Topic: Avira AntiVir PE Classic 7.00 reports TR/Drop.Agent.dgo.8
fsg
Guest
« on: January 15, 2008, 00:18:02 »


Hi,

During start up, Avira AntiVir Personal Edition Classic 7.00 is identifying the trojan horse TR/Drop.Agent.dgo.8 in C:\WINDOWS\system32\awtss.exe. However, even after removing this file, the same alert is reported at every startup.

Any help will be appreciated!

Thanks,

Paco

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:40:28, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\quygyffo.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\CDBurnerXP\NMSAccess.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SeaMonkey\SeaMonkey.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SeaMonkey\SeaMonkey .exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.es/ig/dell?hl=es&client=dell-row&channel=es&ibd=6060920
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.es/hws/sb/dell-row/es/side.html?channel=es
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.es/hws/sb/dell-row/es/side.html?channel=es
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.es/hws/sb/dell-row/es/side.html?channel=es
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.es/ig/dell?hl=es&client=dell-row&channel=es&ibd=6060920
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtss.exe
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "C:\Program Files\SeaMonkey\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\SEAMON~1\SEAMON~1.EXE" -turbo
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Búsqueda en Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traducir palabra inglesa - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159604026937
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DomainService -   - C:\WINDOWS\system32\quygyffo.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Lurdes/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7799 bytes
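A small triage script, added here as an example and not part of the thread or of the HijackThis/ComboFix tools, that flags the persistence signs a helper would pick out of the log above: the win.ini load= entry, the service with an empty vendor field, the unidentified Winsock LSP entry, and executables renamed to "name .exe" (the form ComboFix later moved back). The heuristics are my own and the sample lines are constructed in the shape of this log.

```python
"""Triage heuristics for a HijackThis log (added example, not part of this thread).

Each heuristic matches something visible in the log posted above:
  * an F3 win.ini load= entry pointing at a system32 executable,
  * an O23 service with an empty vendor field,
  * a Winsock LSP entry HijackThis cannot identify,
  * executables whose name has a space before the extension ("realsched .exe"),
    which is where the original binary ended up before ComboFix put it back.
"""
import re

# Constructed sample: lines copied in shape from the HJT log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\quygyffo.exe
C:\Program Files\SeaMonkey\SeaMonkey.exe
C:\Program Files\SeaMonkey\SeaMonkey .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\awtss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe
O23 - Service: DomainService -   - C:\WINDOWS\system32\quygyffo.exe
"""

# "name .exe": a space immediately before the extension, at end of line.
SPACED_EXT = re.compile(r"\S \.(exe|dll|scr|com)$", re.IGNORECASE)
# F2/F3 lines: win.ini load= / run= is an obsolete autostart, rarely legitimate.
WININI = re.compile(r"^F[23] - REG:win\.ini: (?:load|run)=(?P<path>.+)$")
# O23 lines: "Service: <display name> - <vendor> - <path>".
SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) - (?P<path>.+)$")
# O10 lines: HijackThis could not attribute a layered service provider DLL.
LSP = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<file>.+)$")


def analyze(log_text):
    """Return a de-duplicated list of (rule, severity, detail) tuples."""
    findings = []
    seen = set()

    def add(rule, severity, detail):
        key = (rule, detail)
        if key not in seen:
            seen.add(key)
            findings.append((rule, severity, detail))

    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if SPACED_EXT.search(line):
            add("space_before_extension", "high", line)
        m = WININI.match(line)
        if m:
            add("winini_load", "high", m.group("path").strip())
        m = SERVICE.match(line)
        if m:
            vendor = m.group("vendor").strip()
            if vendor == "":
                # No company at all: matches the DomainService entry above.
                add("service_without_vendor", "high", m.group("path"))
            elif vendor.lower() == "unknown owner":
                # Named but unattributed; worth a look, often a legitimate tool.
                add("service_without_vendor", "review", m.group("path"))
        m = LSP.match(line)
        if m:
            add("winsock_lsp", "review", m.group("file"))
    return findings


if __name__ == "__main__":
    for rule, severity, detail in analyze(SAMPLE_LOG):
        print(f"[{severity:6}] {rule:24} {detail}")
```

Run it against a full HijackThis log by passing the file contents to analyze(); each finding is a pointer for a human to review, not a verdict.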
Derek
Administrator
« Reply #1 on: January 15, 2008, 00:24:16 »

Delete any existing version of ComboFix you have sitting on your desktop

Download ComboFix from Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results"
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net
--------------------------------------------------------------------
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • WARNING: IF you have not already done so, ComboFix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no internet connection when ComboFix has completely finished then restart your computer to restore the connections.
Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****


Derek
Microsoft MVP  Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you
Would you do all this for nothing?
 I run this site to raise funds for Hedgehog Rescue
Please donate if I have helped you or you have found this site useful.

fsg
Guest
« Reply #2 on: January 15, 2008, 00:59:38 »

Hi Derek,

Thanks for your fast answer!

Here is the ComboFix report and the new HijackThis log. Any ideas?

Best regards,

Paco


ComboFix 08-01-15.3 - Lurdes 2008-01-15  1:37:22.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.600 [GMT 1:00]
Running from: C:\Documents and Settings\Lurdes\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SeaMonkey\SEAMON~1 .EXE
C:\Program Files\SeaMonkey\SeaMonkey.exe
C:\WINDOWS\recover.reg
C:\WINDOWS\system32\awtss.dll
C:\WINDOWS\system32\awtss.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\quygyffo.exe
C:\WINDOWS\system32\sstwa.ini
C:\WINDOWS\system32\sstwa.ini2
C:\WINDOWS\system32\urqrpqn.dll

C:\Program Files\Common Files\Real\Update_OB\realsched .exe ---> realsched.exe
C:\Program Files\SeaMonkey\SeaMonkey .exe ---> SeaMonkey.exe
C:\Program Files\SeaMonkey\SEAMON~1 .EXE ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


(((((((((((((((((((((((((   Files Created from 2007-12-15 to 2008-01-15  )))))))))))))))))))))))))))))))
.

2008-01-15 01:33 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-12 19:34 . 2008-01-12 19:34   <DIR>   d--------   C:\Program Files\Real
2008-01-12 19:34 . 2008-01-12 19:34   <DIR>   d--------   C:\Program Files\Common Files\xing shared
2008-01-12 19:34 . 2008-01-12 19:34   <DIR>   d--------   C:\Program Files\Common Files\Real
2008-01-12 19:09 . 2008-01-12 19:09   <DIR>   d--------   C:\Program Files\FLV Player
2008-01-10 09:43 . 2008-01-10 09:43   20   --a------   C:\WINDOWS\hppsapp.INI
2008-01-07 13:52 . 2008-01-07 13:52   <DIR>   d--------   C:\Program Files\CCleaner
2007-12-23 21:05 . 2007-12-23 21:05   <DIR>   d--------   C:\Program Files\DVDFabHDDecrypter4
2007-12-22 15:00 . 2007-12-22 15:00   <DIR>   d--------   C:\Program Files\DVDStyler
2007-12-22 13:23 . 2007-12-22 13:23   <DIR>   d--------   C:\Program Files\IfoEdit
2007-12-22 13:21 . 2007-12-22 14:53   432   --a------   C:\WINDOWS\IfoEdit.INI
2007-12-21 23:19 . 2007-12-21 23:19   <DIR>   d--------   C:\Program Files\RipIt4Me
2007-12-21 23:18 . 2007-12-23 20:46   <DIR>   d--------   C:\Documents and Settings\Lurdes\Application Data\RipIt4Me

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 00:47   ---------   d-----w   C:\Program Files\SeaMonkey
2008-01-14 20:22   ---------   d-----w   C:\Program Files\Sonic
2008-01-13 21:12   ---------   d-----w   C:\Program Files\SyncBack
2008-01-13 17:48   118,784   ----a-w   C:\WINDOWS\SeaMonkeyUninstall.exe
2008-01-13 17:47   118,784   ----a-w   C:\WINDOWS\GREUninstall.exe
2008-01-13 16:54   ---------   d-----w   C:\Program Files\QuickTime
2008-01-13 16:53   ---------   d-----w   C:\Program Files\Windows Defender
2007-12-30 19:52   ---------   d-----w   C:\Documents and Settings\Lurdes\Application Data\OpenOffice.org2
2007-12-23 20:35   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-16 12:32   ---------   d-----w   C:\Program Files\IrfanView
2007-12-12 00:26   ---------   d-----w   C:\Program Files\Avi2Dvd
2007-12-11 20:54   ---------   d-----w   C:\Program Files\AviSynth 2.5
2007-12-04 19:42   ---------   d-----w   C:\Program Files\Mathematics Worksheet Factory Deluxe 3.0
2007-12-04 12:50   ---------   d-----w   C:\Program Files\Supera
2007-12-02 23:44   ---------   d-----w   C:\Program Files\Ares
2007-12-01 08:13   ---------   d-----w   C:\Program Files\SnagIt32
2007-11-27 21:52   ---------   d-----w   C:\Program Files\Common Files\Adobe
2007-11-25 20:01   ---------   d-----w   C:\Program Files\Java
2007-09-30 07:35   48,504   ----a-w   C:\Documents and Settings\Lurdes\Application Data\GDIPFONTCACHEV1.DAT
2007-03-15 14:31   18,297,362   ----a-w   C:\Program Files\geogebra_setup_jre.exe
2006-12-20 19:05   1,565   ----a-w   C:\Program Files\install.jnlp
2006-12-02 09:15   1,584   ----a-w   C:\Program Files\author.jnlp
2007-06-01 21:30   56   --sh--r   C:\WINDOWS\system32\81DC94357C.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"SeaMonkey Quick Launch"="C:\Program Files\SeaMonkey\SeaMonkey.exe" [2008-01-15 00:05 151552]
"Mozilla Quick Launch"="C:\PROGRA~1\SEAMON~1\SEAMON~1.exe" [2008-01-15 00:05 151552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 23:30 282624 C:\WINDOWS\stsystra.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-15 00:05 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 05:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 05:53 34880]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-27 22:52:34]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 18:28:28]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-09-30 09:10:20]
Inicio rápido de Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R1 tidnet;TID NDIS Protocol Driver;C:\WINDOWS\system32\DRIVERS\tidnet.sys [2006-07-12 13:23]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;C:\WINDOWS\system32\DRIVERS\hnm_wrls_pkt.sys [2006-01-12 22:27]
R2 wsppkt;Wireless Security Protocol;C:\WINDOWS\system32\DRIVERS\wsp_pkt.sys [2006-01-12 22:29]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff48c3a-88b7-11dc-923a-0016cffe2d4c}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4938cf0a-4f4a-11dc-91a1-0016cffe2d4c}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4938cf0c-4f4a-11dc-91a1-0016cffe2d4c}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{777a9a22-4853-11dc-9192-0016cffe2d4c}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{777a9a24-4853-11dc-9192-0016cffe2d4c}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9613c76f-88aa-11dc-9239-0016cffe2d4c}]
\Shell\AutoRun\command - F:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 00:50:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 01:48:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15  1:50:43 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-15 00:50:39
.
2008-01-11 07:26:21   --- E O F --- 


[attachment deleted by admin]
Derek
Administrator
« Reply #3 on: January 15, 2008, 20:43:03 »

Looks clear now BUT you might have to reinstall SeaMonkey as I can't tell if the trojan affected it

Does SeaMonkey work properly?

If it does then

Please download ATF Cleaner by Atribune

      Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

If you use Firefox browser as well as Internet Explorer or instead of it then also do this step

      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser as well as Internet Explorer or instead of it then also do this step

      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

 This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

 
Notes for Windows Vista users:

On Windows Vista "Windows Temp" is disabled; to empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator"
Prefetch has been disabled on Windows Vista. As the author is not sure of the effects that emptying prefetch on Windows Vista will have, for the time being that function won't be enabled


Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
Press Cleanup & it will search for and delete/uninstall all the tools we have used to fix your problems and all their backup folders and then delete itself when you next reboot

Then
Turn off System Restore by following instructions here
http://www.thespykiller.co.uk/index.php?page=8
That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable System Restore & create a new restore point. Now empty the Recycle Bin on the desktop

Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

And scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer

Then pay an urgent visit to Windows Update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place


fsg
Guest
« Reply #4 on: January 16, 2008, 21:30:12 »


Hi Derek,

You were right! SeaMonkey needed to be reinstalled.

I have followed all the steps and now everything seems fine.

So, next step is to Donate!

Best regards,

Paco