Hi IrishCoffee,
OK, let's pick up the leftovers.
Before fixing anything, please open
Notepad (Start -> Run -> type
notepad in the Open field -> OK) and copy and paste the text present
inside the code box below:
(start copying from "
@echo off")
CODE
@echo off
For %%g in (
C:\WINDOWS\system32\RVHIOST.exe
) do catchme -l nul -k %%g >nul
echo.Please submit the file, catchme.zip located on Desktop
pause
exit
Save this as
submit.bat. Choose to "
Save as type - All Files" and place it on your desktop.
It should look like this:
Double-click on submit.bat and allow it to generate a zipped file on your desktop called
catchme.zip.
Please submit catchme.zip to this site ->
http://www.bleepingcomputer.com/submit-malware.php?channel=4Please
include a link to this topic in the message.
NOTE:
The file must be uploaded before proceeding to the next step.NEXT:
Please go to
Start -> Control Panel -> Software -> Add or Remove Programs and remove any of the following that are listed:
BitDownload
BitGrabber
BitLord
BitRoll
CiD Manager
CiD Help
Download Plugin for Internet Explorer
Messenger Plus!
Messenger Plus! 2
Messenger Plus! 3
Messenger Plus! 3 & Sponsor
Messenger Plus! Live
Messenger Plus! Live & Sponsor
Messenger Plus! Live & Sponsor (CiD)
Netpumper
Search Plugin
WinZix
Zone MediaNEXT:
For this next step, please
ensure that ComboFix.exe is on your desktop:
CAUTION: Please do
NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do
NOT adjust your time format while ComboFix is running.
NEXT:
Please run
HijackThis and click "
Scan". Place a check (tick) next to the following entries (if present):
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeMonitorBho Class - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kClose
ALL programs and browsers (including this one), leaving
ONLY HijackThis open, then click "
Fix checked".
Then please exit HijackThis.
NEXT:
Please download
Flash_Disinfector.exe by sUBs and save it to your desktop:
NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.
- Double-click Flash_Disinfector.exe to run it.
- Follow any prompts that may appear.
- Your desktop will vanish for a while, and then reappear. This is normal.
- Wait until the program has finished scanning, then please exit the program.
NEXT:
Please go to:
VirusTotal- At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to next file:
C:\WINDOWS\system32\muzapp.dll
- Click "Open".
- Then click the "Send" button at the top of the VirusTotal page.
- This will scan the file. Please be patient.
- Once scanned, copy and paste the results in your next reply.
Then please do the same as above for the following files:
C:\WINDOWS\system32\
muzapp.exeC:\WINDOWS\system32\
TG_VIEW0607.DLLC:\WINDOWS\system32\
TG_SYNC.DLLC:\WINDOWS\system32\
TG_DUMP0611.DLL
C:\WINDOWS\system32\
RadLightTTAUninstall.exeC:\WINDOWS\system32\
TTACodecs-uninstall.exeNEXT:
Please download
CCleaner (freeware) and save it to your desktop:
- Run the CCleaner installer.
- During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
- Once installed, run CCleaner and click the "Windows" tab.
- Select the following:
- Check everything under the "Internet Explorer" section.
- Check everything under the "Windows Explorer" section.
- Check everything under the "System" section.
- Check ONLY "Old Prefetch data" under the "Advanced" section.
- Then, click the "Applications" tab:
- Next, click the "Options" button in the left pane, then click the "Advanced" button:
- UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
- Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
- When done, please exit CCleaner.
CAUTION: Please do
NOT use the "
Issues" button in the left pane. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.
NEXT:
Let's run an online scan to make sure we're not leaving anything behind.
Please do an online scan with
Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):
- Click on "Kaspersky Online Scanner".
- You will be prompted to install an ActiveX component from Kaspersky, click "Yes".
- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded click on "Next".
- Now click on "Scan Settings".
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
Extended - Scan Options:
Scan Archives
Scan Mail Bases
- Click "OK".
- Now under select a target to scan:
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the "Save Report As" button.
- In the "File name:" field, type kavscan.
- In the "Save as type:" field, select "Text file (*.txt)".
- Save the file to your desktop.
- Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the "
Accept" button of the license, click on the "
Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
NEXT:
Please
REBOOT your computer normally into Windows and post these logs in your next reply:
- The log from the ComboFix scan located at C:\ComboFix.txt.
- The reports from VirusTotal.
- The log from the Kaspersky scan.
- A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).
How are things running now?
~~~
Jun 24 2007, 01:11 PM
Quote
0.0222sec
0.29
7 queries
GZIP Disabled