March 8th, 2007 03:00

Please download Qoofix 1.03

Unzip to the following location:
C:\Qoofix (Use your local hard drive letter if it is different).
Navigate to the folder you unzipped the files to and double click on the file named Qoofix.exe.
Finally, select Begin Removal and the removal process will commence.
A reboot may be necessary if an infection is found.

Please download KILLBOX and extract it to your desktop.

Open killbox.exe. First click on Tools-->Delete Temp Files. A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recently run files, you may check those boxes as well. Next, click on the button titled "Delete Selected Temp Files".
Exit by clicking the Button titled "Exit(Save Settings)".

Once back into the main killbox program, check the box Delete on Reboot.

Highlight the entries in Bold text below and then copy them.

C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system\svchost32.exe


Then in killbox click File-->Paste from Clipboard. Click the "All Files" button. Then click the Red X, and for the confirmation message that will appear, you will need to click Yes.

A second message will ask "Reboot now?"; you will need to click No for now.
Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X, and for the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?"; you will need to click No until you've completed the instructions below.

Please run HijackThis again and check the following:
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: C:\WINDOWS\system\svchost.exe
O4 - HKLM\..\Run: C:\WINDOWS\system\svchost32.exe

The "O6" entry below is typical when the user has employed the use of Spybot Search and Destroy's administrative lockdown feature. If you know with certainty that you DO NOT use this feature, then check this one too:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Are you using the server in New Delhi India? If not, please put a check next to these "O17" entries too:
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BBAD990-6C34-4927-B1D9-CC73A187D9F2}: NameServer = 202.56.250.5,202.56.230.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BBAD990-6C34-4927-B1D9-CC73A187D9F2}: NameServer = 202.56.250.5,202.56.230.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BBAD990-6C34-4927-B1D9-CC73A187D9F2}: NameServer = 202.56.250.5,202.56.230.5


Reboot and post a fresh HijackThis log. Thanks!
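The reasoning in the post above (a core process name such as svchost.exe or lsass.exe loaded from C:\WINDOWS\system instead of system32, an extra executable chained onto UserInit, a DisableRegedit policy, and DNS servers the user does not recognise) can be applied mechanically to a HijackThis log. The script below is an added example written for this page, not the poster's or HijackThis's own code. The sample log is constructed from the entries quoted in the post plus one benign O4 line (ctfmon.exe in system32) that is assumed for contrast; the trusted-nameserver list is something the reader supplies, since the post leaves that to the user.

```python
import re
from typing import List, Set, Tuple

# Core Windows process names that malware commonly impersonates. A file with
# one of these names (or a look-alike such as svchost32.exe) that is loaded
# from anywhere other than %SystemRoot%\system32 is suspect.
CORE_PROCESS_RE = re.compile(r"^(svchost|lsass|csrss|winlogon|smss|services)\w*\.exe$", re.I)
SYSTEM32 = r"c:\windows\system32"

# Constructed sample log: the entries quoted in the post plus one assumed
# benign O4 line (ctfmon.exe in system32) so the triage has something to clear.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: C:\WINDOWS\system\svchost.exe
O4 - HKLM\..\Run: C:\WINDOWS\system\svchost32.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BBAD990-6C34-4927-B1D9-CC73A187D9F2}: NameServer = 202.56.250.5,202.56.230.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BBAD990-6C34-4927-B1D9-CC73A187D9F2}: NameServer = 202.56.250.5,202.56.230.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BBAD990-6C34-4927-B1D9-CC73A187D9F2}: NameServer = 202.56.250.5,202.56.230.5
"""

Finding = Tuple[str, str]  # (HijackThis section code, explanation)


def _split_path(path: str) -> Tuple[str, str]:
    """Return (lowercased directory, lowercased basename) of a Windows path."""
    path = path.strip().strip('"').lower()
    directory, _, base = path.rpartition("\\")
    return directory, base


def check_f2(value: str) -> List[Finding]:
    """UserInit should list only userinit.exe; anything chained after it runs at logon."""
    _, _, rhs = value.partition("UserInit=")
    out: List[Finding] = []
    for entry in (e.strip() for e in rhs.split(",")):
        if not entry:
            continue
        directory, base = _split_path(entry)
        if base != "userinit.exe" or directory not in ("", SYSTEM32):
            out.append(("F2", f"UserInit chains an extra executable: {entry}"))
    return out


def check_o4(value: str) -> List[Finding]:
    """Run-key entry: flag core process names loaded from outside system32."""
    _, _, target = value.partition(": ")
    target = re.sub(r"^\[[^\]]*\]\s*", "", target)  # drop an optional "[name] " prefix
    directory, base = _split_path(target)
    if CORE_PROCESS_RE.match(base) and directory != SYSTEM32:
        return [("O4", f"system-process name outside system32: {target.strip()}")]
    return []


def check_o7(value: str) -> List[Finding]:
    """Policy that disables regedit; the post treats it as something to remove."""
    if re.search(r"DisableRegedit\s*=\s*1", value, re.I):
        return [("O7", "DisableRegedit=1 policy present")]
    return []


def check_o17(value: str, trusted: Set[str]) -> List[Finding]:
    """Per-interface DNS servers; flag any resolver not on the user's known list."""
    _, _, servers = value.partition("NameServer =")
    unknown = [s.strip() for s in servers.split(",") if s.strip() and s.strip() not in trusted]
    if unknown:
        return [("O17", "unrecognised NameServer(s): " + ", ".join(unknown))]
    return []


def triage(log: str, trusted_nameservers: Set[str]) -> List[Finding]:
    """Walk a HijackThis log and collect the entries the post's reasoning would fix."""
    findings: List[Finding] = []
    for line in log.splitlines():
        code, sep, value = line.partition(" - ")
        if not sep:
            continue
        if code == "F2":
            findings += check_f2(value)
        elif code == "O4":
            findings += check_o4(value)
        elif code == "O6":
            # Expected when Spybot S&D's lockdown is in use, so report rather than flag.
            findings.append(("O6", "IE Control Panel policy present: confirm whether Spybot lockdown is in use"))
        elif code == "O7":
            findings += check_o7(value)
        elif code == "O17":
            findings += check_o17(value, trusted_nameservers)
    return findings


if __name__ == "__main__":
    for code, why in triage(SAMPLE_LOG, trusted_nameservers=set()):
        print(f"{code}: {why}")
```

Run it with an empty trusted set and every O17 line is reported; pass the ISP's real resolvers in `trusted_nameservers` and only unexpected DNS servers remain, which mirrors the post's "are you using the server in New Delhi?" question. The O4 check deliberately keys on the directory rather than the file name alone, because a genuine svchost.exe in system32 is normal while the same name under C:\WINDOWS\system is not.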