Before Posting a Hijack This Log


  • This topic is locked
17 replies to this topic

#1 dpappa

dpappa

    New Member

  • New Member
  • Pip
  • 9 posts
  • Interests:Boats

Posted 25 February 2007 - 05:50 PM

I'm very new to all of this, even Forums. I find the directions here confusing. I wish to know where (exactly) to post my Hijack this log, and how to. But I see conflicting directions. I am not even sure where to read an answer to this post. Can someone please advise? Thank you. dpappa



#2 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 26 February 2007 - 08:54 AM

Download a copy of HJTsetup.exe from Here and save it to your Desktop.
Double click HJTsetup.exe to begin installation.
*By default it will install to C:\Program Files\HijackThis.
*Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
*Put a check by Create a desktop icon then click Next again.
*Continue to follow the prompts from there.
*When HJT opens, click on the Do a system scan and save a log file button.
*When HJT has finished scanning, a window entitled "hijackthis.log" will open - when you close this window the log will be saved into the hijackthis folder.
Copy and paste this log into your reply by using the Add Reply button on the lower right hand side of the screen. Note: After you click Add Reply, post the entire contents of the HJT log into the text box. Then scroll down and click Add Reply. You can preview what your post will look like by clicking the Preview Post button first. If you're happy with the way it looks then click Add Reply.

Regards,
Dave
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#3 IndiGenus


Posted 01 March 2007 - 10:43 AM

Hi Dennis,

Here are the instructions for downloading and running AVG.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Run AVG Anti-Spyware and update the definition files.
On the main screen select the icon Update then select the Start Update Button. The progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
In the Settings screen click on Recommended actions and then select Quarantine.
Under Reports:
*Select Automatically generate report after every scan
*Un-Select Only if threats were found
Close AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and tapping the F8 key just before the loading Windows screen appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
AVG will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
*If you have any infections you will be prompted, then select Apply all actions
*Next select the Reports icon at the top.
*Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan along with a new HijackThis log.



#4 dpappa


Posted 01 March 2007 - 07:12 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:34:49 PM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\WordWeb\wweb32.exe
C:\HIJACKTHIS 1\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.world2search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Worldnet Service
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Add Feed to Tristana Reader - res://C:\Program Files\Tristana Reader\Reader.exe/AddContent.js
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I think that "020 Winlogon Notify" is a large part of the problem.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:11:08 PM 3/1/2007

+ Scan result:



C:\System Volume Information\_restore{33944CCD-5B8B-4781-8E9C-3CA5ACCF8CAD}\RP2\A0001741.exe -> Adware.eNSHandle : Cleaned.
C:\System Volume Information\_restore{33944CCD-5B8B-4781-8E9C-3CA5ACCF8CAD}\RP2\A0001743.dll -> Adware.SideSearch : Cleaned.
C:\System Volume Information\_restore{33944CCD-5B8B-4781-8E9C-3CA5ACCF8CAD}\RP2\A0001742.exe -> Adware.SpywareRem : Cleaned.
C:\Documents and Settings\Lab-4\Cookies\lab-4@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1292428093-839522115-1957994488-1004\Dc422.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1292428093-839522115-1957994488-1004\Dc424.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1292428093-839522115-1957994488-1004\Dc425.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1292428093-839522115-1957994488-1004\Dc426.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1292428093-839522115-1957994488-1004\Dc427.txt -> TrackingCookie.2o7 : Cleaned.


::Report end

And here the tracking cookie 207 is right back on there again. Also when I run the AVG AntiVirus, there is a new file listed as changed that wasn't before the guy worked on it. It is called: "ntoskrnl.exe"
I have a legit copy (the kind Microsoft Employees get he said) that is activated but he used some sort of his stuff. For this I paid $107.00? Wah! :(

#5 IndiGenus


Posted 01 March 2007 - 08:19 PM

Hi Dennis,

I know you are frustrated with having to pay someone who only caused more problems and all but...

> I think that "020 Winlogon Notify" is a large part of the problem.

No, No, NOOO! :thumbdown: That is part of Windows Genuine Advantage and is a perfectly legitimate entry. DO NOT FIX IT!

> And here the tracking cookie 207 is right back on there again.

As I said before...tracking cookies are totally harmless.

> Also when I run the AVG AntiVirus, there is a new file listed as changed that wasn't before the guy worked on it. It is called: "ntoskrnl.exe"
> I have a legit copy (the kind Microsoft Employees get he said) that is activated but he used some sort of his stuff. For this I paid $107.00? Wah! :(

I'm not understanding you here. That file, ntoskrnl.exe, is a legitimate windows file. What are you talking about?

I would recommend you try running DR Web Cureit! again. Here are the instructions:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.



#6 dpappa


Posted 03 March 2007 - 03:27 AM

I did just as you said and it found zero viruses, and so I could find no button to click on the right of the files found, and the file had "greyed out" the "save as". I guess you need it to find something to be able to have a report. Or maybe it's just the 1:30 A.M. syndrome. I wonder if I shall have to try and find a way to repair the Internet Explorer 6. Dennis

#7 IndiGenus


Posted 03 March 2007 - 07:57 AM

Hi Dennis,

Run through the instructions found at this link and let me know how you make out:

http://www.theelderg.../repair_ie6.htm

Dave


#8 dpappa


Posted 04 March 2007 - 06:34 AM

I already had that page found and bookmarked. It is the one that caused me to wonder if maybe I should re-install IE 6. But I have been afraid to try it. What if I don't understand the prompts that it gives. Then I will be cut off with NO IE 6 or otherwise. It has been this very 'NEWBIES' experience that what 'Windows' says is not what it means a lot of the time. So that if I can't mind read the prompt, being as how "it's intuitive", it might just pull something that I can't recover from. Know what I mean? Dennis PS: But I really do think that will fix the problem. Although I stopped an install of ICQ part way done. Maybe it left something open somehow. But heck, I could try and guess all year. <_<

#9 IndiGenus


Posted 04 March 2007 - 08:28 AM

Just follow the instructions one step at a time and if you're not sure of something then stop.

As an alternative you can download and try the free Firefox browser. No this is not a fix to the problem but might be a temporary work around. I personally use the Firefox browser almost exclusively now.

http://www.mozilla.com/en-US/

Dave


#10 dpappa


Posted 04 March 2007 - 02:45 PM

I guess I'll try the IE 6 thing. I always thought highly of Firefox but the last time I used it a few months ago all kinds of things were getting in. Maybe I already had holes in my system or just didn't install enough of the Firefox. Maxthon? looks good if memory serves. If you don't hear from me for a day or two the IE 6 backfired on me & I have to borrow the Computer at the local coffee shop. Dennis :unsure:



#11 IndiGenus


Posted 04 March 2007 - 04:33 PM

Before you do anything with IE download and install Firefox first. Make sure it's working and then you'll have something to work with.

> I always thought highly of Firefox but the last time I used it a few months ago all kinds of things were getting in

Not sure what you mean here. The browser will not protect you all by itself. You need to have adequate protection in place otherwise. And we need to be mindful of where we go online. I like to refer to that as my "Common Sense Security Suite 2007" software (just joking of course but think about it).


#12 dpappa


Posted 05 March 2007 - 09:28 AM

I already did them both before I saw your post. No effect. And of course the prompts were not clear. At all. They always seem to give directions assuming you already know what they mean. If that were the case, why would I or anyone else need prompts. "check windows automatically" turned into "continue installation". I backed away from that because I didn't know what the installation was. Maybe the whole system. I already removed Firefox, and in fact when all of this mess started, I was getting cookies through Firefox after I had removed it. So somehow some of it stayed around. My best effective guess is that I just need to get my hands on a BIG HAMMER. I just deleted two more paragraphs that were just too negative. I am stumped. Dennis :oops:

#13 IndiGenus


Posted 05 March 2007 - 10:42 AM

> I already did them both before I saw your post. No effect.

Both what? The IE fix and what else? And you said you "backed away" from the fix so how do we know if it would have worked or not?

> I was getting cookies through Firefox after I had removed it.

Not sure how that could happen but as I have said before, cookies are not malware.

At this point I'm not quite sure how I can help you here. The last HJT log you posted appeared to be clean. The scans are also not picking up anything malicious. We seem to be going around in circles also. Let's try this:

1. Post a fresh HJT log for review.
2. Describe the main problem you are having at this point.

Dave


#14 dpappa


Posted 06 March 2007 - 08:29 AM

I meant that there are two IE 6 fixes on that page and I tried them both. Here is my last HJT log. I've not seen the "double window" problem lately so maybe the problem is fixed.

Dennis
Logfile of HijackThis v1.99.1
Scan saved at 6:23:03 AM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HIJACKTHIS 1\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.world2search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Worldnet Service
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Add Feed to Tristana Reader - res://C:\Program Files\Tristana Reader\Reader.exe/AddContent.js
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A9FE6D6-0AB7-4E9E-9B07-27744207E055}: NameServer = 204.127.160.3 12.102.240.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{7A9FE6D6-0AB7-4E9E-9B07-27744207E055}: NameServer = 204.127.160.3 12.102.240.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
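
Reviewing a fresh HijackThis log against an earlier one, as requested in this thread, is easier when the two are compared entry by entry. The following is an added example, not part of the thread and not HijackThis's own code: it rejoins entries that a forum paste has line-wrapped and lists what was added or removed between two scans. The function names and the short section labels are this example's own, and the two sample logs are shortened from the logs posted above, with wrapping constructed as a paste might produce it.

```python
import re

# HijackThis entry lines start with a section code (R0, O4, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Shorthand labels (this example's wording) for the section codes seen in the thread.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O8": "IE context-menu item",
    "O9": "IE extra button/menu item", "O16": "ActiveX (DPF) object",
    "O17": "DNS/domain setting (Tcpip)", "O20": "Winlogon Notify / AppInit_DLLs",
    "O21": "ShellServiceObjectDelayLoad", "O23": "Windows service",
}


def parse_entries(log_text):
    """Return [(code, body)] for a pasted log, rejoining wrapped lines.

    Assumes the input is the log only: any non-entry line after the first
    entry is treated as the wrapped tail of the entry before it. The header
    and the "Running processes" list come before the first entry and are skipped.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif entries:
            entries[-1][1] += " " + line  # continuation of a wrapped entry
    # Collapse runs of whitespace so wrapped and unwrapped copies compare equal.
    return [(code, " ".join(body.split())) for code, body in entries]


def diff_logs(old_text, new_text):
    """Return (added, removed) entries, ignoring case and wrapping differences."""
    def key(entry):
        return (entry[0], entry[1].casefold())

    old = {key(e): e for e in parse_entries(old_text)}
    new = {key(e): e for e in parse_entries(new_text)}
    added = [new[k] for k in new if k not in old]
    removed = [old[k] for k in old if k not in new]
    return added, removed


def describe(entry):
    """One-line summary: code, section label, entry body."""
    code, body = entry
    return f"{code} [{SECTIONS.get(code, 'other')}] {body}"


# Sample input shortened from the thread's 3/1/2007 log.
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:34:49 PM, on 3/1/2007

Running processes:
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
"""

# Sample input shortened from the thread's 3/6/2007 log, with wrapped lines.
NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:23:03 AM, on 3/6/2007

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A9FE6D6-0AB7-4E9E-9B07-27744207E055}: NameServer = 204.127.160.3

12.102.240.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
"""

if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    for entry in added:
        print("ADDED  ", describe(entry))
    for entry in removed:
        print("REMOVED", describe(entry))
```

A difference between scans is only a prompt to look at that entry; whether it is benign still needs the kind of review given in the replies here.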

#15 IndiGenus


Posted 06 March 2007 - 09:38 AM

Hi Dennis,

Your HJT appears to be all clean and I'm glad things are running better now.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which may be infected anyway).

Click Start>Help and Support>Undo changes to your computer with System Restore
Select Create A Restore Point then click Next. Give it a name and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

Use ATF Cleaner to remove temp files, cookies, cache, etc.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main select the following:
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

In addition to updating and running your current protection I recommend the following:

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Ad-Aware - Ad-Aware SE. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install SpywareGuard - SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
A tutorial on installing & using this product can be found here:
Using SpywareGuard to protect your computer from Spyware and Malware

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Here is a great link to a post here on securing your PC after an attack.
http://forums.tomcoy...mp;#entry257163

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Dave