Hello, I am posting to request your valuable time and assistance in fixing a virus on my PC.

BACKGROUND:

I am not completely sure where the virus came from. The infected PC is only used for checking personal and work email, and playing video games (legitimately purchased). I think I may accidently clicked on a banner on a Call of Duty website that launched the virus.

SYMPTOMS:

The first sign of infection was extremely slow PC performance while I was playing Call of Duty Black Ops. I exited the game and found Symantec Antivirus had reported it auto stopped installation of virus Hacktool.Proxy with note of "cleaned by deletion." It should be noted that Spybot tea timer is always on.

MY RESPONSE:

I ran Malware Bytes (during which time 10 additional hacktool.proxy installations were reported to have been stopped by Symantec). The first log from Malware Bytes:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6822

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/10/2011 1:56:15 AM
mbam-log-2011-06-10 (01-56-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 256064
Time elapsed: 2 hour(s), 23 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Nate\local settings\temp\11.tmp (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\12.tmp (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\yvws\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

I restarted the computer, ran the scan again, and got a clean log. I then shut the computer off for several days do to busy work schedule.

Today I turned the computer on and again noticed slow performance, in addition to Internet Explorer going to random websites upon browser close, or when excecuting various google searches. I ran Malware Bytes again, and the scan kept locking up at about 25%. I rebooted in safe mode, deleted everything in C:\Windows\Temp, and ran a Malware Bytes scan inside safe mode with no viruses found. I returned to normal windows, ran scan again, and got this this log:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6895

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/19/2011 2:38:01 PM
mbam-log-2011-06-19 (14-38-01).txt

Scan type: Full scan (C:\|)
Objects scanned: 270386
Time elapsed: 1 hour(s), 2 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\itlpfw32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\itlnfw32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\itlnfw32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\itlpfw32.dll (Trojan.Agent) -> Delete on reboot.

(various Spy Bot searches and Symantec searches during this time were clean)

I then ran the Trend Micro House Call scan and it found two possible viruses. A screen shot of that report is attached.

Recent scans since that time have been clean, but there have still been some odd occurances in internet explorer (search google, click a link, and some odd search engine pops up - but this is completely random). As a precaution I have changed all passwords from a different PC. I am now out of ideas and have come here for your help.

DDS REPORT:

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Nate at 19:58:04 on 2011-06-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2551.1726 [GMT -5:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Real Temp\RealTemp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\nate\startm~1\programs\startup\shortc~1.lnk - c:\real temp\RealTemp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} - hxxps://remote.co.goodhue.mn.us/+CSCOL+/csvrloader32.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264442381203
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A9522C6D-DDCD-458F-87D2-B057B7F2AABD} : DhcpNameServer = 192.168.1.1
Notify: itlntfy - itlnfw32.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2008-5-28 337280]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2008-5-28 54656]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2008-6-24 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2008-6-24 169320]
R2 COMMSB96;COMMSB96;c:\windows\system32\drivers\COMMSB96.sys [2010-8-12 24776]
R2 COMMSBEP;COMMSBEP;c:\windows\system32\drivers\COMMSBEP.sys [2010-8-12 44236]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2008-9-30 1956792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-22 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110619.002\naveng.sys [2011-6-19 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110619.002\navex15.sys [2011-6-19 1542392]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\real temp\WinRing0.sys [2009-10-1 14416]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2008-4-14 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-30 1684736]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-9-30 12672]
S3 RTCore32;RTCore32;c:\program files\msi afterburner\RTCore32.sys [2009-10-18 12088]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2008-9-30 116664]
.
=============== Created Last 30 ================
.
2011-05-27 05:56:31 37863 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\RCS_B-25J_RAF_MkII_for_FSX_Uninstal.exe
2011-05-27 05:12:01 -------- d-----w- c:\program files\Microsoft Games
.
==================== Find3M ====================
.
2011-06-09 19:25:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 09:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 07:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD6400AAKS-00A7B2 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A0776F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a07da10]; MOV EAX, [0x8a07da8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A13FAB8]
3 CLASSPNP[0xB8118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000084[0x8A141948]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A0C9940]
\Driver\atapi[0x8A139728] -> IRP_MJ_CREATE -> 0x8A0776F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A07753B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:58:55.60 ===============

The other log is attached, and I have backed up registry with ERUNT. Thank you greatly for your help and experience!

Hello nate129 and welcome to the Safer Networking.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:


• Please follow all instructions in the order posted
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• If you don't understand something, please don't hesitate to ask for clarification before proceeding
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

I am looking at your log now and will reply with instructions shortly

Satchfan

Hello again nate129

Your log shows that you have a nasty rootkit on your computer.

Run aswMBR

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

double click the aswMBR.exe to run it
click the "Scan" button to start the scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

Thanks

Satchfan

Hello Satchfan, thank you for helping me. I have never heard of a rootkit before, and just read about it on wikipedia. It sounds like some are so bad that re-format is the only option. I hope we can fix this without re-format, but if needed I am prepared to do so.

Here is the log you requested:

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-20 21:19:14
-----------------------------
21:19:14.343 OS Version: Windows 5.1.2600 Service Pack 3
21:19:14.343 Number of processors: 8 586 0x1A05
21:19:14.343 ComputerName: ANTEC UserName: Nate
21:19:16.265 Initialize success
21:21:29.031 AVAST engine defs: 11062002
21:21:38.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
21:21:38.781 Disk 0 Vendor: WDC_WD6400AAKS-00A7B2 01.03B01 Size: 610480MB BusType: 3
21:21:38.781 Device \Driver\atapi -> DriverStartIo 8a08d53b
21:21:40.781 Disk 0 MBR read successfully
21:21:40.781 Disk 0 MBR scan
21:21:40.781 Disk 0 TDL4@MBR code has been found
21:21:40.781 Disk 0 Windows XP default MBR code found via API
21:21:40.781 Disk 0 MBR hidden
21:21:40.781 Disk 0 MBR [TDL4] **ROOTKIT**
21:21:40.781 Disk 0 trace - called modules:
21:21:40.781 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a08d6f0]<<
21:21:40.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a102ab8]
21:21:40.781 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000082[0x8a1279e8]
21:21:40.781 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> [0x8a104d98]
21:21:40.781 \Driver\atapi[0x8a087c98] -> IRP_MJ_CREATE -> 0x8a08d6f0
21:21:42.359 AVAST engine scan C:\WINDOWS
21:31:02.906 AVAST engine scan C:\Documents and Settings\Nate
21:34:07.343 AVAST engine scan C:\Documents and Settings\All Users
21:34:24.250 Scan finished successfully
21:34:51.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Nate\Desktop\MBR.dat"
21:34:51.062 The log file has been saved successfully to "C:\Documents and Settings\Nate\Desktop\aswMBR_6.20.11.txt"

Hi Nate

Hopefully a format won't be necessary.:)

re-Run aswMBR
click Scan
on completion of the scan click the Fix button
http://i944.photobucket.com/albums/ad283/Ninamf/Fix-TDL4.jpg

Save the log as before and post in your next reply

Satchfan

Satchfan, I had to run two scans. I will post both logs. After the first scan completed I clicked "fix" - the program cleaned the MBR, and locked up on the "verifying disinfection" scan. I had to reboot after 10 minutes, complete lock up - mouse moved but all other functions stalled (cntl alt dlt, start button, window moves, etc.). It should also be noted that several hidden files were reported in the first scan, I think these are from a windows update that installed during the scan.

I rebooted and upon entering windows a new never before scene baloon popped up in the lower right task bar, stating windows had removed harmful software. I clicked the baloon and got a report from "microsoft malicious software removal" that "trojan:dos/alureon.A was partially removed, but manual steps were required. Many other virus types were listed below this one, and all those had negative results.

I then ran the aswMBR scan again and it appeared to be clean. The FIX button was not active after the second scan.

Here are the logs.

LOG ONE

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-21 08:29:07
-----------------------------
08:29:07.000 OS Version: Windows 5.1.2600 Service Pack 3
08:29:07.000 Number of processors: 8 586 0x1A05
08:29:07.000 ComputerName: ANTEC UserName: Nate
08:29:10.453 Initialize success
08:29:16.015 AVAST engine defs: 11062002
08:29:21.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
08:29:21.046 Disk 0 Vendor: WDC_WD6400AAKS-00A7B2 01.03B01 Size: 610480MB BusType: 3
08:29:21.046 Device \Driver\atapi -> DriverStartIo 8a07253b
08:29:23.046 Disk 0 MBR read successfully
08:29:23.046 Disk 0 MBR scan
08:29:23.046 Disk 0 TDL4@MBR code has been found
08:29:23.046 Disk 0 Windows XP default MBR code found via API
08:29:23.046 Disk 0 MBR hidden
08:29:23.046 Disk 0 MBR [TDL4] **ROOTKIT**
08:29:23.046 Disk 0 trace - called modules:
08:29:23.046 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a0726f0]<<
08:29:23.046 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a113ab8]
08:29:23.046 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000083[0x8a1519e8]
08:29:23.046 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> [0x8a124d98]
08:29:23.046 \Driver\atapi[0x8a144c98] -> IRP_MJ_CREATE -> 0x8a0726f0
08:29:25.281 AVAST engine scan C:\WINDOWS
08:42:05.265 File: C:\WINDOWS\$NtUninstallKB2476490$\oleaut32.dll **HIDDEN**
08:42:05.328 File: C:\WINDOWS\$NtUninstallKB2476490$\spuninst\spuninst.exe **HIDDEN**
08:42:05.375 File: C:\WINDOWS\$NtUninstallKB2476490$\spuninst\updspapi.dll **HIDDEN**
08:42:05.437 File: C:\WINDOWS\$NtUninstallKB2503665$\afd.sys **HIDDEN**
08:42:05.484 File: C:\WINDOWS\$NtUninstallKB2503665$\spuninst\spuninst.exe **HIDDEN**
08:42:05.515 File: C:\WINDOWS\$NtUninstallKB2503665$\spuninst\updspapi.dll **HIDDEN**
08:42:05.562 File: C:\WINDOWS\$NtUninstallKB2535512$\mup.sys **HIDDEN**
08:42:05.593 File: C:\WINDOWS\$NtUninstallKB2535512$\spuninst\spuninst.exe **HIDDEN**
08:42:05.640 File: C:\WINDOWS\$NtUninstallKB2535512$\spuninst\updspapi.dll **HIDDEN**
08:42:05.703 File: C:\WINDOWS\$NtUninstallKB2536276$\mrxsmb.sys **HIDDEN**
08:42:05.718 File: C:\WINDOWS\$NtUninstallKB2536276$\spuninst\spuninst.exe **HIDDEN**
08:42:05.796 File: C:\WINDOWS\$NtUninstallKB2536276$\spuninst\updspapi.dll **HIDDEN**
08:42:07.515 AVAST engine scan C:\Documents and Settings\Nate
08:45:11.296 AVAST engine scan C:\Documents and Settings\All Users
08:45:28.625 Scan finished successfully
08:48:01.437 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Nate\Desktop\MBR.dat"
08:48:01.437 The log file has been saved successfully to "C:\Documents and Settings\Nate\Desktop\aswMBR_6.21.11

LOG TWO

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-21 09:04:52
-----------------------------
09:04:52.687 OS Version: Windows 5.1.2600 Service Pack 3
09:04:52.687 Number of processors: 8 586 0x1A05
09:04:52.687 ComputerName: ANTEC UserName: Nate
09:04:53.734 Initialize success
09:04:59.078 AVAST engine defs: 11062002
09:05:00.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
09:05:00.796 Disk 0 Vendor: WDC_WD6400AAKS-00A7B2 01.03B01 Size: 610480MB BusType: 3
09:05:02.812 Disk 0 MBR read successfully
09:05:02.812 Disk 0 MBR scan
09:05:02.812 Disk 0 Windows XP default MBR code
09:05:04.812 Disk 0 scanning sectors +1250242560
09:05:04.828 Disk 0 scanning C:\WINDOWS\system32\drivers
09:05:10.781 Service scanning
09:05:11.734 Disk 0 trace - called modules:
09:05:11.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
09:05:11.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a0c9ab8]
09:05:11.734 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000082[0x8a10e9e8]
09:05:11.734 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a134d98]
09:05:13.078 AVAST engine scan C:\WINDOWS
09:16:37.140 AVAST engine scan C:\Documents and Settings\Nate
09:21:28.375 AVAST engine scan C:\Documents and Settings\All Users
09:22:06.875 Scan finished successfully
09:23:02.765 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Nate\Desktop\MBR.dat"
09:23:02.765 The log file has been saved successfully to "C:\Documents and Settings\Nate\Desktop\aswMBR_6.21.11_2.txt"

Thank you again for your continued support!

Nate

Sorry about the delay but I didn’t receive notification of your reply so I’ll keep checking in case that happens again.

It looks like it got rid of one infection.

Download and run ComboFix

Download ComboFix from the following location:

Link (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

When finished, it will produce a log. Please include the ComboFix.txt in your next reply. It can be found at C:\ComboFix.txt

Satchfan

No problem, I am grateful for your help! Here is the log:

ComboFix 11-06-21.08 - Nate 06/22/2011 8:20.2.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2551.1769 [GMT -5:00]
Running from: c:\documents and settings\Nate\Desktop\Utilities\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
.
.
2011-06-19 19:47 . 2011-06-19 19:47 -------- d-----w- c:\program files\Common Files\Java
2011-06-19 18:53 . 2011-06-19 18:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-06-19 15:13 . 2011-06-19 15:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-10 05:37 . 2011-06-10 05:37 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-05-27 05:12 . 2011-05-27 05:12 -------- d-----w- c:\program files\Microsoft Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-09 19:25 . 2011-05-18 03:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 14:11 . 2010-08-05 01:12 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2010-08-05 01:12 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 09:52 . 2010-08-07 01:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 07:25 . 2010-08-07 01:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2009-09-30 20:34 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-14 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]
"WinSys2"="c:\windows\system32\winsys2.exe" [2009-10-13 208896]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Nate\Start Menu\Programs\Startup\
Shortcut to RealTemp.exe.lnk - c:\real temp\RealTemp.exe [2009-10-1 172032]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-2-13 113664]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Capcom\\Bionic Commando Rearmed\\bcr.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty black ops\\BlackOps.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty black ops\\BlackOpsMP.exe"=
.
R2 COMMSB96;COMMSB96;c:\windows\system32\drivers\COMMSB96.sys [8/12/2010 8:03 PM 24776]
R2 COMMSBEP;COMMSBEP;c:\windows\system32\drivers\COMMSBEP.sys [8/12/2010 8:03 PM 44236]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/22/2011 11:20 PM 105592]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\real temp\WinRing0.sys [10/1/2009 12:50 PM 14416]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/30/2009 3:49 PM 1684736]
S3 RTCore32;RTCore32;c:\program files\MSI Afterburner\RTCore32.sys [10/18/2009 8:00 PM 12088]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WINRING0_1_2_0
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-07-30 16:39 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} - hxxps://remote.co.goodhue.mn.us/+CSCOL+/csvrloader32.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
Notify-itlntfy - itlnfw32.dll
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-22 08:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-515967899-725345543-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:41,5e,98,f3,97,1b,58,f7,be,c0,c9,1f,6b,18,bc,42,d7,b0,bd,d1,05,
10,03,0f,b2,36,63,83,f5,7d,62,74,4b,6b,db,ac,6d,eb,17,c7,6c,da,c9,3d,96,fe,\
"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2011-06-22 08:33:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-22 13:33
.
Pre-Run: 515,814,612,992 bytes free
Post-Run: 516,804,210,688 bytes free
.
- - End Of File - - F4D30452A95E8F36912ACACC85E2C53C

Hi Nate

That looks good

Run Malwarebytes’ Anti-Malware

I noticed that you had MBAM on your system: if you no longer have it, you can download it from here (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button):

start Malwarebytes-Anti-Malware and update it, (“Update” tab}
once it is updated, click on “Scanner” tab, select Perform quick scan, then click Scan.
when the scan is complete, click OK, then Show Results to view the results.
be sure that everything is checked, and click Remove Selected.
when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Run Security Check

Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).

save it to your Desktop
double click SecurityCheck.exe and follow the onscreen instructions inside of the black box
a Notepad document should open automatically called checkup.txt; please post the contents of that document .

Please let me know if there are any remaining problems

Thanks

Satchfan

Here you go,

MB quick scan log

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6923

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/23/2011 4:48:09 AM
mbam-log-2011-06-23 (04-48-09).txt

Scan type: Quick scan
Objects scanned: 160475
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Security check log:

Results of screen317's Security Check version 0.99.15
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
Symantec AntiVirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 26
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent
Malwarebytes' Anti-Malware mbam.exe
Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
``````````End of Log````````````

That all looks good;

Any remaining problems?

None noted, speed seems back to normal and no more browswe re-directs ; although to be honest I have not been using this PC much in fear of the trojans and viruses. Do you think it is now safe?

It's all looking good but I think we’ll run an online scan to be sure there are no stragglers and if it’s all clear we can tidy up.

Run ESET Online Scan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan (http://www.eset.com/online-scanner)

click the Eset online Scanner button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop.
double click on the Eset installer icon on your desktop
check Yes, I accept the Terms of Use
click the Start button.
accept any security warnings from your browser.
check Scan archives
push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
when the scan completes, push List of found threats
push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Note - when ESET doesn't find any threats, no report will be created.
push the back button.
push Finish
If a log has been produced post it in your next reply.

Satchfan

Satchfan, no problems found on ESET.

Hello Nate

Your computer appears to be clean.

Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up you computer and decrease the likelihood of getting infected again:

Uninstall Combofix

Follow these steps to uninstall Combofix

click START then RUN
now type Combofix /uninstall in the runbox and click OK

Note the space between the X and the /, it needs to be there.
http://i944.photobucket.com/albums/ad283/Ninamf/WTT/CFuninstall.jpg

please follow the prompts to uninstall Combofix.
once it's finished uninstalling itself you will receive a message saying Combofix was uninstalled successfully.

===================================================

Firewall

You're using the Windows Firewall which is not adequate protection. The main reason you should use a third-party firewall over the Windows XP Firewall is because Windows Firewall only stops incoming signals from accessing your computer. However, it will not stop Outgoing signals (possibly ones that could intrude your privacy) from sending information to the Internet or to other networks. That means if malware happens to compromise your PC again, it will be able to SEND OUT out your credit card data and any other personal information.

I suggest you install a more robust third party firewall that filters both incoming and outgoing traffic.

Download and install one of the following freeware firewalls from below:

Sygate Personal Firewall Free Edition: (http://www.filehippo.com/download_sygate_personal_firewall/)
Zone Alarm Free (http://www.zonealarm.com/security/en-us/free-upgrade-security-suite-zonealarm-firewall-search.htm?cid=W200002&lid=en-gb&source=Google-UK-Brand&medium=Firewall&content=COPYTrustedBy-LPfreefirewall&term=ZoneAlarm%20free&campaign=Brand+FreeFirewall):
Comodo Personal Firewall: (http://www.personalfirewall.comodo.com/)

NOTE: only install one firewall. Having more than one could cause many programs to stop working altogether. Also, the firewalls may get in each other's way and cause some security holes that would not be there with just one firewall.

When you have done that:

Disable Windows firewall: Click on Start, Settings and then Control Panel
Click on the Security Center icon.
Click on the Windows Firewall icon
Click Off (not recommended) and then click OK.
You should take the time to read Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)

===================================================

Recommended programs

SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html). SpywareBlaster protects against bad ActiveX, it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

===================================================

Update and run Malwarebytes. This really is an excellent program that you should update and run on a regular basis, probably weekly.

===================================================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker (http://www.filehippo.com/updatechecker/FHsetup.exe) is an extremely helpful program that will tell you which of your programs need to be updated.

===================================================

MVPS Hosts (http://winhelp2002.mvps.org/hosts.htm) file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

===================================================

I also recommend that you read the following:

How to prevent malware (http://miekiemoes.blogspot.com/2008/02/how-to-prevent-malware.html) by miekiemoes

Safe computing

Satchfan

Thank you, I greatly appreciate your time and knowledge. Its honorable that you are helping strangers with computer problems, some located on the other side of the planet. Keep up the good work!

Sorry for the tardy reply but again received no notification.


Thank you, I greatly appreciate your time and knowledge You are welcome

I will close this thread now.