
WinAntiVirusPro2006 and/or SystemDoctor Hijack



John777
2007-03-08, 01:08
PART I

Yesterday I started getting pop-ups advising me to buy WinAntiVirusPro2006, along with strange behavior from IE, such as mis-directing me to different sites (often Netster.com) when I tried to click on a Google link. Today, the pop-up window suggested purchasing SystemDoctor.

I'm pretty sure this is the result of mistakenly clicking on a pop-up two days ago.

I have run Panda Online Scan, and deleted or "disinfected" what it permitted me to.

Also, I downloaded and scanned with Spybot-S&D, fixing everything in safe mode.

Finally, I did a HiJack This scan.

Here are the logs requested in the "BEFORE you POST" sticky.

Thanks in advance for your help.

PANDA ONLINE SCAN:

Incident Status Location

Spyware:Cookie/RealMedia Disinfected C:\Documents and Settings\John\Cookies\john@247realmedia[1].txt
Spyware:Cookie/YieldManager Disinfected C:\Documents and Settings\John\Cookies\john@ad.yieldmanager[1].txt
Spyware:Cookie/Advertising Disinfected C:\Documents and Settings\John\Cookies\john@advertising[1].txt
Spyware:Cookie/Apmebf Disinfected C:\Documents and Settings\John\Cookies\john@apmebf[1].txt
Spyware:Cookie/Atlas DMT Disinfected C:\Documents and Settings\John\Cookies\john@atdmt[1].txt
Spyware:Cookie/Casalemedia Disinfected C:\Documents and Settings\John\Cookies\john@casalemedia[1].txt
Spyware:Cookie/Doubleclick Disinfected C:\Documents and Settings\John\Cookies\john@doubleclick[2].txt
Spyware:Cookie/Hitbox Disinfected C:\Documents and Settings\John\Cookies\john@hitbox[2].txt
Spyware:Cookie/QuestionMarket Disinfected C:\Documents and Settings\John\Cookies\john@questionmarket[2].txt
Spyware:Cookie/Tribalfusion Disinfected C:\Documents and Settings\John\Cookies\john@tribalfusion[2].txt
Spyware:Cookie/2o7 Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@112.2o7[2].txt
Spyware:Cookie/RealMedia Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@247realmedia[1].txt
Spyware:Cookie/2o7 Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@2o7[1].txt
Spyware:Cookie/YieldManager Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@adrevolver[2].txt
Spyware:Cookie/Adrevolver Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@adrevolver[3].txt
Spyware:Cookie/AdDynamix Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@ads.pointroll[2].txt
Spyware:Cookie/Adtech Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@adtech[1].txt
Spyware:Cookie/Advertising Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@advertising[2].txt
Spyware:Cookie/NewMedia Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@anm.co[2].txt
Spyware:Cookie/Apmebf Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@apmebf[1].txt
Spyware:Cookie/Falkag Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@atdmt[2].txt
Spyware:Cookie/Atwola Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@atwola[1].txt
Spyware:Cookie/Belnk Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@belnk[1].txt
Spyware:Cookie/Bfast Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@bfast[2].txt
Spyware:Cookie/Bluestreak Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@bluestreak[1].txt
Spyware:Cookie/bravenetA Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@bravenet[1].txt
Spyware:Cookie/Serving-sys Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@burstnet[2].txt
Spyware:Cookie/Casalemedia Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@casalemedia[2].txt
Spyware:Cookie/Cgi-bin Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@cgi-bin[2].txt
Spyware:Cookie/Bridgetrack Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@citi.bridgetrack[2].txt
Spyware:Cookie/Com.com Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@com[1].txt
Spyware:Cookie/Hitslink Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@counter.hitslink[2].txt
Spyware:Cookie/Dbbsrv Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@dbbsrv[1].txt
Spyware:Cookie/Belnk Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@doubleclick[1].txt
Spyware:Cookie/Hitbox Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@ehg-dig.hitbox[2].txt
Spyware:Cookie/Entrepreneur Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@entrepreneur[2].txt
Spyware:Cookie/FastClick Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@fastclick[2].txt
Spyware:Cookie/Go Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@go[2].txt
Spyware:Cookie/Hitbox Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@hitbox[1].txt
Spyware:Cookie/Maxserving Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@maxserving[1].txt
Spyware:Cookie/FastClick Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@media.fastclick[1].txt
Spyware:Cookie/Mediaplex Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@mediaplex[2].txt
Spyware:Cookie/Overture Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@questionmarket[1].txt
Spyware:Cookie/RealMedia Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@realmedia[2].txt
(CONTINUED)

John777
2007-03-08, 01:14
PANDA ONLINE SCAN (cont.):

Spyware:Cookie/WUpd Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@revenue[2].txt
Spyware:Cookie/Searchportal Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@searchportal.information[1].txt
Spyware:Cookie/Advertising Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@servedby.advertising[2].txt
Spyware:Cookie/Server.iad.Liveperson Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@serving-sys[1].txt
Spyware:Cookie/Statcounter Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@statcounter[1].txt
Spyware:Cookie/WebtrendsLive Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@statse.webtrendslive[2].txt
Spyware:Cookie/Traffic Marketplace Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@www.burstbeacon[2].txt
Spyware:Cookie/myaffiliateprogram Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@www.myaffiliateprogram[2].txt
Spyware:Cookie/Xiti Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@xiti[1].txt
Spyware:Cookie/Adserver Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@z1.adserver[1].txt
Spyware:Cookie/Zedo Disinfected C:\Documents and Settings\John\Cookies\Cookies\john@zedo[2].txt
Potentially unwanted tool:Application/Processor No disinfected C:\Documents and Settings\John\Desktop\MISC Stuff\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor No disinfected C:\Documents and Settings\John\My Documents\Programs I've Downloaded\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor No disinfected C:\WINDOWS\system32\Process.exe



HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 1:49:49 PM, on 3/7/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] "C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe"
O4 - HKCU\..\Run: [SpamBully 3 for Outlook Express] "C:\Program Files\Axaware\Spam Bully 3 for OE\sb3oe.exe" install
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: __c002B146 - C:\WINDOWS\System32\__c002B146.dat
O20 - Winlogon Notify: __c00356DC - C:\WINDOWS\System32\__c00356DC.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

*********

THANK YOU!

Mr_JAk3
2007-03-08, 22:02
Hi John777 and welcome to the Forums :)

So you're getting popups...

Do you know anything about these lines?

O20 - Winlogon Notify: __c002B146 - C:\WINDOWS\System32\__c002B146.dat
O20 - Winlogon Notify: __c00356DC - C:\WINDOWS\System32\__c00356DC.dat


Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\System32\__c002B146.dat
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\System32\__c00356DC.dat
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.


:bigthumb:

John777
2007-03-09, 01:30
>Do you know anything about these lines?

No, I don't; I have very little understanding of this stuff.

VIRUSTOTAL RESULTS:

STATUS: FINISHED
Complete scanning result of "__c002B146.dat", received in VirusTotal at 03.08.2007, 23:45:59 (CET).

Antivirus Version Update Result

AntiVir 7.3.1.41 03.08.2007 no virus found
Authentium 4.93.8 03.08.2007 no virus found
Avast 4.7.936.0 03.08.2007 no virus found
AVG 7.5.0.447 03.08.2007 no virus found
BitDefender 7.2 03.08.2007 no virus found
CAT-QuickHeal 9.00 03.08.2007 no virus found
ClamAV devel-20060426 03.08.2007 no virus found
DrWeb 4.33 03.08.2007 no virus found
eSafe 7.0.14.0 03.08.2007 suspicious Trojan/Worm
eTrust-Vet 30.6.3464 03.08.2007 no virus found
Ewido 4.0 03.07.2007 no virus found
FileAdvisor 1 03.08.2007 no virus found
Fortinet 2.85.0.0 03.08.2007 suspicious
F-Prot 4.3.1.45 03.08.2007 no virus found
F-Secure 6.70.13030.0 03.08.2007 no virus found
Ikarus T3.1.1.3 03.08.2007 Trojan-Dropper.Win32.Agent.ane
Kaspersky 4.0.2.24 03.08.2007 no virus found
McAfee 4980 03.08.2007 no virus found
Microsoft 1.2204 03.08.2007 no virus found
NOD32v2 2104 03.08.2007 no virus found
Norman 5.80.02 03.07.2007 W32/Suspicious_U.gen
Panda 9.0.0.4 03.08.2007 Suspicious file
Prevx1 V2 03.08.2007 no virus found
Sophos 4.15.0 03.07.2007 no virus found
Sunbelt 2.2.907.0 03.07.2007 VIPRE.Suspicious
Symantec 10 03.08.2007 no virus found
TheHacker 6.1.6.072 03.07.2007 no virus found
UNA 1.83 03.07.2007 no virus found
VBA32 3.11.2 03.08.2007 no virus found
VirusBuster 4.3.19:9 03.08.2007 Packed/Upack

Aditional Information

File size: 9546 bytes
MD5: 23e0d413c9748e2c036215e25a6eb07b
SHA1: 39bcb452d124a8e96ba6b0924d119772b162f84b
packers: UPACK
packers: UPack
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.



STATUS: FINISHED
Complete scanning result of "__c00356DC.dat", received in VirusTotal at 03.08.2007, 23:52:51 (CET).

Antivirus Version Update Result

AntiVir 7.3.1.41 03.08.2007 no virus found
Authentium 4.93.8 03.08.2007 no virus found
Avast 4.7.936.0 03.08.2007 no virus found
AVG 7.5.0.447 03.08.2007 no virus found
BitDefender 7.2 03.08.2007 no virus found
CAT-QuickHeal 9.00 03.08.2007 no virus found
ClamAV devel-20060426 03.08.2007 no virus found
DrWeb 4.33 03.08.2007 no virus found
eSafe 7.0.14.0 03.08.2007 suspicious Trojan/Worm
eTrust-Vet 30.6.3464 03.08.2007 no virus found
Ewido 4.0 03.07.2007 no virus found
FileAdvisor 1 03.08.2007 no virus found
Fortinet 2.85.0.0 03.08.2007 suspicious
F-Prot 4.3.1.45 03.08.2007 no virus found
F-Secure 6.70.13030.0 03.08.2007 no virus found
Ikarus T3.1.1.3 03.08.2007 Trojan-Dropper.Win32.Agent.ane
Kaspersky 4.0.2.24 03.08.2007 no virus found
McAfee 4980 03.08.2007 no virus found
Microsoft 1.2204 03.08.2007 no virus found
NOD32v2 2104 03.08.2007 no virus found
Norman 5.80.02 03.07.2007 W32/Suspicious_U.gen
Panda 9.0.0.4 03.08.2007 Suspicious file
Prevx1 V2 03.08.2007 no virus found
Sophos 4.15.0 03.07.2007 no virus found
Sunbelt 2.2.907.0 03.07.2007 VIPRE.Suspicious
Symantec 10 03.08.2007 no virus found
TheHacker 6.1.6.072 03.07.2007 no virus found
UNA 1.83 03.07.2007 no virus found
VBA32 3.11.2 03.08.2007 no virus found
VirusBuster 4.3.19:9 03.08.2007 Packed/Upack

Aditional Information

File size: 9546 bytes
MD5: 23e0d413c9748e2c036215e25a6eb07b
SHA1: 39bcb452d124a8e96ba6b0924d119772b162f84b
packers: UPACK
packers: UPack
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.



GMER.exe Scan Results:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-08 18:22:12
Windows 5.1.2600


---- Kernel code sections - GMER 1.0.12 ----

.text ntdll.dll!NtClose 77F5B458 5 Bytes JMP 7203407A
.text ntdll.dll!NtCreateProcess 77F5B5B8 5 Bytes JMP 72034205
.text ntdll.dll!NtCreateProcessEx 77F5B5C8 5 Bytes JMP 720340E9
.text ntdll.dll!NtCreateSection 77F5B5E8 5 Bytes JMP 72034098

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Trend Micro\Internet Security\PCCPFW.exe[1064] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\WINDOWS\explorer.exe[1336] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\explorer.exe[1336] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\explorer.exe[1336] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[1404] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[1404] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[1404] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[1404] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe[1432] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe[1432] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe[1432] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[1440] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[1440] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[1440] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Trend Micro\Internet Security\pccguide.exe[1456] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Trend Micro\Internet Security\pccguide.exe[1456] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Trend Micro\Internet Security\pccguide.exe[1456] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe[1464] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe[1464] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Iomega\Iomega Automatic Backup\iBackup.exe[1464] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1472] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1472] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1472] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1508] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1508] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1508] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1516] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1516] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1516] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\PROGRA~1\Iomega\System32\AppServices.exe[1680] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\WINDOWS\system32\nvsvc32.exe[1712] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Program Files\PurgeIE\PurgeIE_Service.exe[1756] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[1928] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[1928] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[1928] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[1928] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe[1944] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Program Files\Trend Micro\Internet Security\tmproxy.exe[2004] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 18, 5F ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 14, 5F ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] kernel32.dll!CreateThread + 18 77E9A3F8 4 Bytes [ F0, 25, 94, 88 ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] USER32.dll!DefWindowProcA 77D445AB 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] USER32.dll!DefWindowProcW 77D4C4E3 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] shell32.dll!Shell_NotifyIconW 77475593 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] shell32.dll!Shell_NotifyIcon 774756DA 6 Bytes [ FF, 25, 1E, 00, 0E, 5F ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3756] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3756] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3756] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3756] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Documents and Settings\John\Desktop\gmer.exe[4032] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Documents and Settings\John\Desktop\gmer.exe[4032] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Documents and Settings\John\Desktop\gmer.exe[4032] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Documents and Settings\John\Desktop\gmer.exe[4032] kernel32.dll!CreateProcessA 77E959ED 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]

---- EOF - GMER 1.0.12 ----

*******

Thank you for your help, Mr_JAk3 !
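The GMER output above lists every patched API entry point but leaves the reader to eyeball which functions are hooked in how many processes and what the patch bytes mean. The following script is an added example (not part of this thread or of GMER) that parses those `.text` lines and summarizes them; `SAMPLE_LOG` is a constructed excerpt copied from the log posted above. It tells you what is patched, not who patched it: security products in the process list (Trend Micro, TeaTimer) hook these same APIs, and these GMER lines do not name the owning module, so a hook is only suspicious in context.

```python
"""Summarize GMER 1.0.12 '.text' hook lines: which export is patched, in which
processes, and what kind of patch it is."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of lines copied from the GMER log in this thread.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.12 ----

.text ntdll.dll!NtClose 77F5B458 5 Bytes JMP 7203407A
.text ntdll.dll!NtCreateProcessEx 77F5B5C8 5 Bytes JMP 720340E9

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\explorer.exe[1336] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\explorer.exe[1336] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Trend Micro\Internet Security\PCCPFW.exe[1064] kernel32.dll!FreeLibrary + 37 77E8C7D5 4 Bytes [ 63, 38, 17, E7 ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] kernel32.dll!CreateProcessW 77E95430 6 Bytes [ FF, 25, 1E, 00, 18, 5F ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] USER32.dll!DefWindowProcA 77D445AB 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Outlook Express\msimn.exe[2792] kernel32.dll!CreateThread + 18 77E9A3F8 4 Bytes [ F0, 25, 94, 88 ]
"""

# One GMER hook line. User-mode lines carry "path[pid]" before the symbol;
# kernel-section lines do not. The symbol may carry a "+ offset" suffix.
HOOK_LINE = re.compile(
    r"^\.text (?:(?P<proc>.+?)\[(?P<pid>\d+)\] )?"
    r"(?P<sym>\S+(?: \+ \d+)?) "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<n>\d+) Bytes (?P<patch>.+)$"
)


@dataclass
class Hook:
    section: str            # "kernel" or "user"
    proc: Optional[str]     # process image path, None for kernel-section lines
    pid: Optional[int]
    sym: str                # e.g. "kernel32.dll!CreateProcessW"
    addr: str               # patched address, as GMER printed it
    size: int               # number of patched bytes
    kind: str               # "jmp_rel", "jmp_indirect" or "bytes"
    target: str             # jump target / pointer address, or raw patch bytes


def decode_patch(patch: str) -> tuple[str, str]:
    """Classify the patch column. GMER prints a resolved 'JMP target' for a
    5-byte E9 rel32 patch; otherwise it prints the raw new bytes."""
    m = re.fullmatch(r"JMP ([0-9A-Fa-f]{8})", patch)
    if m:
        return "jmp_rel", m.group(1).upper()
    m = re.fullmatch(r"\[ (.*) \]", patch)
    if not m:
        return "unknown", patch
    data = bytes(int(b, 16) for b in m.group(1).split(","))
    # FF 25 disp32 is x86 'jmp dword ptr [disp32]': control goes wherever the
    # pointer stored at disp32 says, so the final destination is not in the log.
    if len(data) == 6 and data[:2] == b"\xff\x25":
        return "jmp_indirect", f"{int.from_bytes(data[2:], 'little'):08X}"
    return "bytes", data.hex().upper()


def parse_gmer(text: str) -> list[Hook]:
    """Turn the '.text' lines of a GMER report into Hook records."""
    hooks, section = [], "unknown"
    for line in text.splitlines():
        if line.startswith("---- Kernel code sections"):
            section = "kernel"
            continue
        if line.startswith("---- User code sections"):
            section = "user"
            continue
        m = HOOK_LINE.match(line)
        if not m:
            continue
        kind, target = decode_patch(m["patch"])
        hooks.append(Hook(section, m["proc"], int(m["pid"]) if m["pid"] else None,
                          m["sym"], m["addr"].upper(), int(m["n"]), kind, target))
    return hooks


def process_count_by_symbol(hooks: list[Hook]) -> dict[str, int]:
    """How many distinct processes carry a patch on each export."""
    pids = defaultdict(set)
    for h in hooks:
        if h.section == "user":
            pids[h.sym].add(h.pid)
    return {sym: len(s) for sym, s in pids.items()}


if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_LOG)
    for h in hooks:
        where = f"{h.proc}[{h.pid}]" if h.proc else "kernel section"
        print(f"{h.sym:<32} {h.kind:<13} {h.target}  in {where}")
    for sym, n in sorted(process_count_by_symbol(hooks).items(), key=lambda x: -x[1]):
        print(f"{sym} patched in {n} process(es)")
```

On the full log in this thread the per-symbol counts make the pattern obvious: LoadLibraryExW and both CreateProcess variants are patched with the same `FF 25` indirect jump in almost every process, while `FreeLibrary + 37` carries a 4-byte patch in the services.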

Mr_JAk3
2007-03-09, 09:38
Hi again :)

Ok, the two lines are bad but quite poorly detected... We'll send them for further inspection.

Please download the Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:


C:\WINDOWS\System32\__c002B146.dat
C:\WINDOWS\System32\__c00356DC.dat

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please go to this forum (http://www.thespykiller.co.uk/forum/index.php?board=1.0)
There's no need to register. Just start a new topic, titled "Files for Mr_JAk3".
Copy the link of this topic to the message.

Use the Attachment box to upload the cab file from your desktop.

NOTE: You will not see the files that have been uploaded (including the ones you upload yourself), as they only show to the authorised users who can download them.

Thank you :bigthumb:

===========

Now we'll get you cleaned.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O20 - Winlogon Notify: __c002B146 - C:\WINDOWS\System32\__c002B146.dat
O20 - Winlogon Notify: __c00356DC - C:\WINDOWS\System32\__c00356DC.dat

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\System32\__c002B146.dat
C:\WINDOWS\System32\__c00356DC.dat

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

John777
2007-03-09, 16:30
I have a problem, Mr_JAk3.

I followed the steps you laid out for clean-up, up to the point of doing the Hijack This scan and fix.

I checked the two items you indicated (which indeed were still present), and clicked the "Fix Checked" button.

When I re-scanned, only one of the two was deleted, leaving

O20 - Winlogon Notify: __c002B146 - C:\WINDOWS\System32\__c002B146.dat

I tried checking that and fixing it a couple of times, but to no avail. Each time I re-scanned, it was still on the list.

So I stopped the clean-up at that point, and await your further instructions before proceeding.

Thanks.


P.S. I note that as I previewed this post, I got an "Error Detected" pop-up, trying to sell me "ErrorSafe".

Mr_JAk3
2007-03-09, 23:25
Hi again and thanks for the upload, the files were there :bigthumb:

Ok those popups are caused by the infection.

We may use stronger methods for those files.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\__c002B146.dat
C:\WINDOWS\System32\__c00356DC.dat

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Then you may continue with the instructions (scanning the pc with AVG AntiSpyware in safe mode) :bigthumb:

John777
2007-03-10, 03:27
> Please run Killbox.

Done. :bigthumb:


> Then you may continue with the instructions...

I've gone through all the steps, in particular, deleting the file
C:\WINDOWS\System32\__c002B146.dat
while in safe mode.

Here are the logs.

AVG Report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:04:16 PM 3/9/2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{33C6EB67-3159-4562-B023-446370EC20C9}\RP232\A0049549.dll -> Trojan.Sinowal.co : Cleaned with backup (quarantined).


::Report end


*******

Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 8:10:06 PM, on 3/9/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\HPBPRO.EXE
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] "C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpamBully 3 for Outlook Express] "C:\Program Files\Axaware\Spam Bully 3 for OE\sb3oe.exe" install
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: __c002B146 - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

*******

I note there seems to be a vestige of: __c002B146 - C:\WINDOWS\

:sad:

Looking forward to your further guidance, and thank you again for your help with this.

Mr_JAk3
2007-03-10, 11:14
Hi :)

Are you still getting those popups?

Fix this line with HijackThis:
O20 - Winlogon Notify: __c002B146 - C:\WINDOWS\

Restart the computer and post a fresh HijackThis log :bigthumb:

John777
2007-03-10, 18:17
> Are you still getting those popups?

No popups.

I was able to delete
O20 - Winlogon Notify: __c002B146 - C:\WINDOWS\
using HJT, but as you can see below, it came back once I rebooted.

:scratch:

Here is the log (after deleting file & reboot):

Logfile of HijackThis v1.99.1
Scan saved at 11:09:41 AM, on 3/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\HPBPRO.EXE
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] "C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpamBully 3 for Outlook Express] "C:\Program Files\Axaware\Spam Bully 3 for OE\sb3oe.exe" install
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: __c002B146 - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

Mr_JAk3
2007-03-10, 20:03
Hi :)

Ok Teatimer might be blocking the removal...I forgot it :red:

Disable AVG Anti-Spyware guard.
Open AVG Anti-Spyware
Click Shield
Click under "resident shield is"
Change it to inactive
Close the program
Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer
Now fix this with HijackThis and restart the computer:
O20 - Winlogon Notify: __c002B146 - C:\WINDOWS\

Scan again with HijackThis and let me know if it worked :bigthumb:
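
The O20 "Winlogon Notify" lines that the instructions above have the reader fix, and the comparison of successive HijackThis logs that reveals an entry surviving a reboot, can be checked mechanically. The following Python script is an added example and is not code from this thread, from HijackThis or from Spybot: it parses constructed log excerpts written in the HijackThis v1.99.1 line format used in this thread, flags Winlogon Notify entries whose name is not one of the Windows XP default Notify packages (the allowlist is an assumption of this example), whose path no longer contains a file name, or which point at something other than a DLL, and reports which entries were removed, added or persisted between two scans.

```python
"""Triage the O20 "Winlogon Notify" lines of HijackThis logs (added example)."""
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample excerpts in the HijackThis v1.99.1 line format; these are
# not real scan logs, only lines of the same shape as the ones in this thread.
SAMPLE_LOG_BEFORE = r"""
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: __c002B146 - C:\WINDOWS\System32\__c002B146.dat
O20 - Winlogon Notify: __c00356DC - C:\WINDOWS\System32\__c00356DC.dat
"""

SAMPLE_LOG_AFTER = r"""
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: __c002B146 - C:\WINDOWS\
"""

# Assumption: Notify package names a stock Windows XP install registers under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Anything
# else deserves a look; it is not automatically malicious (vendors add their own).
KNOWN_NOTIFY_PACKAGES: Set[str] = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# HijackThis prints these entries as: O20 - Winlogon Notify: <subkey> - <DllName>
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


class NotifyEntry(NamedTuple):
    name: str   # registry subkey under Winlogon\Notify
    path: str   # DllName value as HijackThis shows it


def parse_winlogon_notify(log_text: str) -> List[NotifyEntry]:
    """Return every O20 Winlogon Notify entry found in a HijackThis log."""
    entries: List[NotifyEntry] = []
    for line in log_text.splitlines():
        match = O20_NOTIFY_RE.match(line.strip())
        if match:
            entries.append(NotifyEntry(match.group("name"), match.group("path").strip()))
    return entries


def assess(entry: NotifyEntry) -> List[str]:
    """List the reasons a Notify entry deserves attention (empty list = nothing odd)."""
    findings: List[str] = []
    if entry.name.lower() not in KNOWN_NOTIFY_PACKAGES:
        findings.append("name not in XP default Notify packages")
    file_name = entry.path.rsplit("\\", 1)[-1]
    if entry.path.endswith("\\") or "." not in file_name:
        # The DllName value lost its file name: the key outlived the file it loaded.
        findings.append("path has no file name (orphaned registry key)")
    elif not file_name.lower().endswith(".dll"):
        # Winlogon loads Notify packages as DLLs; any other extension is unusual.
        findings.append("Notify package is not a .dll")
    return findings


def diff_notify(before: List[NotifyEntry], after: List[NotifyEntry]) -> Dict[str, Set[str]]:
    """Compare two scans by subkey name: what was removed, what came back, what is new."""
    names_before = {e.name for e in before}
    names_after = {e.name for e in after}
    return {
        "removed": names_before - names_after,
        "persisted": names_before & names_after,
        "added": names_after - names_before,
    }


if __name__ == "__main__":
    before = parse_winlogon_notify(SAMPLE_LOG_BEFORE)
    after = parse_winlogon_notify(SAMPLE_LOG_AFTER)
    for entry in after:
        print(f"{entry.name}: {entry.path} -> {assess(entry) or ['ok']}")
    print(diff_notify(before, after))
```

An entry that is "persisted" after a fix-and-reboot cycle is the signal to look for: it means either the file was still present to recreate the key, or, as in this thread, a resident protection tool undid the registry change.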

John777
2007-03-10, 21:14
> Ok Teatimer might be blocking the removal...

Yes, disabling that seemed to do the trick. Thank you, Mr_JAk3.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:55:53 PM, on 3/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] "C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpamBully 3 for Outlook Express] "C:\Program Files\Axaware\Spam Bully 3 for OE\sb3oe.exe" install
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

***********

Hopefully, that's the end of that particular virus. Does anything else need to be addressed on the clean-up front?

And a follow-up question. A couple of years ago, I got a virus that disabled my system, and I ended up having to re-load Windows. I decided not to install Service Pack 2 at that time, because I felt like it had slowed my system. But I gather from the "UPDATED WINDOWS" sticky in this forum, that that was probably unwise, and something to rectify now that my operating system is clean?

Again, many thanks for your help with this. :)

Mr_JAk3
2007-03-10, 21:40
Hi again :)

The log looks clean now :)

Yes you should definitely update your system (I was going to address the installation of SP1a at the beginning but don't know how I forgot it. So get both of the service packs + other updates). Go to Windows Update (http://windowsupdate.microsoft.com) and install all important updates. You probably need to restart the computer and get back to the Windows Update before all of the updates are installed.

You can remove the tools we used.

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then OK, and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe :bigthumb: