Good Ole' Torpig



HexuallyFrustrated
2008-03-02, 02:37
Heya, Good People.
My wife's computer is infected with Torpig.
I've tried a few things I've read on removing it that I'd found in these forums, but no success. It keeps coming back.
Anyway, contacting you from her computer, in Safe Mode with networking after having removed the standard two Torpig entries that Spybot found.

Here is the Kaspersky log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 26, 2008 5:28:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/02/2008
Kaspersky Anti-Virus database records: 582237
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 56874
Number of viruses found: 2
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 01:05:40

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\ELIZABETH\Application Data\Mozilla\Firefox\Profiles\7q2odeaw.pook\cert8.db Object is locked skipped
C:\Documents and Settings\ELIZABETH\Application Data\Mozilla\Firefox\Profiles\7q2odeaw.pook\history.dat Object is locked skipped
C:\Documents and Settings\ELIZABETH\Application Data\Mozilla\Firefox\Profiles\7q2odeaw.pook\key3.db Object is locked skipped
C:\Documents and Settings\ELIZABETH\Application Data\Mozilla\Firefox\Profiles\7q2odeaw.pook\parent.lock Object is locked skipped
C:\Documents and Settings\ELIZABETH\Application Data\Mozilla\Firefox\Profiles\7q2odeaw.pook\search.sqlite Object is locked skipped
C:\Documents and Settings\ELIZABETH\Application Data\Mozilla\Firefox\Profiles\7q2odeaw.pook\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\ELIZABETH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-33453e50.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\ELIZABETH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-33453e50.zip ZIP: infected - 1 skipped
C:\Documents and Settings\ELIZABETH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-39852f59.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\ELIZABETH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-39852f59.zip ZIP: infected - 1 skipped
C:\Documents and Settings\ELIZABETH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-2a5b79fe.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\ELIZABETH\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-2a5b79fe.zip ZIP: infected - 1 skipped
C:\Documents and Settings\ELIZABETH\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ELIZABETH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ELIZABETH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ELIZABETH\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q2odeaw.pook\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\ELIZABETH\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q2odeaw.pook\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\ELIZABETH\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q2odeaw.pook\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\ELIZABETH\Local Settings\Application Data\Mozilla\Firefox\Profiles\7q2odeaw.pook\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\ELIZABETH\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ELIZABETH\Local Settings\History\History.IE5\MSHist012008022620080227\index.dat Object is locked skipped
C:\Documents and Settings\ELIZABETH\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ELIZABETH\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ELIZABETH\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Infected: Trojan-PSW.Win32.Sinowal.gj skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Infected: Trojan-PSW.Win32.Sinowal.gj skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP464\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB822624$\hal.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\MEMORY.DMP Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

Scan process completed.



And the HJT log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:56 PM, on 2/26/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2\bin\jusched.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe

--
End of file - 6859 bytes



Any and all help is appreciated to eliminate this evil little thinger.

pskelley
2008-03-02, 16:31
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Sorry to be the bearer of bad news, and if we proceed beyond this point you must read and follow all directions which are posted above and pinned to the top of the forum, including this one:

All logs should be copy/pasted into topic and not attached unless requested by helper in that format.
I must also say this trojan is not showing in the HJT log because you are not running in Normal Mode. I am basing this on what you report and the Kaspersky scan results.

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll ------> Trojan-PSW.Win32.Sinowal.gj skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll ------> Trojan-PSW.Win32.Sinowal.gj skipped

http://www.threatexpert.com/report.aspx?uid=527ec3ea-e912-4e3e-87a6-de2a17860dbd

Threat characteristics of Mebroot (aka Mbroot/StealthMBR), a backdoor trojan that overwrites the Master Boot Record (MBR) of the hard disk and uses rootkit techniques to hide itself.
Contains characteristics of an identified security risk.

A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)
In light of this information, you need to know this:

You're infected, one or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Let us know what you have decided to do in your next post.

Thanks

HexuallyFrustrated
2008-03-03, 03:40
Thanks for responding, pskelley.
I'm posting from another computer after having changed the forum password.


Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.


I have read that post and do understand any action taken by me is at my own risk.



Sorry to be the bearer of bad news, and if we proceed beyond this point you must read and follow all directions which are posted above and pinned to the top of the forum, including this one:

I'm sorry if I posted them in the incorrect format. I copied and pasted the logs directly from notepad without the word wrap on. I used the 'code' tags because they'd seem easier to read and I had seen them used before. Should I have not used the tags?



I must also say this trojan is not showing in the HJT log because you are not running in Normal Mode.

Understood. I'm not sure how I would've changed the modes. Is there a way to change the mode back? I can rescan and post another log if I can change it to normal mode.



I am basing this on what you report and the Kaspersky scan results.

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll ------> Trojan-PSW.Win32.Sinowal.gj skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll ------> Trojan-PSW.Win32.Sinowal.gj skipped

http://www.threatexpert.com/report.aspx?uid=527ec3ea-e912-4e3e-87a6-de2a17860dbd

In light of this information, you need to know this:

You're infected, one or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Let us know what you have decided to do in your next post.

Thanks

Thank you for looking into this. It doesn't look good, eh? I've told my wife to report possible identity theft to her creditors. We'll go ahead and put monitoring flags on all three credit agencies.

Some questions:

-If I'm understanding you, a rootkit has possibly buried itself in the drive system and, if that's the case, there is no other method for removal other than reformatting the drive and reinstalling the software from scratch. Is this correct?

-If this is the case, is there any possible way to retrieve photos off of the drive safely (without infecting the computer we transfer them to)?

-Will reformatting remove the root kit with 100% certainty?

-Does safe mode with networking prevent any data transfer between the keylogger/rootkit and the thief or is the computer just as vulnerable in that state as the normal XP mode?

Again, if you need me to post an updated normal-mode HJT log, let me know how to put it into normal mode and I'll do that.

It's looking like we may reformat, but I'm holding off until I hear from you about the HJT log.
Thanks again for the help.

pskelley
2008-03-03, 13:20
Thanks for the feedback, I will try to answer your questions, but first will say the "Before you Post" describes what is required, and I believe the links I posted do a fair job of answering most questions you should have.

1) I have no way of knowing, to my knowledge it would take a forensic expert to detect stuff that can be hidden. There are tools that can be run, but none of them will assure you that something can not be missed.
http://www.google.com/search?hl=en&q=how+are+rootkits+hidden&btnG=Google+Search

2) I don't believe you should have a problem with photos, not a format that normally gets infected. I use AVG by Grisoft and just ran a scan of all of my photos and it was clean. I will post information below that may answer the question better than I have.

3) To my knowledge, running in safe mode with network support does not prevent data from being transferred.

4) When you restart your computer it should start in Normal Mode, I do not need to see additional logs unless you decide to clean the infection, all logs should be copy/pasted to the topic as described in the "Before you Post" Instructions.

Here is information that may help with questions, and I apologize that I am a lowly malware remover and not a forensic expert.

http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

A few other resources, many are available via a Google search:
http://kb.iu.edu/data/arrg.html
http://www.aurcity.com/compdocs/spyware.asp

Hope this information helps...

Thanks...Phil

HexuallyFrustrated
2008-03-04, 21:16
Hope this information helps...

Thanks...Phil

It did indeed. We'll transfer the pics and reformat. If anything comes up on the Kaspersky logs or Spybot after that, I'll start a new thread.

I really appreciate the time and help, Phil. 'Lowly' malware remover or not, you really helped us.

pskelley
2008-03-04, 21:18
Thanks for the feedback, here is information that should help in the future.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.