f012a2-83c9-47cd-a7f7-a2f9ab7db7b0} - (no file)

    O2 - BHO: (no name) - {7A5565EF-A594-46E4-AF56-FE71AEAFD7D5} - C:\Windows\system32\tuvvv.dll (file missing)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: (no name) - {8BE8B8FC-BD38-46F3-8BB2-222F5DE84C49} - (no file)

    O2 - BHO: (no name) - {E454D3E1-0B5E-493C-BCA2-93E9F8294A00} - (no file)

    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\tuvvv.dll,#1

    Close ALL other windows and then click Fix Checked.

    Please download the OTMoveIt by OldTimer.

    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
      Put the bad files here
    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt

    *If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

    Click "Exit" to close OTMoveIt.

    Please download the OTMoveIt by OldTimer.

    • Save it to your desktop.
    • Please Right Click OTMoveIt.exe and select Run as Administrator to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
      C:\Windows\system32\vwycf.ini2
      C:\Windows\system32\lkjlm.ini2
      C:\Windows\system32\jlkkj.ini2
      C:\Windows\system32\ppsut.ini2
      C:\Windows\system32\knoqr.ini2
      C:\Windows\system32\gjmoq.ini2

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt

    *If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

    Click "Exit" to close OTMoveIt.

    After reboot start IE w/ Admin privileges. Right Click on Internet Explorer icon in the Start Menu and select Run as administrator, then go HERE to run an online scan. Tick the box next to I Accept term, then Start. Follow the prompts.

    Once it's done, post C:\Program Files\EsetOnlineScanner\log.txt and a new HijackThis log. Also post C:\_OTMoveIt\MovedFiles\********_******.log

    (where "********_******" is the "date_time" you ran OTMoveit)
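
The HijackThis lines ticked in the two posts above follow a fixed layout and carry a "(file missing)" or "(no file)" marker when the target file is absent. As an added example (not part of the original posts and not HijackThis code), this Python sketch parses such lines and lists the load points that refer to a file that is gone; the regular expressions and function names are assumptions derived only from the lines quoted on this page.

```python
import re

# Constructed sample: the HijackThis lines quoted in the two posts above, combined.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A2DA9276-0D8E-493D-BC21-7E3BECEC0EA7} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O4 - HKLM\..\RunServices: [Windows Recycler] ljmwjfh.exe
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\system32\pmnnm.dll (file missing)
O2 - BHO: {0b7bd7ba-9f2a-7f7a-dc74-9c382a210f23} - {32f012a2-83c9-47cd-a7f7-a2f9ab7db7b0} - (no file)
O2 - BHO: (no name) - {7A5565EF-A594-46E4-AF56-FE71AEAFD7D5} - C:\Windows\system32\tuvvv.dll (file missing)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\tuvvv.dll,#1
"""

# "<section code> - <entry kind>: <details>"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
# Absolute Windows path ending in a short extension, followed by space, comma or end.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.[A-Za-z0-9]{2,4}(?=$|[ ,])")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
STARTUP_RE = re.compile(r"\[[^\]]*\] (.+)$")  # O4 layout: [value name] command
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_line(line):
    """Return a dict describing one log line, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    path = PATH_RE.search(rest)
    clsids = CLSID_RE.findall(rest)
    startup = STARTUP_RE.match(rest)
    return {
        "code": m.group("code"),
        "kind": m.group("kind"),
        # When a GUID also stands in the name position, the CLSID is the last one.
        "clsid": clsids[-1] if clsids else None,
        "path": path.group(0) if path else None,
        "orphaned": rest.endswith(ORPHAN_MARKERS),
        # Startup command given without any directory (nothing to look up on disk).
        "bare_command": startup.group(1) if startup and not path else None,
    }


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def dangling_load_points(entries):
    """Entries marked orphaned, plus unmarked entries that point at a path
    which another line reports as missing (compared case-insensitively)."""
    missing = {e["path"].lower() for e in entries if e["orphaned"] and e["path"]}
    return [e for e in entries
            if e["orphaned"] or (e["path"] and e["path"].lower() in missing)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in dangling_load_points(entries):
        print(e["code"], e["kind"], e["path"] or e["clsid"])
    for e in entries:
        if e["bare_command"]:
            print("no directory given:", e["code"], e["kind"], e["bare_command"])
```
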

  4. Deckard's System Scanner

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
    5. Please attach extra.txt to your post.

    To attach a file to a new post, simply

    1. Go to the Attachments section on the post composition page (just below the text entry window), and
    2. copy and paste the following into the "Select a file" box:

      C:\Deckard\System Scanner\extra.txt


    3. Click Upload.

    What DSS will do:

    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

  5. Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
    5. Please attach extra.txt to your post.

    To attach a file to a new post, simply

    1. Go to the Attachments section on the post composition page (just below the text entry window), and
    2. copy and paste the following into the "Select a file" box:

      C:\Deckard\System Scanner\extra.txt


    3. Click Upload.

    What DSS will do:

    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

  6. Open a new notepad 'page' and copy/paste the text in the codebox below to it:

    File::
    C:\80avp08.com
    C:\xfoolavp.com
    C:\dosocom.com
    C:\WINDOWS\system32\amvo1.dll
    C:\WINDOWS\system32\amvo.exe
    C:\WINDOWS\system32\avpo0.dll
    C:\utdetect.com
    C:\usdeiect.com
    C:\ntde1ect.com
    C:\WINDOWS\Help\F3C74E3FA248.dll
    C:\WINDOWS\Help\F3C74E3FA248.exe
    C:\WINDOWS\system32\jjjlm.bak1
    C:\WINDOWS\system32\jjjlm.bak2
    C:\WINDOWS\system32\jjjlm.ini2
    C:\WINDOWS\system32\avpo.exe
    C:\WINDOWS\system32\lssas.exe

    Folder::
    C:\Documents and Settings\James1\Local Settings\Temp\

    Driver::
    nenum13E

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "amva"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{1DBD6574-D6D0-4782-94C3-69619E719765}"= -

    FileLook::
    C:\WINDOWS\system32\AVERM.dll

    Save this as "CFScript.txt"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif

    This will start ComboFix again. After reboot post the contents of Combofix.txt in your next reply

  7. Download SDFix and save it to your desktop.

    Double click SDFix.exe and it will extract the files to C:\SDFix

    Please then reboot your computer in Safe Mode (without Networking) by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    • Open the C:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back here along with a Combofix log (below).

    Download Combofix to your desktop.

    Doubleclick combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Post this log in your next reply.

  8. A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

    • Please download LSPFix from here.
    • Run the LSPFix.exe that you have just finished downloading.
    • Check the I know what I'm doing box.
    • In the Keep box you should see one or more instances of c:\windows\system32\od2media.dll.
    • Select every instance of c:\windows\system32\od2media.dll and move each one to the Remove box by clicking the >> button.
    • When you are done click Finish>>.

    Open HiJackThis. It should open to a "New users quickstart" menu

    Click "Open the Misc Tools section"

    Click "Delete a file on reboot..."

    In the "Enter file to delete on reboot..." window, navigate to:

    C:\WINDOWS\system32\amvo.exe

    Then click Open. After you click Open, HiJackThis will ask you if you want to restart your computer now. Click Yes

    Deckard's System Scanner

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
    5. Please attach extra.txt to your post.

    To attach a file to a new post, simply

    1. Go to the Attachments section on the post composition page (just below the text entry window), and
    2. copy and paste the following into the "Select a file" box:

      C:\Deckard\System Scanner\extra.txt


    3. Click Upload.

    What DSS will do:

    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

  9. Please go here to upload a suspicious file for analysis.

    • Enter your username from this forum
    • Copy and paste the link to this thread
    • Browse for this filename: C:\WINDOWS\bvtqfvx.dll and C:\WINDOWS\alxvdvm.dll
    • In the comments, please mention that I asked you to upload this file
    • Click on Send File

    Download Combofix to your desktop.

    Doubleclick combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Post this log in your next reply.

  10. Please download SmitfraudFix (by S!Ri) to your Desktop. (Don't worry about using this, even though some AV's will say that parts of it are malware, they are not.)

    Now, you should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Once in Safe Mode, double-click on SmitfraudFix.exe

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning : running option #2 on a non infected computer will remove your Desktop background.

  11. Download SDFix and save it to your desktop.

    Double click SDFix.exe and it will extract the files to C:\SDFix

    Please then reboot your computer in Safe Mode (without Networking) by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    • Open the C:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back here along with a Combofix log (below).

    Download Combofix to your desktop.

    Doubleclick combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Post this log in your next reply.

  12. Using Internet Explorer please do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner

    Click "I accept"

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (If available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save report button.
    • Call it Kaspersky.txt
    • Expand the arrow beside "file types" and save as .txt file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    *Note

    If you have Internet Explorer 7 installed:

    If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.

    Page will reload and you should be able to carry on scan.

    If the KAV log has your email all over it -- please attach it rather than copy/paste.

  13. On reboot after doing the Vundo scan, I got a message that "qfojcoof.dll" could not be found. Is it possible this wasn't a trojan?

    No, that is just Windows trying to load the Vundo file that is no longer there. We'll fix it in a moment.

    Open a new notepad 'page' and copy/paste the text in the codebox below to it:

    File::
    C:\WINDOWS\system32\oqtss.ini2
    Folder::
    C:\WINDOWS\system32\daSgo01

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0003afc4-9aeb-4662-b8aa-79036e249742}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44A3420F-00CC-4798-A799-552D065F1B47}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "6423734a"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurrqr]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    Save this as "C:\CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif

    This will start ComboFix again. After reboot post the contents of Combofix.txt in your next reply

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!

    • Click on the Start Scanning button at bottom of page.
    • Accept the License Agreement and the ActiveX install.
    • Once the ActiveX installs, Click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report to your Desktop for later posting.

    2.

    Post

    • Combo fix log
    • F-Secure results

    in your next reply.
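
As an added example (not part of the original post and not ComboFix code), this Python sketch reads a CFScript like the one above and lists what each section asks for, so a helper can review a script before posting it. The Registry:: handling assumes standard .reg conventions (`[-key]` deletes a key, `"name"=-` deletes a value, `hex(7):` is a REG_MULTI_SZ written as single-byte characters); all function names are hypothetical.

```python
import re

# The CFScript from the post above, embedded as sample input.
SAMPLE_CFSCRIPT = r'''
File::
C:\WINDOWS\system32\oqtss.ini2
Folder::
C:\WINDOWS\system32\daSgo01

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0003afc4-9aeb-4662-b8aa-79036e249742}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44A3420F-00CC-4798-A799-552D065F1B47}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"6423734a"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurrqr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

SECTION_RE = re.compile(r"^(\w+)::$")                      # e.g. "File::"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def decode_multi_sz(hex_csv):
    """hex(7) payload -> list of strings (assumes one byte per character)."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def registry_value(key, name, data):
    """Classify one '"name"=data' line under the current key."""
    if data == "-":
        return ("delete_value", key, name, None)
    if data.lower().startswith("hex(7):"):
        return ("set_multi_sz", key, name, decode_multi_sz(data[7:]))
    return ("set_value", key, name, data)


def parse_cfscript(text):
    """Return {section: [items]}; Registry items are (op, key, name, data) tuples."""
    sections, current, key = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current, key = m.group(1), None
            sections.setdefault(current, [])
        elif current == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                sections[current].append(("delete_key", line[2:-1], None, None))
                key = None
            elif line.startswith("[") and line.endswith("]"):
                key = line[1:-1]          # later value lines apply to this key
            else:
                v = VALUE_RE.match(line)
                if v and key:
                    sections[current].append(
                        registry_value(key, v.group("name"), v.group("data").strip()))
        elif current is not None:
            sections[current].append(line)  # File::, Folder::, Driver::, FileLook:: targets
    return sections


def describe(sections):
    """One readable line per requested action, for review before the script is used."""
    out = [f"{name}: {item}" for name, items in sections.items()
           if name != "Registry" for item in items]
    for op, key, name, data in sections.get("Registry", []):
        target = key if name is None else f"{key} -> {name}"
        out.append(f"Registry {op}: {target}" + (f" = {data}" if data else ""))
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_cfscript(SAMPLE_CFSCRIPT))))
```

Decoding the last line shows that the script writes a single entry, `msv1_0`, to Authentication Packages.
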

  14. Please download SmitfraudFix (by S!Ri) to your Desktop. (Some AV's will say that parts of it are malware, they are not.)

    Now, you should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Once in Safe Mode, double-click on SmitfraudFix.exe

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with the combofix log(below).

    Download Combofix to your desktop.

    Doubleclick combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Post

    • C:\rapport.txt
    • c:\Combofix.txt

    in your next reply.

    Warning : running option #2 on a non infected computer will remove your Desktop background.

  15. Please download VundoFix.exe to your desktop

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and the DSS results from below in a reply to this thread.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Once done with that do the following please.

    Deckard's System Scanner

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
    5. Please attach extra.txt to your post.

    To attach a file to a new post, simply

    1. Go to the Attachments section on the post composition page (just below the text entry window), and
    2. copy and paste the following into the "Select a file" box:

      C:\Deckard\System Scanner\extra.txt


    3. Click Upload.

    What DSS will do:

    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

  16. Please download VundoFix.exe to your desktop

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and the DSS results from below in a reply to this thread.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Once done with that do the following please.

    Deckard's System Scanner

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
    5. Please attach extra.txt to your post.

    To attach a file to a new post, simply

    1. Go to the Attachments section on the post composition page (just below the text entry window), and
    2. copy and paste the following into the "Select a file" box:

      C:\Deckard\System Scanner\extra.txt


    3. Click Upload.

    What DSS will do:

    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

  17. Download Combofix to your desktop.

    Doubleclick combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Post this log in your next reply.

  18. Open your Control Panel>Add/Remove programs> uninstall ALL old JAVA/JRE/JSE programs listed.

    Then download and install the latest version Java 6 Update 3

    Time for some housekeeping

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • When shown the disclaimer, Select "2"

    The above procedure will:

    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

    SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

    IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

    More info and download is available at links in the following article by TonyKlein

    Make SURE to read How Did I Get Infected in the First Place??