Solved: very stubborn Trojan

[pauleolithic]

I've been trying to remove a trojan from my system for quite awile now. It appeasers to be opening websites at will and I am concerned that it is bringing even more spyware onto my machine and it is really slowing things down. Plus I don't have unlimited downloading capabilities (you can't where I live) and I suspect that it is going to blow my account wide open. It shows up on AVG after a scan and then says it has been cleaned but after I rebott it shows up. It also shows 4 changes in the system32 folder: kernel32.dll, user32.dll, shell32.dll, and ntoskrnl.dll. I've scanned in Safe mode after scanning in normal and it finds it and removes it but then i reboot and there it is again.

If anyone has any ideas of what it could be I would really appreciate the help. I'll post a HiJackThis log file.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:25:39 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [net32] C:\WINDOWS\svhost.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176355439218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://access.alexcoresource.com/Remote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AEA5610-AE18-4850-AEC5-A53AA922007C}: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D100B5B7-1757-4244-96EE-F43B7AC9061E}: NameServer = 85.255.115.60,85.255.112.136
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support helpsvcMSIServer (helpsvcMSIServer) - Unknown owner - C:\WINDOWS\system32\adsnth.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Automatic Updates wuauservWebClient (wuauservWebClient) - Unknown owner - C:\WINDOWS\system32\appmgmtsv.exe (file missing)

--
End of file - 6615 bytes

 

[JSntgRvr]

Hi, pauleolithic

Welcome to TSG.

Please print these instructions for reference, as you will have to restart your computer during the fix.

Please download FixWareout from Here or Here.

Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.

1. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
2. The fix will begin; follow the prompts.
3. If your firewall gives an alert, (because this tool will download an additional files from the internet), please don't let your firewall block it, but allow it instead.
4. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
5. Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

O17 - HKLM\System\CCS\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AEA5610-AE18-4850-AEC5-A53AA922007C}: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D100B5B7-1757-4244-96EE-F43B7AC9061E}: NameServer = 85.255.115.60,85.255.112.136
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222

Click FIX CHECKED. Close HijackThis.

1. Enter your Control Panel and double-click on Network Connections
2. Then right click on your Default Connection
   • Usually Local Area Connection for Cable and DSL, or AOL Connection.
3. Left click on Properties
4. Double-Click on the Internet Protocol (TCP/IP) item
5. Select the radio dial that says Obtain DNS Servers Automatically
6. Press OK twice to get out of the properties screen
7. Restart the computer

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

ipconfig /flushdns (The space between g and / is needed)
Exit

Restart the computer.

Download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download.

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.

 

[pauleolithic]

Thanks, I really appreciate your help.

Here is the Combofix log:

ComboFix 07-06-18.2 - C:\Documents and Settings\Polywog\Desktop\ComboFix.exe
"Polywog" - 2007-06-29 18:55:01 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-29 18:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-06-29 18:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 18:39 7,228 --a------ C:\dnsbak.reg
2007-06-29 18:11 <DIR> d-------- C:\Program Files\STOPzilla!
2007-06-29 18:11 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-06-29 18:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-06-29 18:10 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-06-29 18:09 <DIR> d-------- C:\DOCUME~1\Polywog\APPLIC~1\WholeSecurity
2007-06-29 15:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-23 14:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-23 14:08 <DIR> d-------- C:\Program Files\DBan
2007-06-22 17:31 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\DivX
2007-06-18 19:18 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-06-16 14:09 <DIR> d-------- C:\Program Files\QuickTime
2007-06-16 11:31 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-06-16 11:31 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-16 11:30 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-16 11:26 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-06-14 22:25 285 --a------ C:\kjaskd4a.exe
2007-06-12 21:03 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-11 18:54 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\Lavasoft
2007-06-10 20:38 <DIR> d-------- C:\DOCUME~1\Polywog\APPLIC~1\Leadertech
2007-06-09 22:42 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\Corel
2007-06-04 21:21 <DIR> d-------- C:\WINDOWS\pss
2007-05-31 22:16 361 --ahs---- C:\WINDOWS\system32\4109987059.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-23 00:32:49 -------- d-----w C:\Program Files\Picasa2
2007-06-16 20:45:49 -------- d-----w C:\Program Files\Messenger
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-29 18:46:24 -------- d-----w C:\Program Files\DivX
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-12 04:27:40 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-04-12 04:27:40 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-04-11 22:49:30 0 --sha-r C:\MSDOS.SYS
2007-04-11 22:49:30 0 --sha-r C:\IO.SYS
2007-04-11 22:49:30 0 ----a-w C:\CONFIG.SYS
2007-04-11 22:49:30 0 ----a-w C:\AUTOEXEC.BAT
2007-04-11 22:46:27 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [2002-11-13 16:34 C:\WINDOWS\system32\sstray.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-20 14:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-07 22:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-21 20:22]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-06-14 02:48:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-29 18:56:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-29 18:56:38

--- E O F ---

Here is the HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:58:24 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\sstray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176355439218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://access.alexcoresource.com/Remote/msrdp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support helpsvcMSIServer (helpsvcMSIServer) - Unknown owner - C:\WINDOWS\system32\adsnth.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Automatic Updates wuauservWebClient (wuauservWebClient) - Unknown owner - C:\WINDOWS\system32\appmgmtsv.exe (file missing)

--
End of file - 5678 bytes


And here is the FixWareout report:

Fixwareout Last edited 6/27/2007
Post this report in the forums please
...
»»»»»Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}EC63E9402EA4-49EB-9264-30EC-61AAA61D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9170E92E237F-89CA-BFF4-CB6E-E1620B2D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}013A885D2C40-7E08-2724-BF37-24E7515C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}736A9C337B6C-B258-F934-9293-F829F489{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8583B6D1D9B5-9299-F544-7E05-31AE7194{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}95B9375D7312-0659-F2C4-18B3-4945B807{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}1C3401F91D91-1AB9-BDD4-E672-8F54DB55{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4CAAB1B79C0B-3709-F9D4-D53E-B08EA94A{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}72B7C06A6AFE-33DA-C424-5307-589503B5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A876A28A3263-BD6A-02E4-02E7-F39F0306{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FD93C7BC1C50-542B-8154-A96C-884E41B6{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}AFDB726ED345-A849-DD74-8BB6-1DF83D6F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}C5518181F1C5-7648-82B4-C469-62FABF2D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}BC544C531C01-CC48-E3C4-84B3-73AF3A95{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}CFF3EB12DD08-3E1A-9CB4-9BA4-4AE4A530{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}2A9370E33861-004B-E194-01B8-0D9E3097{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}81E5E2267676-64B8-7A94-1B5C-6E61EBC3{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9C981E0F21DF-084B-7A54-87AD-A3FCC169{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A524B1217F16-3BBB-C584-9098-C612C397{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}B88590051EC6-680A-7734-DAA7-AAC32012{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}3A82A54463CF-3059-E454-6D9C-895C33B5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}7869193B9396-64C8-16B4-CC84-5C833E4B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}DBED7740EBC2-F69B-64D4-0F5D-4126774F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}ABE48BAC38DB-883A-4B64-135E-38C314EF{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E8CDE66E7DBC-9CC9-13F4-06A9-5C401DEF{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}015EDEB4F6E0-2C79-7874-0708-7D8F00EA{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}41DF3F4ADDB9-D13B-6A44-4F3C-5D3F750C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A3690A194389-D8CB-A6D4-0AED-5A9E0169{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FBDFE9615917-AFFA-E814-45CF-89C9F680{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}95F2638190ED-0D09-18E4-7B10-2A0139C2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}D6765BF5343A-48A8-D714-32CA-9D51FC14{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}183F3D473BB3-18D8-97A4-1EA5-F1D3CD54{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}6CEEF1FD9ACE-862A-5E84-D33E-7C04E3E2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}C93B028DF609-670B-1284-C270-DE642856{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}087CE5C6E165-AF9B-98D4-5EC4-D89089AE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E99BA95899C0-834A-8F34-863B-90C737E5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}655CC982D827-E01B-9EF4-4E20-3EF291AF{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}F2D0EE057D87-89AA-FC54-9F45-82A2E55F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}46068CE6F14D-773B-F9F4-5875-AA501E63{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9E3AEE2D0D4D-802A-63B4-AAC4-64B7D1FD{" Deleted
C:\WINDOWS\System32\bpygo.exe Deleted
C:\WINDOWS\System32\fjkpr.exe Deleted
C:\WINDOWS\System32\ltprr.exe Deleted
C:\WINDOWS\System32\mjpwn.exe Deleted
....
»»»»» Misc files.

One of the items you suggested I should check on the first HiJackThis scan wasn't there:

O17 - HKLM\System\CCS\Services\Tcpip\..\{D100B5B7-1757-4244-96EE-F43B7AC9061E}: NameServer = 85.255.115.60,85.255.112.136

but there was no other O17 item in its place.

thanks again

 

[JSntgRvr]

Hi, pauleolithic

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Go to Start->Run, type CMD and click Ok. The MSDOS window will be displayed. At the prompt type the following and press Enter after each line:

SC Stop wuauservWebClient
SC Delete wuauservWebClient
Exit

• Copy the entire contents of the Quote Box below to Notepad.
• Name the file as ComboFix-Do.txt
• Change the Save as Type to All Files
• and Save it on the desktop

File::
C:\kjaskd4a.exe
C:\WINDOWS\system32\4109987059.dat

Folder::


ADS::


Driver::


Registry::

Once saved, refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe, and post back the resulting report. How is the computer doing?

 

[pauleolithic]

The computer is running a lot better: no unexplained pop-ups or , no unexplained sounds of webpages being opened, and no obvious slowing down of the processes. Here is the ComboFix report

ComboFix 07-06-18.2 - C:\Documents and Settings\Polywog\Desktop\ComboFix.exe
"Polywog" - 2007-06-30 15:43:10 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Polywog\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\kjaskd4a.exe
C:\WINDOWS\system32\4109987059.dat


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-29 18:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-06-29 18:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 18:39 7,228 --a------ C:\dnsbak.reg
2007-06-29 18:11 <DIR> d-------- C:\Program Files\STOPzilla!
2007-06-29 18:11 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-06-29 18:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-06-29 18:10 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-06-29 18:09 <DIR> d-------- C:\DOCUME~1\Polywog\APPLIC~1\WholeSecurity
2007-06-29 15:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-23 14:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-23 14:08 <DIR> d-------- C:\Program Files\DBan
2007-06-22 17:31 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\DivX
2007-06-18 19:18 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-06-16 14:09 <DIR> d-------- C:\Program Files\QuickTime
2007-06-16 11:31 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-06-16 11:31 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-16 11:30 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-16 11:26 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-06-12 21:03 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-11 18:54 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\Lavasoft
2007-06-10 20:38 <DIR> d-------- C:\DOCUME~1\Polywog\APPLIC~1\Leadertech
2007-06-09 22:42 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\Corel
2007-06-04 21:21 <DIR> d-------- C:\WINDOWS\pss
2007-05-14 19:59 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\AdobeUM
2007-05-14 19:59 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\AdobeAUM


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-23 00:32:49 -------- d-----w C:\Program Files\Picasa2
2007-06-16 20:45:49 -------- d-----w C:\Program Files\Messenger
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-29 18:46:24 -------- d-----w C:\Program Files\DivX
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-12 04:27:40 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-04-12 04:27:40 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-04-11 22:49:30 0 --sha-r C:\MSDOS.SYS
2007-04-11 22:49:30 0 --sha-r C:\IO.SYS
2007-04-11 22:49:30 0 ----a-w C:\CONFIG.SYS
2007-04-11 22:49:30 0 ----a-w C:\AUTOEXEC.BAT
2007-04-11 22:46:27 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [2002-11-13 16:34 C:\WINDOWS\system32\sstray.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-20 14:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-07 22:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-21 20:22]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

*Newly Created Service* - DMADMIN

Contents of the 'Scheduled Tasks' folder
2007-06-14 02:48:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 15:44:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-30 15:44:31
C:\ComboFix-quarantined-files.txt ... 2007-06-30 15:44
C:\ComboFix2.txt ... 2007-06-29 18:56

--- E O F ---


thanks again

 

[JSntgRvr]

Hi, pauleolithic.

Congratulations.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Create a Restore point:

1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
2. In the System Restore dialog box, click Create a restore point, and then click Next.
3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
   
2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
   
3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
   
4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
   
5. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
   
6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
   
7. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
   
8. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Click Here for some advise from our security Experts.

Please use the thread's Tools and mark this thread as "Solved".

Best wishes!