Qoologic, Narrator.A, aklsp and more mess

Discussion in 'Malware Help (A Specialist Will Reply)' started by jukes, Feb 9, 2005.

  1. jukes

    jukes Private E-2

    (sigh)

    First off, thank you in advance.

    I found a recent thread at this site through a search engine which had a similar set of problems as I'm having now. I guess I'm a collector too. :-( As per your tutorial, I'm holding the hjt log until instructed to post as attachment. (I have three since 2am last night, and I think they're all different) Web pages popping up galore, IE errors, and now even blue screens. This all started last night after clicking a link to some runescape tips. I knew the machine was in trouble immediately because of the prompt to change my homepage and the spate of browser windows opening by themselves, error messages, etc. It felt like my computer was holding me hostage, ctrl alt del wasn't even fast enough to stop them and finally to shut down, I had to push the reset, endure the scan disc and finally could shut down.

    I did check and post at a couple of other sites, but found nothing in them that came close to fixing some of these particular cooties and have heard nothing back. Some of those bugs don't even come up in search engines, but luckily one did and that's how I found that other thread here at your site.

    I did a Spybot S&D 1.2 scan (my friend told me to update to 1.3). It found a lot, but some it said it would fix on reboot and didn't. It said I had CWS and several versions of it, but CWS Shredder said the machine was clear. I tried many times to do AdAware SE, but it's freezing during the delete, even in safe mode. Furthermore, between the first one (around 172 problems) and the second (about 309) it seems to be getting worse no matter what I try.

    At first I couldn't run a RAV online scan. Finally I could but it found several problems it couldn't fix. (I copied that, one was Small.nf, Agent.BR and some others) Panda online said it found 2 infections and fixed them, and trend micro said it fixed a Narrator.A one, (via dialog box during that scan) however, at the end, it found quite a few Narrator.A bugs it couldn't fix. I tried Registry Mechanic. It found 2 things and deleted them.. which doesn't seem to have done any good, they came back. I tried Add/Remove on Web Offer, it gives me a page that I'm supposed to tell them why I want to uninstall.

    I have worked on this now since 6am this morning, and I'm really losing hope here, not to mention neglecting my volunteer job. I realize people are busy, there's loads of people with computer problems and I will continue to be patient and hope someone can help me here. Luckily, I do have a laptop on dialup next to this desktop on DSL to aid in dealing with this.

    Once again, thank you in advance for any assistance
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Jukes,

    Let's see what we can do to help you out! :cool:

    Please go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work these days, but will check back as time permits.

    Best :)
     
  3. jukes

    jukes Private E-2

    hi and thank you so very much, tears o gratitude here. I was in the process of following one of the tutorials (and panicking when symantec found loads even after all the other scans had supposedly fixed some things) when I saw I'd received a reply on this. Something I did cleaned up this latest hjt a little bit, but it's still a mess. Again, thank you!
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Jukes,

    Please download the following tools:

    Pocket KillBox

    Generic Detection Tool 9X - ME

    LSP - Fix

    VX2 Finder - Version Msg126 for 9x


    NOW:
    Please unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that log along with a fresh HijackThis Log.

    Note that you MUST NOT REBOOT after submitting these logs as the baddies will mutate!

    Will try to check back tonight.

    PP :)
     
  5. jukes

    jukes Private E-2

    again, thank you

    I was able to follow all the directions without my computer freezing up. Here are the logs, and that hjt log looks worse again. Thank you for the warning about rebooting, and I guess the best idea would be to log off the internet for now, so the webpages don't keep stacking up and freeze it up again. I'm grateful for the help and that I have a second computer to deal with this.
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi Jukes,

    Before undertaking the following steps, YOU MUST DISABLE SPYBOTSD’s TEA TIMER FUNCTION – It may interfere with the fix below!!!

    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.


    Please make sure the Viewing of Hidden Files is Enabled as per the tutorial.


    For this part of the instructions, be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.

    Here is Step 1:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM\WQNETMGR.DLL into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM\ANVAPI32.DLL into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM\IFHLPAPI.DLL into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    You get the idea. . . Now, do the same for the rest of them:

    C:\WINDOWS\SYSTEM\NLSWAN32.DLL
    C:\WINDOWS\SYSTEM\IBMP.DLL
    C:\WINDOWS\SYSTEM\WENNET16.DLL
    C:\WINDOWS\SYSTEM\locmgr10.dll
    C:\WINDOWS\SYSTEM\MZUTILSE.DLL
    C:\WINDOWS\SYSTEM\SSTUP4.DLL
    C:\WINDOWS\SYSTEM\DXMSSHRN.DLL
    C:\WINDOWS\SYSTEM\UIER32.DLL
    C:\WINDOWS\SYSTEM\jfproxy.dll
    C:\WINDOWS\SYSTEM\OKCACHE.DLL
    C:\WINDOWS\SYSTEM\CNFG95.DLL
    C:\WINDOWS\SYSTEM\SAIMGVW.DLL
    C:\WINDOWS\SYSTEM\vx1x.nls
    C:\WINDOWS\SYSTEM\vx1.nls
    C:\WINDOWS\SYSTEM\vx0.nls
    C:\WINDOWS\SYSTEM\vx2.nls
    C:\WINDOWS\SYSTEM\vx2x.nls
    C:\WINDOWS\SYSTEM\vx3.nls
    C:\WINDOWS\SYSTEM\vx3x.nls


    Now, Copy and Paste C:\WINDOWS\SYSTEM\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    NOW, you will be entering more items into Pocket KillBox. However, this time just select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:


    C:\RECYCLER\Desktop.ini
    C:\WINDOWS\wsxsvc
    C:\WINDOWS\vmss
    C:\WINDOWS\gannhn.dll
    C:\WINDOWS\azoieo.dll
    C:\WINDOWS\qpzlhz.exe
    C:\WINDOWS\pgylcy.dll
    C:\WINDOWS\kyivwi.exe
    C:\WINDOWS\vqawpa.dat
    C:\WINDOWS\Start Menu\Programs\StartUp\nyukhu.exe


    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.


    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg


    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{A0B89273-1433-4F9B-9857-B26863F98AED}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Narrator"=-


    Now:

    DoubleClick on the fixvx2.reg file you made and follow the prompts to allow it to merge the registry entries into the registry.


    NEXT:
    Please scan with HijackThis and Check the Boxes for the following, IF FOUND:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch

    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\kyivwi.exe
    O4 - Startup: nyukhu.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.systemaxpc.com ---> Is this the desired setting?

    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
    Be sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    NEXT:
    Please download HOSTER and open it, select Restore Original Hosts > Press OK and then exit program.


    Finally, attach another Find.bat log and a Fresh HJT log and we'll finish this up!

    Let me know about any problems that you may have run into completing the above! Been very busy lately, but I will try to check back when time permits.

    PP :)
     
    Last edited by a moderator: Feb 9, 2005
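    The HijackThis entries above show two patterns worth recognising in any HJT log: a hosts-file hijack, where several search domains all resolve to one outside IP, and Run/Startup entries that load a six-letter random executable straight out of C:\WINDOWS under a misleading label such as "Narrator". The Python below is an added example written for this thread, not a tool from the original post or from MajorGeeks; the sample log is constructed from the lines quoted above, and the six-lowercase-letter filename heuristic and the rule that an O16 DPF entry with no class name is suspicious are assumptions drawn from this thread, not HijackThis rules.

```python
"""Classify HijackThis (HJT) log lines and flag the hosts-file hijack and
random-name autorun entries of the kind shown in this thread.

Added example for the thread above; not part of HijackThis or MajorGeeks."""
import re
from collections import defaultdict

# Constructed sample built from the HJT entries quoted in the instructions.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\kyivwi.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: nyukhu.exe
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
HOSTS_ENTRY = re.compile(r"^Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")
# An O16 line whose GUID is followed directly by the URL, with no "(Class Name)".
UNNAMED_DPF = re.compile(r"^DPF:\s+\{[0-9A-Fa-f-]+\}\s+-\s+\S+$")
# Heuristic (assumption): six random lowercase letters, as seen in this thread.
RANDOM_NAME = re.compile(r"^[a-z]{6}\.(?:exe|dll)$")
LOOPBACK = {"127.0.0.1"}


def parse_hjt(text):
    """Return (section, body, full_line) for every well-formed HJT line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def hosts_hijacks(entries):
    """Group O1 hosts entries by IP; any non-loopback IP is a redirect."""
    by_ip = defaultdict(set)
    for section, body, _ in entries:
        if section != "O1":
            continue
        m = HOSTS_ENTRY.match(body)
        if m and m.group("ip") not in LOOPBACK:
            by_ip[m.group("ip")].add(m.group("host"))
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def run_target(body):
    """Split an O4 body into (location, label, executable path)."""
    where, _, rest = body.partition(": ")
    label = None
    m = re.match(r"\[(?P<label>[^\]]*)\]\s*(?P<rest>.*)$", rest)
    if m:
        label, rest = m.group("label"), m.group("rest")
    if rest.startswith('"') and rest.count('"') >= 2:
        path = rest[1:rest.index('"', 1)]      # quoted path, drop arguments
    else:
        path = rest.split()[0] if rest.split() else ""
    return where, label, path


def suspicious_autoruns(entries):
    """O4 entries whose executable has a random six-letter name."""
    flagged = []
    for section, body, line in entries:
        if section != "O4":
            continue
        _, _, path = run_target(body)
        basename = path.rsplit("\\", 1)[-1]
        if RANDOM_NAME.match(basename):
            flagged.append(line)
    return flagged


def unnamed_dpf(entries):
    """O16 ActiveX downloads that carry no class name at all."""
    return [line for section, body, line in entries
            if section == "O16" and UNNAMED_DPF.match(body)]


def analyse(text):
    entries = parse_hjt(text)
    return {
        "hosts_hijack": hosts_hijacks(entries),
        "suspicious_autorun": suspicious_autoruns(entries),
        "unnamed_dpf": unnamed_dpf(entries),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HJT_LOG).items():
        print(key, value)
```

    Run it against the sample and it groups all three search hostnames under 69.20.16.183, flags the kyivwi.exe and nyukhu.exe autoruns while leaving QTTASK.EXE alone, and singles out the loader2.ocx DPF entry that has no class name. Feeding it a real HJT log is a quick first pass; the legitimate Spybot BHO (O2) is untouched because the checks only look at O1, O4 and O16.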
  7. jukes

    jukes Private E-2

    hi

    I am using my laptop with your instructions on it, and working on the desktop comp. This is a good reason why I refused to chain these together, so there is no link to them. Plus, the laptop is portable and on dialup and I could wipe its drive if ever needed. Not a good option for the desktop one though.

    Anyway, with this:

    It did give the confirmation, it never did ask me if I wanted to reboot. With any of them at all in the killbox section.

    On this:

    only the UserAgent$ Button was on the right side. I clicked it and a dialog box asked me if I wanted to delete that string. I hope I guessed correctly to click on "yes".

    I figured I better post this now, in case something isn't going right so far. Hopefully the right next step would be to continue after the reboot. I will watch this thread just in case it isn't. (two hands, two computers.. whee)

    thank you!
     
    Last edited: Feb 10, 2005
  8. jukes

    jukes Private E-2

    uh oh. I did every step as you'd listed. I even had someone on the phone reading it along with me, helping double check and for moral support, and one online as well.

    I still see it in the hjt log.

    Maybe something in what I'd posted before was not correct afterall?

    and

    and on this:

    yes, and I didn't check it.

    My continued gratitude for your assistance!
     
  9. jukes

    jukes Private E-2

    further ooooh nooooooooo...

    Just after posting my last reply and logs, I had it all start happening. Even some other dialog box wanting to know if I want to install (whatever it was).

    Here's a new hjt log in case it changed, which after what I saw, I dont doubt.
     
  10. jukes

    jukes Private E-2

    (posted from laptop)

    I'm trying the entire process again. (and hoping this isn't the wrong move) Before this, I was able to run AdAware successfully. (finally, but it wasn't via the easy way. I did the deletes in smaller batches, and eventually it ran clear) The desktop computer hasn't been online since what happened last night, and unless there is something new to download, I hope I can keep it offline until this is all cleared. Also, I figured when I did have it online, it was better not to use IE or surf with it, and using one isp screen name on it, and a different screen name on the laptop, I messaged links from the laptop to the desktop. (one way only)

    On this new attempt, in the killbox section, I'm attempting to copy one item from the list I have on wordpad, closing wordpad, pasting to the box, following the directions and then opening the wordpad to copy the next one. When I did this before, I did keep the wordpad open as I copied each file. It's still giving a confirmation for each, but not asking if I want to restart.

    I hope for success.

    a clarification I'd forgotten to address before:

    Because I had just installed this, I wasn't sure how to use this version. I looked and poked around, but it wasn't immediately apparent HOW to disable that, so I uninstalled that version, and put in a fresh install of 1.3 without that Tea Timer function.

    I also wondered about something:

    Was the LSP - Fix extraneous? I looked back carefully over the process you listed and didn't see it.

    Thank you again
     
  11. jukes

    jukes Private E-2

    (posted from laptop) I think the last attempt was successful, and will post the logs as attachments shortly from the desktop computer and hopefully you'll confirm that, (crossing fingers and hoping as a small smile starts to emerge)

    Though I've dealt with malware removal before (and some pretty heinous virii on another machine) I feel this latest was more like PhD in the higher education of computer problems ;)
     
  12. jukes

    jukes Private E-2

    (posted from desktop)

    Okay PhilliePhan, here's hoping these are clear... the hjt looks clear to me.

    and again, my eternal gratitude for your help! :)
     
  13. jukes

    jukes Private E-2

    I stayed online for a bit, and then went offline. Ran spybot, it's clear. Ran adaware and all it found were my notepad and wordpad entries, deleted them. However, I am a bit concerned that when I did Start/settings/add remove/ Microsoft IE 6.0 SP1 in order to repair IE, it hung up several times. (which it's never done before) In my ctrl alt del I noticed something I've not seen before. Something called Grpconv had several entries, and four of them were "not responding".
     
  14. PhilliePhan

    PhilliePhan Guest

    WOW! You've been busy!

    Give me some time to look at all this - I'll try to post back this evening when on different computer and more free time!

    Let me quickly address 2 of your previous questions:

    1 - Pocket KillBox WILL prompt you to reboot after entering an item to be replaced or deleted on reboot. Make sure you didn't just check "Standard File Kill." What version of Pocket KillBox do you have? Did you get it from the link I provided?

    2- We may not need LSP-Fix, but I wanted you to have it handy just in case.

    This infection is particularly difficult to remove from Win 98 / SE systems - Much easier with XP!! It may take a number of steps. Please do not do anything other than what I ask or it will just confuse me! Such as this:

    However, I am a bit concerned that when I did Start/settings/add remove/ Microsoft IE 6.0 SP1 in order to repair IE, it hung up several times.

    Why are you doing this now in the middle of the removal procedure?

    Please post me a fresh HJT Log and a fresh Find.bat Log and then do nothing until I check back tonight! This baddie MUTATES and is hard to pin down.


    ALSO: Note that I made a small error in previous instructions - Please TURN OFF SYSTEM RESTORE until we get you cleaned up! Please do this now.


    Looking at your last two logs, looks like some progress was made! There are still a few items that need to go . . . Attach the fresh logs I asked for and we'll knock those out!

    PP :)
     
    Last edited by a moderator: Feb 10, 2005
  15. jukes

    jukes Private E-2

    Even busier than I'd shared earlier. My AOL suddenly had a problem, and I'd see this screen name disappear on my laptop buddy list, yet on the desktop... I'd still be shown as connected. (til I'd try to post something and get a 'cant find the page' error)

    Reinstalled the AOL.

    Got one IE crash, and iExplore error message. Decided to reinstall IE 6.0 SP1.

    Had trouble trying to open the game www.runescape.com, and the graphics wound up all over my desktop rather than in the window. Uninstalled the sunjava, and correctly (their information) installed what wound up to be a new version of it.

    that's understandable, no problem. Gotta try to catch up on all that I ignored yesterday (to my kid, you need how many valentines tomorrow morning?) to the staff member where I assist members voluntarily (sorry I didn't get back sooner, malware problem) and to last night's dinner that I plum forgot to eat.

    Followed your directions exactly with the first set to replace on reboot and use dummy, and with the second set to delete on reboot, and didn't reboot until all the files had been entered. I checked with each paste that it was the correct setting. I downloaded Killbox from the link you posted and this was version 2.0.0.76 (not the most current?)

    cool, I was hoping that would be the answer.

    oops, and looking at my first paragraph... more oops. Serious mistakes on my part and I'm very sorry. I was elated with seeing none in the hjt log, and stupidly thought it was clear. I also didn't realize that WinME is considered still a Win98 or Win98SE system.

    I turned that off at the first sign of trouble when this first hit. It's been off since then. Even though it wasn't in the instructions, I did check to be sure it was off.

    I will do so as quick as I can, I truly hope paragraph 1 didn't mess things up worse (I'm soooo sorry) Other than those two logs when I get back from a quick store trip, I promise faithfully not to do a thing to this machine until you tell me to, to do all you instruct, in the order and until you say this machine is clear of this. I will also remember from now on to never let my ambition get ahead of guidance on a matter like this, and to wait for an "all clear" before any other updating.

    Back shortly with those
     
  16. jukes

    jukes Private E-2

    Here's the logs
     
  17. PhilliePhan

    PhilliePhan Guest

    Hi Jukes,

    Just a few more items to delete! I'll just copy&paste from old instructions.


    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    For this part of the instructions, be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.

    Here is Step 1:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM\DUTMSFT.DLL into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM\SSTUP4.DLL into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM\DXMSSHRN.DLL into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, do the same for the rest:

    C:\WINDOWS\SYSTEM\UIER32.DLL
    C:\WINDOWS\SYSTEM\MRANG.DLL


    Now, Copy and Paste C:\WINDOWS\SYSTEM\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    NOW, you will be entering more items into Pocket KillBox. However, this time just select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:


    C:\RECYCLER\Desktop.ini
    C:\WINDOWS\wsxsvc
    C:\WINDOWS\vmss


    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.

    Attach fresh logs and we'll see if it is all gone!

    I've got to go back to work, so don't know when I can check back.

    PP :)
     
  18. jukes

    jukes Private E-2

    I followed every instruction to a T.

    Again, it did not prompt me to reboot at any time.

    Here's hoping and thank you
     
  19. PhilliePhan

    PhilliePhan Guest

    These are proving problematic! Please boot to Safe Mode and feed these to Pocket KillBox and delete them using Standard File Kill:

    C:\WINDOWS\SYSTEM\wsxsvc
    C:\WINDOWS\SYSTEM\vmss
    C:\WINDOWS\SYSTEM\SSTUP4.DLL
    C:\WINDOWS\SYSTEM\DXMSSHRN.DLL


    Then Navigate to where they would be and make sure they are gone. If any remain, try KillBox again and use the Delete on Reboot option.

    Let me know how you fare.

    PP :)
     
  20. jukes

    jukes Private E-2

    They're gone.
     
  21. jukes

    jukes Private E-2

    They're still gone.
     
  22. PhilliePhan

    PhilliePhan Guest

    Then you should be OK now. Are things running well now or are there still some issues?

    Go ahead and attach two fresh logs just to be on the safe side!

    I noticed in one of your threads at CastleCops that all they did was remove the registry entry for O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\JUCRD.EXE to keep it from loading.

    You should look in Program Files for ISTsvc folder and remove it if it remains. C:\Program Files\ISTsvc

    Will check back when time permits.

    PP :)
     
  23. jukes

    jukes Private E-2

    Hi,

    No, I'm still getting IE pages popping up by themselves, (even when I am not using IE at all) and when I was here (on the desktop computer) before, reading your reply and instructions, I got some IE webpage that popped up with what it claimed was a spybot warning, and I must have clicked the wrong button on the permission function. I just noticed something in the hjt log that worries me which might be a result of this. (like I need more of that)

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

    Ever since that happened, when I am trying to answer in an AOL IM (which I send by hitting TAB and then ENTER), this no longer sends the message in the IM but maximizes a window out of my toolbar instead. Very frustrating. Also, while I was doing the Killbox, I noticed my cursor would show up elsewhere other than where I was in the process of double clicking. (example: while opening the document that I had the file names in, it would jump over to the EXIT button on the program)

    Just that things are no longer working the way they were prior to the incident on the 9th that brought me here posting for help.

    Gee, now all of a sudden, I can TAB ENTER again to send an IM message. This is truly frustrating.

    I just tried to sign on to www.runescape.com and it just won't work. The graphics go all over the place again, and clicking on the login button won't work. I click, but it doesn't bring up the next screen. Then a few minutes later, the log in box will appear in a completely inappropriate place, (such as just now, in the middle of this post I'm typing) yet I cannot type in it, nor get it to go away unless I use ctrl alt del, and close the runescape window, which sometimes zaps away all other IE windows in my toolbar. (I'm using AOL browser to post this message). I've not tried any of the pogo games yet, or much else on this computer because of what's still happening with those IE pages opening up by themselves.

    I've included the logs in the attachments.

    I did look and didn't find that. I may have removed it the other day before I posted here in my fevered panic to fix my machine.

    Also, there are a couple of things in this hjt log that I would love to just get rid of:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    Unless they're absolutely necessary.

    Thank you again and will check back frequently for any further instructions
     
  24. PhilliePhan

    PhilliePhan Guest

    I am not sure about the IE problem. Could be a number of things unrelated to Malware. This HJT line is OK - It is SpybotSD. You should enable the "Immunize" feature and set it to "Block all bad items Silently."
    I don't use AOL or do any Instant Messaging . . . I'm an old fart, I know - LOL! ;) So, not too familiar with those issues.
    Again, another issue that may be unrelated to malware or a product of your "fevered panic to fix my machine" - Though not from the few things we have removed lately.
    I'm not sure I can help here . . . May not be a malware problem and malware is my real area of expertise.
    These are all non-essential. You may remove them if you so desire.
    Happy to at least try to help :)

    You forgot to attach the logs - I'll look for them when I check back. May go out tonight, so might have to check back in the wee hours or Saturday evening.

    PP
     
  25. jukes

    jukes Private E-2

    my apologies. My child fell and smacked her head just after I posted my reply. I didn't notice that the logs didn't attach until just now, and I couldn't edit, so I'll try to attach them again, and hope this time it works.
     
  26. jukes

    jukes Private E-2

    I just did a RAV scan and it says:

    Scan started at 2/11/2005 5:36:39 PM

    Scanning memory...
    c:\WINDOWS\SSK_B5.EXE - TrojanDropper:Win32/Small.NF -> Infected
    c:\WINDOWS\SYSTEM\akupd.dll - TrojanDownloader:Win32/Agent.BR -> Infected
    c:\WINDOWS\SYSTEM\akrules.dll - TrojanDownloader:Win32/Agent.BT -> Infected
    c:\WINDOWS\SYSTEM\aklsp.dll - TrojanDownloader:Win32/Agent.BR -> Infected
    c:\My Documents\Spyware elimination\regmech21.exe->[inno.4] - Backdoor:Win32/Khazana.A -> Infected

    Scanned
    ============================
    Objects: 55771
    Directories: 3198
    Archives: 1578
    Size(Kb): -1688117
    Infected files: 5

    Found
    ============================
    Viruses found: 4
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 147
     
  27. PhilliePhan

    PhilliePhan Guest

    Both of your logs are clean.

    c:\WINDOWS\SYSTEM\akupd.dll
    c:\WINDOWS\SYSTEM\akrules.dll
    c:\WINDOWS\SYSTEM\aklsp.dll
    These are VX2 related and should be removed!
    Also, look in your Windows directory for a Folder named Bundles and remove it as well, if found.

    c:\WINDOWS\SSK_B5.EXE ---> Surf Sidekick needs to go as well

    I am not familiar with the last one off the top of my head.

    PP :)
     
  28. jukes

    jukes Private E-2

    So far, so good, and thank you very much PhilliePhan!
     
  29. PhilliePhan

    PhilliePhan Guest

    You're very welcome! :)
     