Ok, follow these instructions exactly.
Download LSPFix from
http://cexx.org/lspfix.htm
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of cirywofylnvba.dll and rsvp32_2.dll in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer and reconnect to the net.
1. Please download The Avenger by Swandog46 from
HERE. Save it to your Desktop and extract it.
2. Download the attached avengerscript.txt and save it to your desktop
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by double clicking on its icon on your desktop.
Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how
HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how
HERE.
Go to add remove programmes in your control panel and uninstall anything to do with(if there).
KuGoo2
Close control panel.
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
MSDN Driver (msdndr)
<Disable the service name and/or the name in brackets.
Close the services window.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
Fix all O1 - Hosts: Entries.
O2 - BHO: (no name) - {514CB15B-6CB4-6F10-5E9E-256DE8B02317} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {8731DA43-3A6B-DFC7-4924-B93ED9BA71EC} - (no file)
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O8 - Extra context menu item: ʹÓÃKugooÏÂÔØ - C:\Program Files\KuGoo2\KugooDownX.htm
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) -
http://mlslink.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) -
http://mlslink.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) -
http://mlslink.mlxchange.com/Control/IRCSharc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{105824B1-0655-4D30-990F-C7730AFC4EB4}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7C4F64-90F7-4511-8D63-E4C78D75AD69}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FE34D40-FA1D-4CDB-948A-B363292C703E}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AD0BCDE-95F9-440F-BBB1-78956550D193}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{A34D7CB5-2F06-4350-9848-0FF3447ABC51}: NameServer = 151.11.169.10
Only fix the above 017 entries if they don`t belong to your ISP.
Fix all O18 - Protocol: Entries.
O20 - AppInit_DLLs: C:\WINDOWS\system32\syst3.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: MSDN Driver (msdndr) - Unknown owner - C:\WINDOWS\system32\msdndr.pif
Click on the fix checked button.
Close HJT.
Locate and delete the following
bold files and/or directories(if there).
C:\Program Files\
KuGoo2<Delete the entire folder.
Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log from normal mode if you can.
Regards Howard
This thread is for the use of di3sel only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.