Review all instructions below before proceeding.


Run the following tool in SAFE MODE after downloading (save to desktop or print out these instructions):

Please download ATF Cleaner http://www.atribune.org/ccount/click.php?id=1 by Atribune.
This program is for XP and Windows 2000 only

It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).

• Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  Click the Empty Selected button.
  NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Many low risk cookies have been found - in Ewido they were deleted for you; in Panda you must manually delete them yourself or pay for their low cost subscription service.


You appear to have acquired song lyric links with inbedded downloader scripting code.




1) Please download the Killbox.
Unzip it to the desktop and run it.

2) Select "Delete on Reboot".
3) Then Click the "All Files" button.

4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Recycled\Q330995.exe
H:\RISHI2\Vallabh hard dsk\LyriCS\whigfield\Lyrics WHIGFIELD - SEXY EYES Song Lyrics_files\CA01TMN6.htm
H:\RISHI2\Vallabh hard dsk\LyriCS\whigfield\Lyrics WHIGFIELD - SATURDAY NIGHT Song Lyrics_files\CALD7SMN.htm
H:\RISHI2\Vallabh hard dsk\LyriCS\goo goo dolls\Lyrics GOO GOO DOLLS - IRIS Song Lyrics_files\CAEB8P2J.htm
C:\WINDOWS\HELP\CHMRedir.chm
C:\WINDOWS\switchagreement.txt
C:\PROGRAM FILES\COMMON FILES\Totem Shared

5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" to reboot next




BOOT INTO SAFE MODE:

HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here



SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).

Run ATF cleaner

Find and delete all FOLDER occurances of:
CONTENT.IE5

(for infected content located at:
H:\Documents and Settings\Internet\Local Settings\Temporary Internet Files\Content.IE5)




POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

Feedback: Ad-aware successfully updated
spybot hasnt updated. maybe they dont have an update.

anyway... u rock, man!!
how do you interpret the hijack this thingy? i'll study this in detail.

heres the latest hijack this log.

i have instructed my mom to install AVG later...

thanks!!

*** log

Logfile of HijackThis v1.99.1
Scan saved at 12:06:46 AM, on 4/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\QUICKH~1\EmlProxy.exe
C:\PROGRA~1\QUICKH~1\UPSCHD.EXE
C:\PROGRA~1\QUICKH~1\SCANMSG.EXE
C:\PROGRA~1\QUICKH~1\OnlineNT.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\CDisplay\CDISPLAY.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - {120B8547-2746-BD5C-4AE1-F6D84BE232B1} - Dest068.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\EmlProxy.exe
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\QUICKH~1\SCANMSG.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\RunOnce: [Startup Scan] C:\PROGRA~1\QUICKH~1\Sensor.EXE /check
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4519/mcfscan.cab
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABD13C3D-26F4-4B69-899A-8E5910AC0761}: NameServer = 218.248.255.145 61.1.96.71
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\System32\netddeclnt.exe (file missing)
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: mxkkijbruhkl (oyilofik6) - Unknown owner - C:\WINDOWS\System32\wmyrosah6.exe (file missing)
O23 - Service: Quick Heal Helper Service WSC (qhwscsvc) - Unknown owner - C:\PROGRA~1\QUICKH~1\QHWSCSVC.EXE (file missing)
O23 - Service: Quick Heal Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\QHONSVC.EXE (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe