24 replies to this topic

[Piatan]

Hi sawjai;

Close, but no cigar yet. I had to leave some, because the instructions for all the fixes were conflicting.
Just too much malware to deal with all at one time. The first fix had to be done before all others, or it would have just kept adding more Malware and it does not seem to be removed yet.

Please print these instructions, or copy and paste this text into a Notepad file and place it on your desktop, to review as you work.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy and save the contents of that log, to be posted into this thread later.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.

Next:
Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning.
  It should look like this
  

  VundoFix V2.15 by Atri
  By using VundoFix you agree that you are doing so at your own risk
  Press enter to continue....
  
  

• At this point press enter one time.
• Next you will see:
  

  Please Type in the filepath as instructed by the forum staff
  and then press enter:

• At this point please type the following file path (make sure to enter it exactly as below!):[list]C:\WINDOWS\system32\pmkjk.dll

[*]Press Enter to continue with the fix.
[*] Next you will see:

Please type in the second filepath as instructed by the forum
staff then press enter:

[*]At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\kjkmp*
[*]Press Enter to continue with the fix.
[*]The fix will run then HijackThis will open, if it does not open automatically please open it manually.

In HiJackThis, please place a check next to the following items.

R3 - URLSearchHook: (no name) - {1C1D4303-D896-D63E-990D-AE98BD10F5CA} - C:\WINDOWS\system32\kdpi.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {1C1D4303-D896-D63E-990D-AE98BD10F5CA} - C:\WINDOWS\system32\kdpi.dll (file missing)
O2 - BHO: ADOUsefulNet Object - {7CB093AC-11DF-46D5-9343-CE4BD90C159C} - C:\WINDOWS\system32\pmkjk.dll
O4 - HKCU\..\Run: [Lapt] "C:\DOCUME~1\Chris\APPLIC~1\STEM32~1\mshta.exe" -vt ndrv
O4 - HKCU\..\Run: [Vqnarmb] C:\WINDOWS\?dobe\n?pdb.exe
O20 - Winlogon Notify: pmkjk - C:\WINDOWS\system32\pmkjk.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\l28mlcl11fq.dll (file missing)
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} -
C:\WINDOWS\system32\dcom_14.dll

The following are recommended fixes:
Please note: This is a Program, so must also be uninstalled in Control Panel--Add/Remove Programs. Note: the Program is AWS.
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Click on Fix Checked when finished.

[*]After you have fixed these items, close Hijackthis.
[*]Press enter to exit the program then manually reboot your computer.
[*]Once your machine reboots please continue with the instructions below.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders shown DARK and delete them, if still there:
C:\WINDOWS\?dobe\n?pdb.exe

C:\DOCUME~1\Chris\APPLIC~1\STEM32~1\mshta.exe

C:\WINDOWS\system32\l28mlcl11fq.dll
C:\WINDOWS\system32\kdpi.dll
C:\WINDOWS\system32\pmkjk.dll
C:\WINDOWS\system32\dcom_14.dll

winjjq32 - winjjq32.dll

Note: The following is an OPTIONAL removal.
C:\Program Files\AWS\WeatherBug\Weather.exe

Then, please reboot into Normal Mode.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log, the vundofix.txt file from the vundofix folder and the L2Mfix log, into this topic.

Please use the Add Reply feature to reply, so I will be notified.

[sawjai]

Active Scan Results:

Incident Status Location

Spyware:Cookie/go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\cookies.txt[]
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Chris\Application Data\Sskcwrd.dll
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Chris\Application Data\??stem32\mshta.exe
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Chris\Cookies\chris@888[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Chris\Cookies\chris@adopt.hbmediapro[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Chris\Cookies\chris@c5.zedo[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Chris\Cookies\chris@cassava[1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Chris\Cookies\chris@targetsaver[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Chris\Cookies\chris@winfixer[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Chris\Cookies\chris@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris\Desktop\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris\Desktop\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\Cache\3EFBEAA3d01[Process.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Chris\Local Settings\Temp\!update.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\8XMZC5QZ\!update-3595[1].0000
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\myiadmin\Application Data\Mozilla\Firefox\Profiles\uoaz42lb.default\cookies.txt[]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@adrevolver[3].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@atdmt[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@belnk[1].txt
Spyware:Cookie/Date Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@date[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@doubleclick[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@maxserving[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@perf.overture[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@realmedia[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@stats1.reliablestats[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@trafficmp[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@winfixer[2].txt
Spyware:Cookie/Maxifiles Not disinfected C:\Documents and Settings\myiadmin\Cookies\myiadmin@www.maxifiles[1].txt
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Documents and Settings\myiadmin\Local Settings\Application Data\Mozilla\Firefox\Profiles\uoaz42lb.default\Cache\3D103E1Ed01
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@adopt.hbmediapro[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@ask[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@azjmp[2].txt
Adware:Adware/DollarRevenue Not disinfected C:\gimmygames9.exe
Adware:Adware/Maxifiles Not disinfected C:\mc-110-12-0000228.exe
Adware:Adware/PurityScan Not disinfected C:\RECYCLER\S-1-5-21-329068152-527237240-682003330-1004\Dc4.exe
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\drsmartload2.dat
Adware:adware/troyanov Not disinfected C:\WINDOWS\system32\dcom_14.dll
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Adware:adware/webhancer Not disinfected C:\WINDOWS\whCC-GIANT.exe

Logfile of HijackThis v1.99.1
Scan saved at 10:55:02 PM, on 2/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\?dobe\n?pdb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Chris\APPLIC~1\STEM32~1\mshta.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Chris\My Documents\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {1C1D4303-D896-D63E-990D-AE98BD10F5CA} - C:\WINDOWS\system32\kdpi.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {1C1D4303-D896-D63E-990D-AE98BD10F5CA} - C:\WINDOWS\system32\kdpi.dll (file missing)
O2 - BHO: ADOUsefulNet Object - {7CB093AC-11DF-46D5-9343-CE4BD90C159C} - C:\WINDOWS\system32\pmkjk.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Lapt] "C:\DOCUME~1\Chris\APPLIC~1\STEM32~1\mshta.exe" -vt ndrv
O4 - HKCU\..\Run: [Vqnarmb] C:\WINDOWS\?dobe\n?pdb.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkjk - C:\WINDOWS\system32\pmkjk.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\l28mlcl11fq.dll (file missing)
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe


VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\pmkjk.dll

The second filepath entered was C:\WINDOWS\system32\kjkmp*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 144 'smss.exe'

Killing PID 904 'explorer.exe'
Killing PID 904 'explorer.exe'
Killing PID 904 'explorer.exe'


Killing PID 216 'winlogon.exe'
Killing PID 216 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\pmkjk.dll Deleted sucessfully.
C:\WINDOWS\system32\kjkmp* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 432 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 504 'winlogon.exe'
Killing PID 504 'winlogon.exe'
Killing PID 504 'winlogon.exe'
Killing PID 504 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'
Killing PID 1400 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmkjk]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\pmkjk.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l28mlcl11fq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjjq32]
"Asynchronous"=dword:00000001
"DllName"="winjjq32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/05DBA331-9A00-4969-8057-D94F1F48D407.reg (212 bytes security) (deflated 70%)
adding: backregs/240246AE-70EB-4CE3-86EC-25300A8A5009.reg (212 bytes security) (deflated 70%)
adding: backregs/CC7AAB97-852A-460D-94BE-DF24897EBE4C.reg (212 bytes security) (deflated 70%)
adding: backregs/EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)



I followed your directions but as for deleting files and folders, I couldn't delete C:\WINDOWS\system32\dcom_14.dll because it said "Cannot delete dcom_14.dll: Access is denied.
Make sure the disk is not full or write protected and that the file is not currently in use." I was able to delete C:\DOCUME~1\Chris\APPLIC~1\STEM32~1\mshta.exe and the rest was not found. I'm not sure what you meant by "winjjq32 - winjjq32.dll" though.

[Piatan]

Hi sawjai;

Please copy and paste this text into a Notepad file and place it on your desktop, to review as you work.

Please give special attention to the instructions in RED.

Please set your system to show all files; please see here if you're unsure how to do this.

Close all Windows and browsers, leaving only HijackThis running.

Place a check against each of the following.

R3 - URLSearchHook: (no name) - {1C1D4303-D896-D63E-990D-AE98BD10F5CA} - C:\WINDOWS\system32\kdpi.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {1C1D4303-D896-D63E-990D-AE98BD10F5CA} - C:\WINDOWS\system32\kdpi.dll (file missing)
O2 - BHO: ADOUsefulNet Object - {7CB093AC-11DF-46D5-9343-CE4BD90C159C} - C:\WINDOWS\system32\pmkjk.dll (file missing)
O4 - HKCU\..\Run: [Vqnarmb] C:\WINDOWS\?dobe\n?pdb.exe
O20 - Winlogon Notify: pmkjk - C:\WINDOWS\system32\pmkjk.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\l28mlcl11fq.dll (file missing)
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll

Click on Fix Checked when finished.

Reboot into Safe Mode. see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders shown DARK and delete them, if they are still there:

C:\WINDOWS\?dobe\n?pdb.exe

C:\WINDOWS\system32\kdpi.dll
C:\WINDOWS\system32\pmkjk.dll
C:\WINDOWS\system32\l28mlcl11fq.dll
C:\WINDOWS\system32\dcom_14.dll

While remaining in Safe Mode do an All Files search for the following and delete it.
winjjq32
If you were unable to find, or delete any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.

Boot into SAFE MODE:
To restart in Safe Mode:
Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
Next:
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

(When finished, remember to return and place a check on "Hide protected operating system files" Click Apply and then OK.)

Then, in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\(EVERY Listed USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Also delete "COOKIES". Click Apply then OK.

Then reboot into NORMAL MODE.

Then, enable hidden files and post a fresh Hijack This log in this topic.

Please use the Add Reply feature to reply, so I will be notified.

Note: Please do not edit the new HJT log. We need to see the entire log, without revisions.

[sawjai]

Logfile of HijackThis v1.99.1
Scan saved at 4:21:03 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\Chris\APPLIC~1\STEM32~1\mshta.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Chris\My Documents\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Lapt] "C:\DOCUME~1\Chris\APPLIC~1\STEM32~1\mshta.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe


I did a search for "winjjq32" but found nothing. As for PocketKillbox, I followed your directions but when it was time for the reboot an error message popped up saying "PendingFileRenameOperations Registry Data has been Removed by External Process!" I don't know what that means but I manually rebooted.

[Piatan]

Hi sawjai;

Good work!!! It looks like there is only one remaining, which we have not been able to remove.

Please set your system to show all files; please see here if you're unsure how to do this.

Close all Windows and browsers, leaving only HijackThis running.

Place a check against each of the following.

O4 - HKCU\..\Run: [Lapt] "C:\DOCUME~1\Chris\APPLIC~1\STEM32~1\mshta.exe" -vt ndrv
Click on Fix Checked when finished.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders shown DARK and delete them:
C:\DOCUME~1\Chris\APPLIC~1\STEM32~1\mshta.exe

If you have any problem deleting the file above,remain in SAFE MODE,
Right click on the file and select properties.
Use the security tab to take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.
Example:
sqlneee.dll>bleh.txt
bleh.txt > badfile.111

You may also want to make sure that "read only" attributes is not checked, if you haven't already.
Once you have successfully deleted the file restart into Regular Windows mode.


Reboot , enable hidden files and post a fresh Hijack This log in this topic.

Please use the Add Reply feature to reply, so I will be notified.

[sawjai]

Logfile of HijackThis v1.99.1
Scan saved at 5:39:20 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\My Documents\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe


how do i look?

[Piatan]

Hi sawjai;
I'm sure you look quite dapper in your spats...Oh! You meant your HJT log.

Congratulations, your Hijack This logfile is clean. Wasn't that fun ?


Now, lets get some additional protection on that machine.

One of the best features of Windows XP is the System Restore option, however if Malware infects a computer with this operating system the Malware can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  
  Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywar...showtopic=11150
  -reboot after using Ad-Aware SE. Also while there get the VX2 plugin and follow the instructions to run it also.
  
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
http://castlecops.co...tlite7736-.html
So how did I get infected in the first place?

Safe surfing.

[sawjai]

Thank you so much. You've been a tremendous help.

[Piatan]

You're welcome. Glad to be of assistance.

[Piatan]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php