Hi ellyquim.
That sounds cool, but I think we should be able to remove it manually and then put stuff in place to keep it from recurring.
Please copy and paste the following instructions into a Notepad file (.txt) and save it to your desktop. Then you can have the file open in safe mode.
Boot into safe mode, under your normal user name (not the administrator account). See how
HERE.
Run HijackThis with no other programmes open except Notepad. Place a tick in the box next to the following entries (if there):
Only fix the following R1 entry if you didn't set this proxy yourself or you don't know what it is.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.192.59.18:8080
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll
O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)
Click the Fix Checked button. Close HJT.
Now reboot into normal mode.
1. Please download The Avenger by Swandog46 from
HERE. Save it to your Desktop and extract it.
2. Download the attached avengerscript.txt and save it to your desktop
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by double clicking on its icon on your desktop.
Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT and ComboFix logs, and an AVG Anti-Spyware log if you can.
Regards
This thread is for the use of HNS only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.