Removing Troj.Metajuan.A

Topic:Removing Troj.Metajuan.A

Remainpoint:0

Jerry

PostTime:12/16/2008 11:29:53 AM

Top

Level:

Professional point:

Experience:

Thread:

136

Post:

473

Total online time:

Joined date:

4/19/2007 8:49:00 AM

Last Visit:

4/20/2007 2:38:59 AM

Status:

	Try our remote PC help service to fix your PC instantly(Only cost $19.95)
	Register to make Ads free

Hi all, this is my first post here!

Anyway the thing is, I've gotten the Metajuan trojan. I've managed to remove everything that i got with it except a stubborn file that can't be deleted in my system32 directory that keeps opening pop-ups with stupid ads everytime I use IE. The file is called __c00CD0A.dat and I can't remove it, even in Safe Mode it tells me that another program is using it.

Programs I've tried so far in my attempt to remove it:
HijackThis
AdAware
SuperAntiSpyware
Trend Micro's PC-Cillin 2007
Trend Micro's House Call
SmitFraudFix(which fixed my problem with iesmn.exe, which I also got)

Also I've disabled System Restore. I'll post my HijackThis Log even though I think it's unnecessary since I've removed all that I didn't need myself.

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 08:51:41, on 09-09-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Lycan\LOCALS~1\Temp\Rar$EX00.406\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00CD0A.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Thanks in advance to anyone willing to use their time to try to help me

RAECH

PostTime:12/16/2008 2:18:43 PM

Point:0

# 1

Level:

Professional point:

Experience:

27341

Thread:

272

Post:

945

Total online time:

27341M

Joined date:

4/24/2007 9:26:00 AM

Last Visit:

4/13/2009 10:45:15 PM

Status:

Ok I've done what you've asked me to do here are my logs from SUPERAntiSpyware and HijackThis:

SUPERAntiSpyware Pro:

Quote:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/24/2007 at 10:15 AM

Application Version : 3.9.1008

Core Rules Database Version : 3311
Trace Rules Database Version: 1315

Scan type : Complete Scan
Total Scan Time : 01:24:15

Memory items scanned : 467
Memory threats detected : 0
Registry items scanned : 6427
Registry threats detected : 0
File items scanned : 92380
File threats detected : 48

Adware.Tracking Cookie
C:\Documents and Settings\Lycan\Cookies\lycan@cpvfeed[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@doubleclick[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@yadro[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@sexy****games[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@smileycentral[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@advertising[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@stats1.reliablestats[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@msnportal.112.2o7[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@ads.adbrite[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@ads1.partnerlogic[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@ehg-ads.hitbox[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@statse.webtrendslive[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@login.tracking101[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@mediaplex[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@ads.addynamix[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@questionmarket[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@stats.drivecleaner[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@ad[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@list[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@adtech[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@server.iad.liveperson[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@pacificpoker[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@cgi-bin[4].txt
C:\Documents and Settings\Lycan\Cookies\lycan@bs.serving-sys[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@hitbox[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@888[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@cgi-bin[3].txt
C:\Documents and Settings\Lycan\Cookies\lycan@serving-sys[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@ehg-pcsecurityshield.hitbox[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@www.drivecleaner[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@adbrite[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@media.adrevolver[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@drivecleaner[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@azjmp[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@2o7[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@ad.zanox[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@atdmt[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@ad.yieldmanager[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@track.adform[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@rotator.adjuggler[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@cassava[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@dk.drivecleaner[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@fastclick[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@zedo[1].txt
C:\Documents and Settings\Lycan\Cookies\lycan@partypoker[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@specificclick[2].txt
C:\Documents and Settings\Lycan\Cookies\lycan@new-pcp[1].txt

Trace.Known Threat Sources
C:\Documents and Settings\Lycan\Local Settings\Temporary Internet Files\Content.IE5\PKOC2IBW\solution[1].gif

HijackThis:

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 08:53:54, on 25-09-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00CD0A.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


Stefan_K	PostTime:12/16/2008 5:19:48 PM	Point:0 \| # 2
Level: 1 Professional point: 91 Experience: 26 Thread: 283 Post: 971 Total online time: 26M Joined date: 4/28/2007 10:46:00 PM Last Visit: 12/17/2008 12:14:45 AM Status:	Download the Trial version of Superantispyware Pro (SAS): http://www.superantispyware.com/supe....html?rid=3132 Install it and double-click the icon on your desktop to run it. It will ask if you want to update the program definitions, click Yes. Under Configuration and Preferences, click the Preferences button. Click the Scanning Control tab. Under Scanner Options make sure the following are checked: o Close browsers before scanning o Scan for tracking cookies o Terminate memory threats before quarantining. o Please leave the others unchecked. o Click the Close button to leave the control center screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive. On the right, under Complete Scan, choose Perform Complete Scan. Click Next to start the scan. Please be patient while it scans your computer. After the scan is complete a summary box will appear. Click OK. Make sure everything in the white box has a check next to it, then click Next. It will quarantine what it found and if it asks if you want to reboot, click Yes. To retrieve the removal information for me please do the following: o After reboot, double-click the SUPERAntispyware icon on your desktop. o Click Preferences. Click the Statistics/Logs tab. o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. o It will open in your default text editor (such as Notepad/Wordpad). o Please highlight everything in the notepad, then right-click and choose copy. Click close and close again to exit the program. Please paste that information here for me with a new Hijack This log.

William

PostTime:12/16/2008 6:15:17 PM

Point:0

# 3

Level:

Professional point:

Experience:

Thread:

115

Post:

438

Total online time:

31M

Joined date:

4/19/2007 8:50:00 AM

Last Visit:

4/20/2007 11:37:29 PM

Status:

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:

Files to delete:
C:\WINDOWS\system32\__c00CD0A.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00CD0A.dat

Reboot and post another Hijack This log please.

Sorry, you are not login, click here to login