Trojan infection and keep getting popups directing to an Anti-Spyware software site! [Archive]

View Full Version : Trojan infection and keep getting popups directing to an Anti-Spyware software site!

General_Slaye

2007-09-04, 16:10

Hi

AVG keeps detecting various Trojan horses on my computer and a new web browser window randomly opens directing me to an Anti-Spyware software site which you got to pay to get.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:02:02, on 04/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows SteadyState\SCTSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ullypxrr.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows SteadyState\Bubble.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\DriveCleaner\DC6cw.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Bubble] "%ProgramFiles%\Windows SteadyState\Bubble.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [DC6cw] "C:\Program Files\Common Files\DriveCleaner\DC6cw.exe" -c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ullypxrr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 5037 bytes

Rawe

2007-09-04, 16:23

Hello and welcome aboard :)

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

------

Please download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop:
Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

General_Slaye

2007-09-04, 17:04

Ok, done.

Here is the new log:

ComboFix 07-08-30.3 - "Lee" 2007-09-04 14:47:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222 [GMT 1:00]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ALLUSE~1\APPLIC~1\DriveCleaner
C:\WINDOWS\system32\ddcdbyw.dll
C:\WINDOWS\system32\ljjkjjk.dll
C:\WINDOWS\system32\ullypxrr.exe

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))

2007-09-04 14:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-04 14:40 <DIR> d-------- C:\DOCUME~1\Lee\Shared
2007-09-04 14:40 <DIR> d-------- C:\DOCUME~1\Lee\Incomplete
2007-09-04 14:40 <DIR> d-------- C:\DOCUME~1\Lee\APPLIC~1\LimeWire
2007-09-04 13:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-04 13:51 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner
2007-09-04 13:50 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-09-04 13:50 6,144 --a------ C:\WINDOWS\system32\daila.exe
2007-09-04 13:50 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-09-04 13:44 <DIR> d-------- C:\Program Files\LimeWire
2007-09-04 13:31 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-04 13:31 <DIR> d-------- C:\Program Files\Netscape
2007-09-04 13:31 <DIR> d-------- C:\DOCUME~1\Lee\APPLIC~1\Netscape
2007-09-04 11:16 <DIR> d-------- C:\DOCUME~1\Lee\.housecall6.6
2007-09-04 11:05 980,133 --ahs---- C:\WINDOWS\system32\ggfhk.bak2
2007-09-03 21:21 6,448 --ahs---- C:\WINDOWS\system32\ggfhk.bak1
2007-09-03 21:21 244,832 --a------ C:\WINDOWS\system32\khfgg.dll
2007-09-03 14:13 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-02 21:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-09-02 21:30 476,752 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\pswi_preloaded.exe
2007-09-02 21:30 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-09-02 21:06 <DIR> d-------- C:\DOCUME~1\Lee\APPLIC~1\Corel
2007-09-02 21:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
2007-09-02 20:58 88 -r-hs---- C:\WINDOWS\system32\756DBBB37E.sys
2007-09-02 20:57 <DIR> d-------- C:\Program Files\Corel
2007-09-02 20:56 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-09-02 12:05 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-09-02 00:12 56 -r-hs---- C:\WINDOWS\system32\7EB3BB6D75.sys
2007-09-02 00:12 4,704 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-02 00:11 <DIR> d-------- C:\Program Files\Enterbrain
2007-09-02 00:10 <DIR> d-------- C:\Program Files\Common Files\Enterbrain
2007-09-02 00:10 <DIR> d-------- C:\DOCUME~1\Lee\APPLIC~1\WinRAR
2007-09-01 18:23 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-09-01 18:23 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-09-01 18:23 <DIR> d-------- C:\Program Files\QuickTime
2007-09-01 18:21 <DIR> d-------- C:\Program Files\Bonjour
2007-09-01 18:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-30 23:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-30 20:03 <DIR> d-------- C:\Program Files\Windows SteadyState
2007-08-30 19:01 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-30 18:43 <DIR> d-------- C:\Program Files\MSBuild
2007-08-30 18:34 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-08-30 18:34 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-08-30 18:33 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-08-30 18:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-30 18:32 <DIR> d-------- C:\8b34075176c98cd7e0d60fb5
2007-08-30 18:30 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-30 18:30 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-30 18:21 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-08-30 18:19 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-08-30 18:19 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-08-30 18:19 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-08-30 16:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-08-30 16:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-30 16:46 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-30 16:38 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents
2007-08-30 16:30 <DIR> d-------- C:\Program Files\Windows Live
2007-08-30 16:30 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-08-30 16:30 <DIR> d-------- C:\DOCUME~1\Lee\Contacts
2007-08-30 16:29 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-30 16:29 <DIR> d-------- C:\Program Files\MSN Messenger
2007-08-30 16:25 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-30 16:25 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-30 16:08 <DIR> d--hs---- C:\DOCUME~1\Lee\UserData
2007-08-30 15:57 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-08-30 15:54 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1\DRM
2007-08-30 15:53 99,840 --a--c--- C:\WINDOWS\system32\dllcache\helphost.exe
2007-08-30 15:53 6,656 --a--c--- C:\WINDOWS\system32\dllcache\hcappres.dll
2007-08-30 15:53 47,104 --a--c--- C:\WINDOWS\system32\dllcache\srdiag.exe
2007-08-30 15:53 35,328 --a--c--- C:\WINDOWS\system32\dllcache\notiflag.exe
2007-08-30 15:53 28,160 --a--c--- C:\WINDOWS\system32\dllcache\msoobe.exe
2007-08-30 15:53 21,504 --a--c--- C:\WINDOWS\system32\dllcache\brpinfo.dll
2007-08-30 15:53 11,264 --a--c--- C:\WINDOWS\system32\dllcache\atrace.dll
2007-08-30 15:53 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2007-08-30 15:51 21,640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-22 09:16 96,384 --a------ C:\WINDOWS\system32\drivers\Rtnicxp.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98A89770-7632-4D1B-AE4B-807CFB8AD233}]
2007-09-03 21:21 244832 --a------ C:\WINDOWS\system32\khfgg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-30 16:25]
"Bubble"="C:\Program Files\Windows SteadyState\Bubble.exe" [2007-06-05 15:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\khfgg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windows SteadyState]
@="Service"

R2 Windows SteadyState;Windows SteadyState Service;"C:\Program Files\Windows SteadyState\SCTSvc.exe"

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 14:57:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-04 15:00:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-04 15:00

--- E O F ---

Rawe

2007-09-04, 17:16

Open notepad and copy/paste the text in the quotebox into it

File::
C:\WINDOWS\system32\daila.exe
C:\WINDOWS\system32\ggfhk.bak2
C:\WINDOWS\system32\ggfhk.bak1
C:\WINDOWS\system32\khfgg.dll

Folder::
C:\Program Files\Common Files\DriveCleaner

Dirlook::
C:\DOCUME~1\Lee\Incomplete

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98A89770-7632-4D1B-AE4B-807CFB8AD233}]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Save it as CFScript.txt on your desktop.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. :)

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

General_Slaye

2007-09-04, 20:21

Hi

I done exactly what you told me in the previous post but as my computer was restarting, it wouldn't go back to windows no more. Before the login screen would appear, an error message keep coming up saying that there is a missing object called lsass.exe, everytime I click ok, it would restart my computer and try coming back to windows only to keep encountering that message. I ended up doing a quick repair for my Windows XP installation but that error again interupted the whole installation. I had to do a fresh Windows XP installation in the end though...However everything is like back to normal but thanks for the help though.

Rawe

2007-09-05, 17:29

That was my mistake :sad:

I should have doublechecked my regfix.... However, good to hear you got it sorted.. Sorry for the way it went. My bad.

Here's some tips for future to prevent spyware:

Detect and Remove Programs:
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. It also has immunization and realtime protection included.
Prevention Programs:
Comodo BOClean (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definitely a must have. Two good free versions are Kerio Personal Firewall (http://www.kerio.com/us/kpf_download.html) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp). (Note to only use 1 at-the-time)
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/).
And also see TonyKlein's good advice:
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html)