Malware in C-Windows-temp and maybe in the MBR. All common removal tools failed

[jowo]

I tried your ark.cmd and GMER started, but unfortuntely it hang up after about the same scanning time as it did earlier (when I started it directly...) only difference:
this time the bluescreen  said, that the system was shut down to prevent further damage "DRIVER_IRQL_NOT_LESS_OR_EQUAL"

so sorry no log...

Any clues ?

[Dr Jay]

Ouchie...

SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
• Click on the Log tab.
• In the Write to log box select the following items.
• Process << Selected
  
• Kernel Modules << Selected
  
• SSDT << Selected
  
• Kernel Hooks << Selected
  
• IRP Hooks << NOT Selected
  
• Ports << NOT Selected
  
• Hidden Files << Selected
  
• At the bottom of the page
• Hidden Objects Only << Selected
  
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.
• Select Scan Root Drive. Click on the Start button.
• When it is complete a new window will appear to indicate that the scan is finished.
• The log will be saved automatically in the same folder Sysprot.exe was

extracted to. Open the text file and copy/paste the log here.
[/list]

[jowo]

this scan went far better but supposely did not turn up any leads...

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: A589F000
Module End: A596D000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAssignProcessToJobObject
Address: B445F1CC
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwConnectPort
Address: 8AC19140
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThread
Address: B445F206
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwOpenProcess
Address: B445F51A
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwOpenThread
Address: B445F3F6
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwProtectVirtualMemory
Address: B445F292
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwSetContextThread
Address: B445F18E
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwTerminateProcess
Address: A5AE90B0
Driver Base: A5AE0000
Driver End: A5B05000
Driver Name: \??\C:\Programme\SUPERAntiSpyware\SASKUTIL.sys

Function Name: ZwTerminateThread
Address: B445F316
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

Function Name: ZwWriteVirtualMemory
Address: B445F34E
Driver Base: B445E000
Driver End: B4468000
Driver Name: \SystemRoot\System32\drivers\pxrts.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\WINDOWS\system32\drivers\mshcmd.sys.
Status: Hidden

----------------------------------------------------------------------------
In general the Pc runs quite okay; my "active desktop" background picture is deactivate after each boot up....

What would be next ? Thanks again for your patience...
 

[Dr Jay]

Enable the viewing of Hidden files

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Select the Show hidden files and folders option.
• Deselect the Hide file extensions for known types option.
• Deselect the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

=====

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

Code: [Select]

:filefind
mshcmd.sys
atapi.sys


• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

[jowo]

I'm using those settings anyway ; I hate when Windows hides stuff, especially the option "hide extension of known file types" makes no sense and is dangerous...


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:55 on 06/02/2010 by Wolz (Administrator - Elevation successful)

========== filefind ==========

Searching for "mshcmd.sys"
No files found.

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys   --a--- 96512 bytes   [23:59 30/01/2010]   [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys   ------ 96512 bytes   [00:10 14/04/2008]   [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

[Dr Jay]

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

[jowo]

Malwarebytes scan with newest version:
(I guess it  only keeps finding that my XP-firewall and update is down (on purpose):

Malwarebytes' Anti-Malware 1.44
Database version: 3699
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

06.02.2010 23:08:23
mbam-log-2010-02-06 (23-08-00)_quick.txt

Scan type: Quick Scan
Objects scanned: 130755
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Dr Jay]

Please copy and paste the following in to Notepad:

Code: [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Security Center"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,69,00,6e,00,\
  6d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="LocalSystem"
"Description"="Monitors system security settings and configurations."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,\
  00,54,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\LEGACY_WSCSVC

[jowo]

okay, copy & paste into notepad, then save it as *.reg and execute it , right ? since it looks like a regestry hack I jsut want to make sure b4 i mess up soemthing...
thanks.

[Dr Jay]

It rendered incorrectly.

Please copy and paste the following in to Notepad:

Code: [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Security Center"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,69,00,6e,00,\
  6d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="LocalSystem"
"Description"="Monitors system security settings and configurations."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,\
  00,54,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Description"="Provides the endpoint mapper and other miscellaneous RPC services."
"DisplayName"="Remote Procedure Call (RPC)"
"ErrorControl"=dword:00000001
"Group"="COM Infrastructure"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,20,00,2d,00,6b,00,20,00,72,00,70,00,\
  63,00,73,00,73,00,00,00
"ObjectName"="NT Authority\\NetworkService"
"Start"=dword:00000002
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
  00,02,00,00,00,60,ea,00,00
"DependOnService"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,\
  68,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  72,00,70,00,63,00,73,00,73,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security]
"Security"=hex:01,00,14,80,a8,00,00,00,b4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,78,00,05,00,00,00,00,00,14,00,8d,00,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,18,00,8d,00,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,\
  02,00,00,00,00,14,00,9d,00,00,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,\
  18,00,9d,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Enum]
"0"="Root\\LEGACY_RPCSS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Description"="Provides the endpoint mapper and other miscellaneous RPC services."
"DisplayName"="Remote Procedure Call (RPC)"
"ErrorControl"=dword:00000001
"Group"="COM Infrastructure"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,20,00,2d,00,6b,00,20,00,72,00,70,00,\
  63,00,73,00,73,00,00,00
"ObjectName"="NT Authority\\NetworkService"
"Start"=dword:00000002
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
  00,02,00,00,00,60,ea,00,00
"DependOnService"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,\
  68,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  72,00,70,00,63,00,73,00,73,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security]
"Security"=hex:01,00,14,80,a8,00,00,00,b4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,78,00,05,00,00,00,00,00,14,00,8d,00,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,18,00,8d,00,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,\
  02,00,00,00,00,14,00,9d,00,00,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,\
  18,00,9d,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Enum]
"0"="Root\\LEGACY_RPCSS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Then, click File > Save as
Save it as fixSec.reg
Choose Save as type: All Files.
Click Save.

Once saved, double-click on the file and merge it in to the Registry.

Reboot your computer.


Let me know if this has helped.

[jowo]

okay, i merged it to the regestry and did a reboot- change: my desktop background was not deactivated this time,
but: I CANNOT access the internet anymore....

Superantispy discovered 2 threads with have been cleared before (or were just not visible....
Malwareantibytes  found nothing.
The files in the WINDOWS/TEMP folder are still there and now have grown in size and number...
My computer seems to be in worse conditions than before...

Since I cannot connect to my wireless router /network storage and do not dare to hook a data stick directly into the infected PC, I did not post the last logs.
but Antispy found : serauth1.dll and serauth2.dll in the system32 folder.

Can you please explain shorty what we are trying to do right now.

Thanks again for your help...


 

[jowo]

I just found out  that that my wirelss router just needed a reboot; so luckily I do have internet connection , it was not affected by the registry-change. Any news from your side ?

[Dr Jay]

Malwareantibytes  found nothing

Good. That was what the Registry tweaking was for.

======

If you want to check again about serauth1.dll and the other one, then please do the following:

Jotti File Submission:

• Please go to Jotti's malware scan
  
  
• Copy and paste the following file path into  the  "File to upload & scan"box on the top of the page:
  
  
  • C:\WINDOWS\SYSTEM32\serauth1.dll
• Click on the submit button
• Please post the results (URL) in your next reply.

Note: make sure to re-scan them. I do not want a past result.

[jowo]

status says: 0 of 20 scanners were able to find malware
when I klicked on the URL nothing new came up... maybe I'm doing soemthing wrong...

or maybe you are just looking for this:
http://virusscan.jotti.org/de/scanresult/0c5c39497b8ceca49186d2fa56e00214b49e8f63

but anyways, I just copy and paste the result from the current window in here; it comes up in German and I don't know how to change that...

Dateiname:  serauth1.dll 
Status:  Scan abgeschlossen. 0 von 20 Scannern haben Malware gemeldet.

smae for serauth2.dll 
http://virusscan.jotti.org/de/scanresult/f3ea8e3011bd7d032c5b506b560c12e5b35dd8ff



Untersucht am:   Mo 8 Feb 2010 07:31:23 (CET) Ergebnis-Link

Dateigröße:  1024 Bytes 
Dateityp:  ASCII text, with very long lines, with no line terminators 
MD5:  6c357e764b050783191d443ad4e592a4 
SHA1:  f1f37905fb21851d22abde3704a90e58ba13194 1 



2010-02-07 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-07 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-07 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-07 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-08 Nichts gefunden
  2010-02-08 Nichts gefunden   2010-02-04 Nichts gefunden
  2010-02-07 Nichts gefunden   2010-02-07 Nichts gefunden



 

[Dr Jay]

Ok. Those are false positives then, which is no big deal.

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.