# Superbad virus!



## Rebel

Got a REALLY bad virus on my comp; it's called QVO6. I don't want to take it out myself (I know about the registry and all that) but would far rather have a malware tool get rid of it. I was thinking of installing either SpyHunter or Bitdefender Plus, and have a preference for Bitdefender as it's got such great reviews. Any advice about these two virus programs, for or against, would be great. Thanks!


----------



## Punk

I would suggest posting in the Computer Security section of the forum. JohnB35 will take care of your virus.


----------



## johnb35

Moved to the correct section.

Please download *Malwarebytes' Anti-Malware* from *here* or *here* and save it to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click *Finish*.
If an update is found, it will download and install the latest version. *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically, which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware.

If for some reason Malwarebytes will not install or run, please download and run *Rkill.scr*, *Rkill.exe*, or *Rkill.com*. If you are still having issues running Rkill, then try downloading these renamed versions of the same program:

*EXPLORER.EXE*
*IEXPLORE.EXE*
*USERINIT.EXE*
*WINLOGON.EXE*

But *DO NOT* reboot the system before you try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away, or you get a message saying Rkill is infected, keep trying to run Rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.



Download the *HijackThis* installer from *here*.
Run the installer and choose *Install*, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

*Vista and Windows 7 users must right-click on the HijackThis icon and click on Run as. If the Run as option doesn't appear, then press and hold the Shift key while right-clicking on the icon to get it to appear.*

Click *Do a system scan and save a logfile*.

_Most of what HijackThis lists will be harmless or even essential; don't fix anything yet._

When the HijackThis log appears in a Notepad file, click on the Edit menu, click Select All, then click on the Edit menu again and click on Copy. Come back to your reply, right-click with your mouse and click on Paste.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.


----------



## Rebel

Hi John, thanks for the info. However, unfortunately, this particular virus is so aggressive that Malwarebytes Anti-Malware didn't even touch it. It downloaded OK and found 1 infection, but QVO6's filthy hijacking homepage and screen saver are still on my comp... I'm beginning to despair...


----------



## Rebel

Got this from the Malwarebytes log:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.19.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16576
Dell D531 :: DELLD531-PC [administrator]

Protection: Enabled

19/05/2013 19:23:12
mbam-log-2013-05-19 (19-23-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210207
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Dell D531\Desktop\bundleSetup.exe (PUP.BundleInstaller.IB) -> Quarantined and deleted successfully.

(end)


~~~~~~~~~


Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.19.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16576
Dell D531 :: DELLD531-PC [administrator]

Protection: Enabled

19/05/2013 19:43:06
mbam-log-2013-05-19 (19-43-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 209663
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
~~~~~~~~~~~~~


2013/05/19 19:21:33 +0100	DELLD531-PC	Dell D531	MESSAGE	Starting protection
2013/05/19 19:21:33 +0100	DELLD531-PC	Dell D531	MESSAGE	Protection started successfully
2013/05/19 19:21:33 +0100	DELLD531-PC	Dell D531	MESSAGE	Starting IP protection
2013/05/19 19:22:20 +0100	DELLD531-PC	Dell D531	MESSAGE	IP Protection started successfully
2013/05/19 19:22:42 +0100	DELLD531-PC	Dell D531	MESSAGE	Starting database refresh
2013/05/19 19:22:42 +0100	DELLD531-PC	Dell D531	MESSAGE	Stopping IP protection
2013/05/19 19:22:44 +0100	DELLD531-PC	Dell D531	MESSAGE	IP Protection stopped successfully
2013/05/19 19:22:49 +0100	DELLD531-PC	Dell D531	MESSAGE	Database refreshed successfully
2013/05/19 19:22:49 +0100	DELLD531-PC	Dell D531	MESSAGE	Starting IP protection
2013/05/19 19:23:00 +0100	DELLD531-PC	Dell D531	MESSAGE	IP Protection started successfully
2013/05/19 19:33:25 +0100	DELLD531-PC	Dell D531	MESSAGE	Starting protection
2013/05/19 19:33:25 +0100	DELLD531-PC	Dell D531	MESSAGE	Protection started successfully
2013/05/19 19:33:25 +0100	DELLD531-PC	Dell D531	MESSAGE	Starting IP protection
2013/05/19 19:33:37 +0100	DELLD531-PC	Dell D531	MESSAGE	IP Protection started successfully


----------



## johnb35

Please post the hijackthis log so I know what the next course of action is.


----------



## Rebel

Hi again. I have attempted several times to install HijackThis on the infected computer, but on each occasion I get a setup wizard and only two choices: to click either Repair or Remove (the installation).

I decided to try the same installation on the computer I am now using (an old Dell laptop which is on its last legs!). HijackThis installed on this comp without a hitch! But I simply cannot get past the Repair or Remove choice when I attempt to put this on the infected computer!


----------



## Rebel

OK, I managed to get the HijackThis icon on the desktop of my infected comp, but it will not allow me to get to Edit. When I click on Do a system scan and save a logfile, the logfile appears, but then is immediately covered by a pop-up which says: "For some reason your system denied write access to the hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this..."

It says a lot more; do you need me to type in everything in the pop-up?

Basically I cannot get past this to copy the contents...


----------



## Rebel

P.S. When I delete that pop-up, another pop-up appears from Notepad. It says: "Cannot find the C:\Program Files (x86)\Trend Micro\HijackThis\hijackthis.log file. Do you want to create a new file?"


----------



## johnb35

Please follow the instructions again, this time paying attention to the writing in red. You must run as administrator.


----------



## Rebel

I click on the writing in red (top bar) and the log comes up perfectly in Notepad on the old comp which I'm presently using, but refuses to come up on the infected comp. The Notepad remains inaccessible.

I have tried Start > Run > notepad c:\windows\system32\drivers\etc\hosts and pressed Enter (as advised by the pop-up), but it still won't work.

The account is Administrator on both comps. They are both Dell computers.

The ONLY way I have been able to get a printout of the log, which has been completely successful (to my surprise, first time I've done this...), is by pressing the Print Screen key, then saving the capture through Microsoft Office Picture Manager. I then saved this as an attachment to my email and sent it to myself (through another email provider). It opens fine and clear using the zoom.

Would it be OK for me to send this through to your email, please? As I cannot get it onto the forum...


----------



## Punk

Rebel said:


> I click on the writing in red (top bar) and the log comes up perfectly in Notepad on the old comp which I'm presently using, but refuses to come up on the infected comp. The Notepad remains inaccessible.
> 
> I have tried Start > Run > notepad c:\windows\system32\drivers\etc\hosts and pressed Enter (as advised by the pop-up), but it still won't work.
> 
> The account is Administrator on both comps. They are both Dell computers.
> 
> The ONLY way I have been able to get a printout of the log, which has been completely successful (to my surprise, first time I've done this...), is by pressing the Print Screen key, then saving the capture through Microsoft Office Picture Manager. I then saved this as an attachment to my email and sent it to myself (through another email provider). It opens fine and clear using the zoom.
> 
> Would it be OK for me to send this through to your email, please? As I cannot get it onto the forum...



To run as administrator, go to the HijackThis launch icon and right-click -> Run as administrator.

If this doesn't do anything, host your picture on some free picture-hosting website, like photobucket.com for example.


----------



## johnb35

Right-click on the HijackThis icon and click on Run as. If the Run as option doesn't appear, then press and hold the Shift key while right-clicking on the HijackThis desktop icon.

Again, all you had to do was reread my instructions that I had highlighted in red when I instructed you to run HijackThis.


----------



## Rebel

OMG! I'm staggered, it worked! Many thanks for the tip!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:59:44, on 20/05/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16576)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\PROGRA~2\AD-AWA~1\AdAware.exe
C:\ProgramData\Search Protection\SearchProtection.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securesearch.lavasoft.com/?s...retb&v=2_5&u=E76EE8B7297682433480C951968D5B13
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O3 - Toolbar: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKLM\..\Run: [SearchProtection] C:\ProgramData\Search Protection\_run.bat
O4 - HKLM\..\Run: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HitmanPro Scheduler (HitmanProScheduler) - SurfRight B.V. - C:\Program Files\HitmanPro\hmpsched.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Ad-Aware (SBAMSvc) - GFI Software - C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8252 bytes


----------
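A note added between the posts (editor's example, not code from any participant or from HijackThis): the HijackThis log above is read by hand in the thread, but the same heuristics a helper applies by eye can be written down. The script below parses the R0/R1 start and search pages, O4 Run entries, O2/O3 browser add-ons and O23 services and flags what a practitioner would question: a start page that is not a Microsoft default (the securesearch.lavasoft.com entry), an autostart that runs a script or lives under ProgramData, AppData or Temp (the `_run.bat` launcher), and an add-on DLL outside Program Files. It also marks the many `(file missing)` System32 services as informational, since a 32-bit scanner on 64-bit Windows sees WOW64 redirection rather than deleted files. The allowlist of default hosts and the `[Example]` Run entry in the sample log are assumptions constructed for the example; the other sample lines are lifted from the log posted above.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; it is not code from the thread or from HijackThis.
Every hit is something to review against what the user says they installed,
not a verdict.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Hosts a stock IE install points at. Anything else is either the user's own
# choice or a hijack, so it is worth a question. Assumption: this short allowlist
# is enough for a first pass; extend it with pages the user set deliberately.
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.bing.com"}

# Autostart locations legitimate vendors rarely use but bundled "search
# protection" and browser hijackers commonly do. Compared case-insensitively.
USER_WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".scr", ".pif")

_URL_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>\S*)$")
_RUN_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
_BHO_RE = re.compile(r"^O[23] - .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
_SVC_RE = re.compile(r"^O23 - Service: .* - (?P<path>.+?)(?P<missing> \(file missing\))?$")
_EXT_RE = re.compile(r"(?i)(.+?\.(?:exe|com|dll|bat|cmd|vbs|js|scr|pif))(?:\s|$)")

# Constructed sample in the shape HijackThis 2.0.4 writes. All lines but the
# [Example] Run entry are copied from the log in the thread; that one is made up
# to exercise the user-writable-directory rule.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securesearch.lavasoft.com/?s...retb&v=2_5&u=E76EE8B7297682433480C951968D5B13
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
O2 - BHO: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
O4 - HKLM\..\Run: [SearchProtection] C:\ProgramData\Search Protection\_run.bat
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKCU\..\Run: [Example] C:\Users\Dell D531\AppData\Local\Temp\example.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
"""


def exe_path(cmd: str) -> str:
    """Return the program path from a Run value, whether or not it is quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXT_RE.match(cmd)
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def _finding(line: str, severity: str, reason: str) -> dict:
    return {"line": line, "severity": severity, "reason": reason}


def triage(log_text: str) -> list[dict]:
    """Walk the log and return findings as dicts with line, severity and reason."""
    findings: list[dict] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := _URL_RE.match(line):
            url = urlsplit(m["value"])
            # Only http(s) values are start/search pages; 'Preserve' and local
            # file paths (Local Page = ...\blank.htm) are normal and skipped.
            if url.scheme in ("http", "https") and url.hostname not in DEFAULT_IE_HOSTS:
                setting = m["key"].split(",")[-1]
                findings.append(_finding(
                    line, "review",
                    f"IE {setting} points at {url.hostname}; confirm the user chose it"))
        elif m := _RUN_RE.match(line):
            path = exe_path(m["cmd"]).lower()
            reasons = []
            if path.endswith(SCRIPT_EXTS):
                reasons.append("script launcher in an autostart key")
            if any(d in path for d in USER_WRITABLE_DIRS):
                reasons.append("autostart from a user-writable directory")
            if reasons:
                findings.append(_finding(line, "suspicious", "; ".join(reasons)))
        elif m := _BHO_RE.match(line):
            path = m["path"].lower()
            if not path.startswith(("c:\\program files", "c:\\windows")):
                findings.append(_finding(
                    line, "suspicious", "browser add-on loaded from outside Program Files"))
        elif m := _SVC_RE.match(line):
            # HijackThis 2.0.4 is a 32-bit program; under WOW64 its view of
            # System32 is redirected, so native-only binaries look 'missing'.
            if m["missing"] and m["path"].lower().startswith("c:\\windows\\system32"):
                findings.append(_finding(
                    line, "info",
                    "'(file missing)' on a System32 service is usually the 32-bit "
                    "scanner seeing WOW64 redirection, not an indicator"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['reason']}\n    {f['line']}")
```

Run it against a saved `hijackthis.log` by passing the file's contents to `triage()`; the `review` hits are questions to put to the machine's owner, and only the `suspicious` ones are worth a closer look at the file itself before anything is "fixed" in HijackThis.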



## Rebel

P.S. I downloaded Hitman Pro just a few minutes ago.
It found:

1 Trojan, as follows: wordpad-windows-downloader.exe
c:\users\D531\Downloads\

1 Malware, as follows: mlv_ar_qvo6.exe
c:\users\Dell D531\AppData\Local\Temp\

I clicked delete...

but the blasted virus thing is STILL there!


----------



## johnb35

http://www.computerforum.com/221423-how-remove-pop-up.html#post1863459

Follow my post there to run ComboFix. I can't post specific instructions as I'm on my phone at work right now.


----------



## voyagerfan99

I'll help ya out John.

*Download and Run ComboFix*
*If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.*

*Download this file* here:

*Combofix*

When the page loads, click on the blue ComboFix download link next to the BleepingComputer mirror.
Save the file to your Windows desktop. The ComboFix icon will look like this when it has downloaded to your desktop.
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

Close all open windows, including this one.

Close or disable all running antivirus, antispyware, and firewall programs, as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found *here*.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix, you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Please click on I agree on the disclaimer window.
ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

ComboFix is now preparing to run. When it has finished, ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then back up your Windows Registry as shown in the image below.

Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.

Please click on Yes in the next window to continue scanning for malware.

ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished, it will automatically restore your Internet connection.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished, it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal, and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.

Now just click on the Edit menu and click on Select All, then click on the Edit menu again and click on Copy. Then come to the forum and, in your reply, right-click with your mouse and click on Paste.



In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## voyagerfan99

Also download and run this program

Please download and run TDSSKiller.

When the program opens, click on the Start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished, it will display a result screen stating whether or not the infection was found on your computer. If it was found, it will display a screen similar to the one below.

To remove the infections, simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.

After trying to clean them, it will pop up with the results of the scan and its actions.

Please reboot the system if asked to do so.

After running, there will be a log located at the root of your C:\ drive labeled TDSSKiller with a series of numbers after it, for example C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt.

Please open the log and copy and paste it back here.


----------



## Rebel

Thanks for that, Voyager! I'm getting ready for the mammoth task.
Before I start, one or two queries.

A) I recently installed Hitman Pro; it's a 30-day free trial version. I don't want to uninstall it unless absolutely necessary. Could you give me details of how to disable it, please? I also have AVG (Free Edition 2013); will I have to delete AVG and reinstall? Not sure if the free version can be disabled...

B) Do I need to put my comp into Safe Mode? I really don't want to, as the Safe Mode screen irks me a bit... Again, if you advise Safe Mode, I will use it; just asking if it's really important to use it or not.

C) Crikey, the thought of using ComboFix is scary! Hope I'm up to the challenge! Wish me all the best... I'm getting my crash helmet out, just in case.


----------



## johnb35

Get rid of Hitman Pro, as it's only a 30-day trial. You don't need to uninstall AVG; just go into the advanced settings and disable Resident Shield.

Safe Mode isn't required at this time.


----------



## Rebel

ComboFix 13-05-21.01 - Dell D531 21/05/2013  17:57:18.1.2 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.44.1033.18.1918.821 [GMT 1:00]
Running from: c:\users\Dell D531\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PYVVOWPB\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Common Files\337
c:\program files (x86)\Common Files\337\libcef\1.1364.1123\icudt.dll
c:\program files (x86)\Common Files\337\libcef\1.1364.1123\libcef.dll
c:\program files (x86)\Common Files\337\libcef\1.1364.1123\locales\en-US.pak
c:\programdata\1361625835.bdinstall.bin
c:\users\Dell D531\AppData\Roaming\337
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\ebase.dll
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\image\default\app_close.png
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\image\default\app_max.png
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\image\default\app_min.png
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\image\default\app_restore.png
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\image\default\wallpaper_resource.xml
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\image\default\window.png
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\language\en_us\wallpaper_lang.ini
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\language\es_es\wallpaper_lang.ini
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\language\pt_br\wallpaper_lang.ini
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\language\tr_tr\wallpaper_lang.ini
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\language\zh_tw\wallpaper_lang.ini
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\layout\default\dp_appwnd.xml
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\layout\default\msgbox.xml
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\libpng.dll
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\main
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\msvcp100.dll
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\msvcr100.dll
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\ouilibnl.dll
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\plusapp.exe
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\style\wallpaper_style.xml
c:\users\Dell D531\AppData\Roaming\337\337 Wallpaper\TrayDownloader.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-21 to 2013-05-21  )))))))))))))))))))))))))))))))
.
.
2013-05-21 17:04 . 2013-05-21 17:04	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-05-21 17:01 . 2013-05-21 17:01	76232	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{2C0B168E-8A03-4283-94C8-5B55C9EF7D9D}\offreg.dll
2013-05-20 13:23 . 2013-05-20 13:23	12872	----a-w-	c:\windows\system32\bootdelete.exe
2013-05-20 13:15 . 2013-05-20 13:15	--------	d-----w-	c:\program files\HitmanPro
2013-05-20 13:15 . 2013-05-20 13:25	--------	d-----w-	c:\programdata\HitmanPro
2013-05-19 18:59 . 2013-05-19 18:59	388096	----a-r-	c:\users\Dell D531\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-05-19 18:59 . 2013-05-19 18:59	--------	d-----w-	c:\program files (x86)\Trend Micro
2013-05-19 18:21 . 2013-05-19 18:21	--------	d-----w-	c:\users\Dell D531\AppData\Roaming\Malwarebytes
2013-05-19 18:20 . 2013-05-19 18:20	--------	d-----w-	c:\programdata\Malwarebytes
2013-05-19 18:19 . 2013-05-19 18:19	--------	d-----w-	c:\users\Dell D531\AppData\Local\Programs
2013-05-18 11:34 . 2013-05-18 11:34	--------	d-----w-	c:\users\Dell D531\AppData\Roaming\LavasoftStatistics
2013-05-17 20:24 . 2013-05-17 20:30	--------	d-----w-	c:\programdata\Ad-Aware Antivirus
2013-05-17 20:05 . 2013-05-17 20:05	--------	d-----w-	c:\programdata\Lavasoft
2013-05-17 20:05 . 2013-05-21 16:22	--------	d-----w-	c:\program files (x86)\Ad-Aware Antivirus
2013-05-17 20:05 . 2013-05-17 20:05	--------	d-----w-	c:\programdata\Downloaded Installations
2013-05-17 20:05 . 2013-05-21 16:09	--------	d-----w-	c:\programdata\Search Protection
2013-05-17 20:03 . 2013-05-18 11:34	14456	----a-w-	c:\windows\system32\drivers\gfibto.sys
2013-05-17 20:03 . 2013-05-17 21:01	--------	d-----w-	c:\users\Dell D531\AppData\Roaming\Ad-Aware Antivirus
2013-05-17 19:11 . 2013-05-17 19:11	--------	d-----w-	c:\users\Dell D531\AppData\Roaming\SparkTrust
2013-05-17 19:11 . 2013-05-17 19:11	--------	d-----w-	c:\users\Dell D531\AppData\Roaming\DriverCure
2013-05-17 19:11 . 2013-05-19 18:44	--------	d-----w-	c:\programdata\SparkTrust
2013-05-17 17:56 . 2013-05-17 17:56	--------	d-----w-	c:\program files (x86)\Anvisoft
2013-05-17 17:47 . 2013-05-17 17:47	--------	d-----w-	c:\windows\system32\appmgmt
2013-05-17 15:39 . 2013-05-17 15:39	27648	----a-w-	c:\windows\system32\licmgr10.dll
2013-05-17 14:27 . 2013-05-17 14:27	--------	d-----w-	c:\program files\Enigma Software Group
2013-05-17 14:26 . 2013-05-17 17:48	--------	d-----w-	c:\windows\BCD5545077AC4347B24F654B1189F8D4.TMP
2013-05-17 14:25 . 2013-05-17 14:25	--------	d-----w-	c:\program files (x86)\Common Files\Wise Installation Wizard
2013-05-17 13:36 . 2013-04-10 06:01	265064	----a-w-	c:\windows\system32\drivers\dxgmms1.sys
2013-05-17 13:36 . 2013-04-10 06:01	983400	----a-w-	c:\windows\system32\drivers\dxgkrnl.sys
2013-05-17 13:36 . 2011-02-03 11:25	144384	----a-w-	c:\windows\system32\cdd.dll
2013-05-17 13:34 . 2013-01-24 06:01	223752	----a-w-	c:\windows\system32\drivers\fvevol.sys
2013-05-17 13:34 . 2013-03-19 06:04	5550424	----a-w-	c:\windows\system32\ntoskrnl.exe
2013-05-17 13:34 . 2013-03-19 05:04	3968856	----a-w-	c:\windows\SysWow64\ntkrnlpa.exe
2013-05-17 13:34 . 2013-03-19 05:04	3913560	----a-w-	c:\windows\SysWow64\ntoskrnl.exe
2013-05-17 13:34 . 2013-03-19 05:46	43520	----a-w-	c:\windows\system32\csrsrv.dll
2013-05-17 13:34 . 2013-03-19 03:06	112640	----a-w-	c:\windows\system32\smss.exe
2013-05-17 13:34 . 2013-03-19 04:47	6656	----a-w-	c:\windows\SysWow64\apisetschema.dll
2013-05-17 13:08 . 2013-05-17 13:10	--------	d-----w-	c:\users\Dell D531\AppData\Roaming\337 Wallpaper
2013-05-17 12:49 . 2013-05-17 13:07	--------	d-----w-	c:\programdata\eSafe
2013-05-17 12:49 . 2013-05-17 13:06	--------	d-----w-	c:\program files (x86)\Desk 365
2013-05-17 12:49 . 2013-05-17 12:49	--------	d-----w-	c:\users\Dell D531\AppData\Roaming\Desk 365
2013-05-17 12:48 . 2013-05-17 12:55	--------	d-----w-	c:\users\Dell D531\AppData\Roaming\eIntaller
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-03 15:15 . 2013-02-21 21:30	75016696	----a-w-	c:\windows\system32\MRT.exe
2013-04-13 05:49 . 2013-05-17 13:35	135168	----a-w-	c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-17 13:35	308736	----a-w-	c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-17 13:35	350208	----a-w-	c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-17 13:35	111104	----a-w-	c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-17 13:35	474624	----a-w-	c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-17 13:35	2176512	----a-w-	c:\windows\apppatch\AcGenral.dll
2013-03-01 13:24 . 2013-03-01 13:23	4368720	----a-w-	c:\windows\SysWow64\mfc100u.dll
2013-02-22 10:51 . 2009-07-14 02:36	175616	----a-w-	c:\windows\system32\msclmd.dll
2013-02-22 10:51 . 2009-07-14 02:36	152576	----a-w-	c:\windows\SysWow64\msclmd.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R1 aswSnx;aswSnx; [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-05-18 14456]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-17 12:35	1642448	----a-w-	c:\program files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-22 14:22]
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-22 14:22]
.
.
--------- X64 Entries -----------
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://securesearch.lavasoft.com/?source=f439e2c0&tbp=homepage&toolbarid=adawaretb&v=2_5&u=E76EE8B7297682433480C951968D5B13
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-SearchProtection - c:\programdata\Search Protection\_run.bat
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
ShellIconOverlayIdentifiers-{152C96EB-288E-4EDC-B7C6-D21F8250ADF3} - c:\program files\Bitdefender\Bitdefender SafeBox\safeboxshell.dll
ShellIconOverlayIdentifiers-{342DAA0B-D796-460D-8566-901E08A1CCAD} - c:\program files\Bitdefender\Bitdefender SafeBox\safeboxshell.dll
ShellIconOverlayIdentifiers-{57595DAE-1AE1-4D97-A49E-67CBB53B52DF} - c:\program files\Bitdefender\Bitdefender SafeBox\safeboxshell.dll
ShellIconOverlayIdentifiers-{33816773-98AE-4723-ADE0-EBE54C8B5A67} - c:\program files\Bitdefender\Bitdefender SafeBox\safeboxshell.dll
HKLM-Run-BDAgent - c:\program files\Bitdefender\Bitdefender 2012\bdagent.exe
AddRemove-{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2468871 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2487367 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2533523 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2600217 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2656351 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2736428 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2742595 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-05-21  18:07:49
ComboFix-quarantined-files.txt  2013-05-21 17:07
.
Pre-Run: 49,465,724,928 bytes free
Post-Run: 49,920,872,448 bytes free
.
- - End Of File - - E93F1639D02C3EFA013C8B4130CABE1F


----------



## Rebel

I attempted to follow with the TDSKiller but the format wouldn't work; I tried it on both computers. It won't open. Ran Combofix, as you can see, however, the virus remains ......


----------



## johnb35

What do you mean the format wouldn't work?  Please explain.

I need you to post a log that combofix produces but doesn't show you.  Please navigate to c:\Qoobox and in that folder will be a file named add-remove programs.txt.  Open that file and copy and paste the contents in your next reply.


----------



## Rebel

How do I navigate to c:\Qoobox?


----------



## voyagerfan99

Rebel said:


> How do I navigate to c:\Qoobox?



Open Explorer and navigate to it....


----------



## Rebel

For some reason tdskiller has installed on my old comp, but I can't, so far, find a tds download that will install on the infected comp. I keep getting a choice of programs: "choose the program you want to use to open this file with". There are 10 to choose from, none of them look like the ones to download this kind of program.... I will keep trying with different Tdskiller downloads. Everything else has downloaded ok so far ....


----------



## Rebel

Did it!

Adobe Reader XI (11.0.02)
Google Chrome
Google Update Helper
HiJackThis
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
ShaderMark v2.1
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)


----------



## Rebel

Still trying to get Tds to work. I got it on the comp; when I click on the download I get a pop-up which says "Compressed Zip Folders": "This application may depend on other compressed files in this folder. For the application to run properly, it is recommended that you first extract all files". Underneath there is a choice of three commands for me to click:
~ Extract all ~ Run ~ Cancel. Which do I click!


----------



## johnb35

Download this file and run it.

http://support.kaspersky.com/downloads/utils/tdsskiller.exe


Also, your uninstall list is pretty short.  Are you by chance hiding what you have installed?


----------



## Rebel

I'm not hiding anything, John, whatever do you mean! Purchased both comps (reconditioned) off eBay; my old Dell is ..... well, old! So I purchased the one that has now got the virus on it, to replace the old one once it finally gives up and dies..... Haven't used my latest comp at all, except to test it out briefly, then I put it aside to fall back on at a later date.
A few days ago I decided to start using my "new" comp, all nice and fresh and running smoothly....... and it gets this damn virus thingy the first time I go to download a freebie, ....... oh well .....


----------



## johnb35

You still haven't answered my question about tdsskiller.  What do you mean format won't work?

Also please do the following.

Please download *AdwCleaner* by Xplode onto your Desktop.

•Please close all open programs and internet browsers.
•Double click on adwcleaner.exe to run the tool.
•Click on Delete.
•Confirm each time with OK
•Your computer will be rebooted automatically. A text file will open after the restart.
•Please post the content of that logfile in your reply.
•You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.


----------



## Rebel

Hi John, many thanx for your ongoing patience! Prob is with the Tdskiller (incl. your latest link). When I click on it, a pop-up comes up, and instead of the usual option ~ Run, as with my other downloads, which work, mostly, without hitch, I get two options, ~ Open or ~ Save; when I click either of these I get another pop-up which says ~ "Choose program you want to open file". Beneath is a list of the ten options -

Adobe Reader, Microsoft Office 2010, Notepad, Windows Media Center,
Windows Photo Viewer, Internet Explorer, Microsoft Word, Paint, Windows Media Player, WordPad.

I don't think any of those programmes are suitable.....


~~~~~~~~~

Follow up :

I have just downloaded ADW cleaner, and clicked ~ Run, .... well it ran!
Then when I clicked on Internet Explorer to send you the report ...... all I got was a blank page! No Internet, no QVO6 browser, nothing! So what do I do now??


----------



## johnb35

Are you downloading the exe or zip version?  I gave you the link to the exe and it should open and run just fine.


----------



## Rebel

I ran the Exe....

Shall I install Firefox? I prefer it to IE. I deleted these when QVO6 showed up; in attempting to get rid of the virus I got rid of all I could. I will try, and see what happens.



Update: I am just in the process of running ~ Spyhunter 4 on my infected comp. Spyhunter is, apparently, the only Malware security tool on the ~ Planet to totally ZAP Super nasties like QVO6! When I ran Spyhunter yesterday, it stated there were 27 QVO6 infections, plus 2 Bekko, 1 Softonic.... 2 Adtech, 11 Atwola and numerous other ....... "delights"

I dunno, frankly, I got a bit of a sneaky suspicion about Spyhunter, quite aside from the fact that they have an ~ Autopayment clause, which makes me wonder if once you purchase their service, you'll NEVER stop paying!

Another thought I had was, as no one else can totally eradicate QVO6...
I was wondering if maybe, Spyhunter..... erm, created it! Read somewhere that Spyhunter had somewhat of an "aggressive" selling streak in the past.... So, just maybe, this is one hell of a clever sales ploy, eh! Wouldn't surprise me .....


Is anyone here clued up on the long term activities / goals of Spyhunter?

Spyhunter is still in the process of scanning my files ...... Detected 94 threats so far ...... Seems a little dubious to me, as that comp has been hardly used, only been on the internet with it half a dozen times, not even a full hour, total .......


----------



## johnb35

Spyhunter is junk.  I still don't understand what the issue is here with tdsskiller.  Is it just your home page that has changed?  You can change that manually back to whatever you want.  Can you download teamviewer on your infected pc and then I can access it and see what is going on?  I would need your id number and password it assigns to you which you can email me.  If you want to do this, just let me know.

Get teamviewer here.

www.teamviewer.com

Click where it says download free for private use.


----------



## Rebel

Managed to claw my way back into internet land..... just about! I clicked on Google Chrome, which was on my desktop when I received the laptop. Here's the log:


# AdwCleaner v2.301 - Logfile created 05/22/2013 at 16:51:57
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Dell D531 - DELLD531-PC
# Boot Mode : Normal
# Running from : C:\Users\Dell D531\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R10QYCO9\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files (x86)\Mozilla FireFox\searchplugins\qvo6.xml
File Disinfected : C:\Users\Dell D531\Desktop\Internet Explorer (64-bit).lnk
File Disinfected : C:\Users\Public\Desktop\Google Chrome.lnk
Folder Deleted : C:\Program Files (x86)\Desk 365
Folder Deleted : C:\ProgramData\eSafe
Folder Deleted : C:\ProgramData\search protection
Folder Deleted : C:\Users\Dell D531\AppData\Roaming\Desk 365
Folder Deleted : C:\Users\Dell D531\AppData\Roaming\eIntaller
Folder Deleted : C:\Users\Dell D531\AppData\Roaming\Mozilla\Firefox\Profiles\67oucfld.default\jetpack

***** [Registry] *****

Data Deleted : HKLM\...\StartMenuInternet\Google Chrome [(Default)] = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" hxxp://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=FUJITSUXMHZ2080BHXG2_K60ZT8425Y2ET8425Y2EX&ts=1368795320
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKLM\Software\Desksvc
Key Deleted : HKLM\Software\qvo6Software
Key Deleted : HKLM\Software\V9
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16576

[OK] Registry is clean.

-\\ Mozilla Firefox v [Unable to get version]

File : C:\Users\Dell D531\AppData\Roaming\Mozilla\Firefox\Profiles\67oucfld.default\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "qvo6");
Deleted : user_pref("browser.search.order.1", "qvo6");
Deleted : user_pref("browser.search.selectedEngine", "qvo6");

-\\ Google Chrome v26.0.1410.64

File : C:\Users\Dell D531\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.28] : keyword = "qvo6",
Deleted [l.31] : search_url = "hxxp://search.qvo6.com/web/?utm_source=b&utm_medium=mlv&from=mlv&uid=FUJITSUXMH[...]
Deleted [l.1900] : urls_to_restore_on_startup = [ "hxxp://securesearch.lavasoft.com/?source=f439e2c0&tbp=homepag[...]

*************************

AdwCleaner[S1].txt - [2749 octets] - [22/05/2013 16:51:57]

########## EOF - C:\AdwCleaner[S1].txt - [2809 octets] ##########
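The AdwCleaner log above shows what a search hijacker of this kind actually changes: three Firefox `user_pref` lines in `prefs.js`, and the `keyword`, `search_url` and `urls_to_restore_on_startup` entries in Chrome's `Preferences` file. As an added example (not part of this thread and not AdwCleaner's own code), the following Python script audits those same settings offline: it parses a constructed `prefs.js` and a constructed `Preferences` JSON document modelled on the log, and flags any search-engine name or hostname that is not on an allowlist. The allowlist contents, the sample files and the `session.urls_to_restore_on_startup` layout are assumptions made for the example.

```python
"""Audit Firefox prefs.js and Chrome Preferences for a rewritten default search
engine or startup page, the settings AdwCleaner removed in the log above.
Added example; the allowlists and sample files below are assumptions."""
import json
import re
from urllib.parse import urlparse

# Engine names / hosts a defender expects to see (assumption for this example).
EXPECTED_ENGINE_NAMES = {"google", "bing", "duckduckgo"}
EXPECTED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Firefox prefs that search hijackers commonly rewrite (the three the log deleted).
WATCHED_FIREFOX_PREFS = (
    "browser.search.defaultenginename",
    "browser.search.order.1",
    "browser.search.selectedEngine",
)

# Matches one prefs.js line of the form: user_pref("name", "string value");
USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')


def host_of(url):
    """Lowercase hostname of url ('' if the value is not a URL with a host)."""
    return (urlparse(url).hostname or "").lower()


def audit_firefox_prefs(prefs_js):
    """Return [(pref, value)] for watched prefs that point at an unexpected engine."""
    findings = []
    for line in prefs_js.splitlines():
        match = USER_PREF_RE.match(line)
        if not match:
            continue  # comments, non-string prefs, blank lines
        pref, value = match.group(1), match.group(2)
        if pref in WATCHED_FIREFOX_PREFS and value.lower() not in EXPECTED_ENGINE_NAMES:
            findings.append((pref, value))
    return findings


def audit_chrome_preferences(preferences_json):
    """Return [(setting, offending value)] for the default search provider and the
    startup URLs found in a Chrome Preferences JSON document."""
    prefs = json.loads(preferences_json)
    findings = []
    provider = prefs.get("default_search_provider", {})
    keyword = provider.get("keyword", "")
    if keyword and keyword.lower() not in EXPECTED_ENGINE_NAMES:
        findings.append(("default_search_provider.keyword", keyword))
    search_url = provider.get("search_url", "")
    if search_url and host_of(search_url) not in EXPECTED_HOSTS:
        findings.append(("default_search_provider.search_url", host_of(search_url)))
    for url in prefs.get("session", {}).get("urls_to_restore_on_startup", []):
        if host_of(url) not in EXPECTED_HOSTS:
            findings.append(("session.urls_to_restore_on_startup", host_of(url)))
    return findings


# Constructed sample inputs mirroring the entries in the AdwCleaner log.
FIREFOX_PREFS_SAMPLE = """\
// Mozilla User Preferences (constructed sample)
user_pref("browser.search.defaultenginename", "qvo6");
user_pref("browser.search.order.1", "qvo6");
user_pref("browser.search.selectedEngine", "qvo6");
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.sessionstore.resume_from_crash", false);
"""

CHROME_PREFERENCES_SAMPLE = json.dumps({
    "default_search_provider": {
        "keyword": "qvo6",
        "name": "qvo6",
        "search_url": "http://search.qvo6.com/web/?q={searchTerms}",
    },
    "session": {
        "restore_on_startup": 4,
        "urls_to_restore_on_startup": [
            "http://securesearch.lavasoft.com/?source=f439e2c0",
            "https://www.google.com/",
        ],
    },
})

if __name__ == "__main__":
    for finding in audit_firefox_prefs(FIREFOX_PREFS_SAMPLE):
        print("firefox:", *finding)
    for finding in audit_chrome_preferences(CHROME_PREFERENCES_SAMPLE):
        print("chrome:", *finding)
```

On a real machine the two inputs would be read from the profile paths the log names (`...\Mozilla\Firefox\Profiles\<profile>\prefs.js` and `...\Google\Chrome\User Data\Default\Preferences`); matching on the hostname rather than the whole URL is deliberate, since hijackers vary the tracking parameters but not the host.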


----------



## johnb35

Ok, that explains it.  It was an addon for firefox.  

Now back to my one question about your installed programs.  You seem to have lavasoft and avast installed but they don't show up in your installed programs list.  I can't help you correctly if I can't get accurate info from you.  

How's the system running now?


----------



## Rebel

Lavasoft comes up as a search engine at times, but mostly QVO6 comes up. I didn't choose either of these; it's all just one big confusion of labels as far as I'm concerned... As for Avast, I didn't realise it was there; it's not on my desktop, nor in my programs list. I'm not a comp expert. I report what I believe to be true; if I mess up, I apologise, but it is not deliberate.....

Well I didn't much like ~ Google Chrome, so decided to reinstall ~ Firefox, which is one of my favourite browsers. I chose the latest version, and was VERY careful to make sure I didn't download any nasties with it ....... As I got that total ~ blank screen earlier, I believed QVO6 was gone for good.......

However, when Firefox installed, just a few minutes ago, QVO6 raised its ugly tentacles of doom back onto the screen again ....


----------



## johnb35

Check your add-ons for Firefox and see what's installed.  You should let me connect to your system.  It's possible the OS is corrupt and you need to reinstall.  Your uninstall list isn't complete, like I said.


----------

