You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
1. Please download The Avenger by Swandog46 from
HERE. Save it to your Desktop and extract it.
2. Download the attached avengerscript.txt and save it to your desktop
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how
HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how
HERE.
Go to add remove programmes in your control panel and uninstall anything to do with(if there).
Viewpoint
Viewpoint Manager
Video Access ActiveX Object
SpyDawn
SystemDoctor 2006 Free
Close control panel.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
ViewMgr.exe
SpyDawn.exe
dcmon.exe
regscan.exe
isamntr.exe
Close task manager.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://aimtoday.aol.com/today/aimtoday.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*
http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Shell Doc Object and Control Helper Class - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\system32\shdocvs.dll
O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {ea6386c4-dd77-423b-b04d-09d213ad1c28} - C:\WINDOWS\system32\DSAUEST.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video Access ActiveX Object\iesplugin.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [SpyDawn] C:\Program Files\SpyDawn\SpyDawn.exe /h
O4 - HKLM\..\Run: [dc6_check] C:\Program Files\SystemDoctor 2006 Free\dcmon.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video Access ActiveX Object\isamntr.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} -
http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: DSAUEST - C:\WINDOWS\SYSTEM32\DSAUEST.dll
O22 - SharedTaskScheduler: apathies - {aed6f6a3-183c-488d-9f90-23db99f56e7f} - C:\WINDOWS\system32\geplxss.dll (file missing)
Click on the fix checked button.
Close HJT.
3. Now, start The Avenger program by double clicking on its icon on your desktop.
Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.
Regards Howard
This thread is for the use of katzmark06 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.