Many Trojan Horses



LeoBloom
2006-08-07, 17:44
System: Windows XP Service Pack 2
Browsers: IE 6 and Firefox 1.5.0.6
Antivirus and AntiMalware: Avast! version 4.7 Home Edition; Spybot 1.4; Ad-aware (latest version)


I was browsing the internet (Firefox) and downloaded a file called win32.exe, which I thought meant that the software ran on Windows as opposed to Mac or something. I clicked it and nothing visually seemed to happen. So I tried to open Task Manager, and it said that "The Task Manager has been disabled by the system administrator." The computer also started to run a little sluggish. I ran my antivirus at bootup and it found a couple of trojans, the names of which I cannot remember. After that it booted up the PC but most of the problems were still there, with the exception of random IE windows opening linking to porn sites. I decided to run Spybot and it gave me a couple of spyware entries ranging from CoolWWWSearch to TaskManager being disabled in the Registry. Spybot said that it fixed all the entries it found.

Up to this point, I deleted a couple of files which I knew to be part of the virus/malware. These included spoolsvv.exe, msrdursc.exe, artm_new.dll (this one keeps coming back), aspi62158.exe and others which I think are generated by a random number generator. I've also cleaned out all the temp files in Documents and Settings and WINDOWS (I left the History, Cookies and other system-related folders intact, while deleting their contents). Right now, there is a process in the Processes tab of Task Manager called iexplore.exe. When I delete the process, it comes right back. As opposed to the real iexplore.exe process, which is about 30,000 KB of memory, this one is only 2,000 KB. If I try to remove the process in Spybot, it says that "The path 'iexplore.exe' does not exist or is not a directory." Internet Explorer itself is really slow after I caught the virus yesterday.

Logfile of HijackThis v1.99.1
Scan saved at 11:44:01 AM, on 8/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HOTTPR~1.0\HOTTPR~1.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Shonie\My Documents\refreshlock\RefreshLock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shonie\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [RefreshLock] C:\Documents and Settings\Shonie\My Documents\refreshlock\RefreshLock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WinColor.lnk = C:\Program Files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131678452703
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.adoramapix.com/components/ImageUploader3.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EC37B9A-57BA-4AE9-83B2-2242652BDEAA}: NameServer = 167.206.3.207,167.206.3.141
O20 - AppInit_DLLs: wmspfsus.dll lprhwmpl.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi65158.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

Thanks
LeoBloom

LeoBloom
2006-08-07, 19:07
Incident Status Location

Adware:adware/savenow Not disinfected c:\program files\Save
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/ist.sidefind Not disinfected Windows Registry
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[.com.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[.go.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[.mp3search.ru/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[.target.com/]
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[c.goclick.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[server.iad.liveperson.net/hc/12511569]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[server.iad.liveperson.net/hc/80570461]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[server.iad.liveperson.net/hc/89178482]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt[server.iad.liveperson.net/hc/LPneimanmarcus]

shelf life
2006-08-08, 01:52
hi LeoBloom,

first we will use hjt then boot to safe mode to look for and delete a file or two. first do this:

For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types", click apply to all folders, apply, then OK
-------------------------------------
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F2 - REG:system.ini: Shell=

O20 - AppInit_DLLs: wmspfsus.dll lprhwmpl.dll

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
-----------------------------------------
might want to copy/paste the rest of this into notepad and save it somewhere so you can read it in safe mode

now boot into safe mode. you reach safe mode by tapping the F8 key during a computer reboot. choose the first option, safe mode.

next:
look here > C:\Documents and Settings\All Users\Documents\Settings
and see if you can find and delete this file: artm_new.dll

look here > c:\program files and delete the entire Save folder

also in safe mode run your antivirus and spybot search and destroy
---------------------------------------------
reboot normally, go out and grab the 30-day version of ewido anti-malware:
* Install Ewido Anti-Malware

http://download.ewido.net/ewido-setup.exe

* Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

* On the top of the main screen click Shield
* Click the word active to change it to inactive
* On the top of the main screen click Update.
* Then click on Start Update. The update will start and a progress bar will show the updates being installed.

If you are having problems with the updater, you can use this link to manually update Ewido. When you have finished updating:

* run Ewido.
* Click Scanner
* Click on the Scan tab
* Click Complete System Scan to begin scanning.
* When the scan is complete click Recommended Action and change it to Quarantine
* Then click Apply all actions

Once finished, click the Save report button, then click Save Report As. This will create a text file.

Make sure you know where to find this file again (like on the Desktop).
--------------------------------------------
reboot once after the above, see if things have improved.

shelf life
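As an added example that is not part of the thread (neither poster's code, nor HijackThis's own logic): a small Python triage helper that applies the same kind of reasoning shelf life used above to HijackThis log lines. It flags orphaned entries ("no file"), an empty system.ini Shell= value, AppInit_DLLs injection, Winlogon Notify DLLs loaded from outside the system directory, and services whose binary is missing. The sample lines are copied from the log posted in this thread; the category names and the SYSTEM_DIRS list are my own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Finding:
    kind: str    # assumed category name, chosen for this example
    line: str    # the original log line
    reason: str  # why a helper would want to look at it

# Lines quoted from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: wmspfsus.dll lprhwmpl.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi65158.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Assumption: on this XP box a Winlogon Notify DLL is expected under system32.
SYSTEM_DIRS = (r"c:\windows\system32",)

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # headers, process list, blank lines
    code, rest = m.group(1), m.group(2).strip()

    # Any entry whose target no longer exists is dead weight (R3 above).
    if rest.endswith("(no file)"):
        return Finding("orphan", line, "entry points at a file that no longer exists")

    # system.ini Shell= with no value: HJT shows this when the shell key is blanked.
    if code == "F2" and rest.endswith("Shell="):
        return Finding("empty-shell", line, "system.ini Shell value is empty")

    if code == "O20" and rest.startswith("AppInit_DLLs:"):
        dlls = rest.split(":", 1)[1].split()
        if dlls:
            return Finding("appinit", line,
                           "DLL(s) loaded into every user-mode process: " + ", ".join(dlls))

    if code == "O20" and rest.startswith("Winlogon Notify:"):
        path = rest.rsplit(" - ", 1)[1].strip()
        if not path.lower().startswith(SYSTEM_DIRS):
            return Finding("winlogon-notify", line,
                           "Winlogon Notify DLL loaded from outside the system directory")

    # A registered service whose binary is gone is either a leftover or a
    # quoting quirk in the log; either way a helper checks it by hand.
    if code == "O23" and "(file missing)" in rest:
        return Finding("service-missing", line, "service binary not found on disk")

    return None

def triage(log: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f is not None]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line.strip()}")
```

Running it on SAMPLE_LOG reports exactly the four entries shelf life asked to fix plus the orphaned aspi65158.exe service, and stays silent on the avast and WgaLogon lines.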

LeoBloom
2006-08-08, 05:20
Hello Shelf Life

HJT removed the first three listings you told me to remove, but didn't do anything to the fourth: artm_new.dll. When the "Fix the checked items" finished, I got this error message:

http://img478.imageshack.us/img478/681/errorsd3.jpg

In safe mode, I noticed a strange thing. My CPU was always at 100% and that process, iexplore.exe, kept appearing and rapidly disappearing in the task manager, with falling and rising memory usage. Also, even in safe mode, I couldn't delete the file artm_new.dll because it said that the file was currently in use. All the ewido scanner could find was tracking cookies (so far, it's still running), while Spybot showed everything to be clean. If ewido finds something else, I will post again, but if it doesn't, I won't.

LeoBloom
2006-08-08, 16:38
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:47:50 PM 8/7/2006

+ Scan result:



C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP762\A0152580.ocx -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0156115.exe -> Downloader.IstBar.er : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155789.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155790.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155791.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155666.exe -> Downloader.Small.cyf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155699.exe -> Downloader.Small.cyf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155787.exe -> Downloader.Small.dht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155788.exe -> Downloader.Small.dht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP774\A0155647.exe -> Downloader.Small.dic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155670.exe -> Downloader.Small.dic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155696.exe -> Downloader.Small.dic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP774\A0155645.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155671.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155695.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155781.exe -> Downloader.Tibs.gu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155794.exe -> Downloader.Tibs.gu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155683.exe -> Logger.EmailSpy.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155785.exe -> Logger.EmailSpy.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155668.exe -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\spoolsvv.exe -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155784.exe -> Proxy.Lager.cg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0155792.exe -> Proxy.Lager.cg : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.43:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.659:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.660:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.726:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.727:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.735:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.736:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.737:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.738:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.739:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.60:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.63:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.568:C:\Documents and Settings\Shonie\Application Data\Mozilla\Firefox\Profiles\pbdyv5cf.default\cookies.txt -> TrackingCookie.Trafic : Cleaned.


::Report end

shelf life
2006-08-08, 23:46
hi LeoBloom,

lets try this. download killbox:

http://www.geekstogo.com/forum/index.php?act=dscript&CODE=showdetails&f_id=2

start killbox, select the Delete on reboot option, then in the address bar type or copy and paste the following one at a time:

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

click on the red X. at the prompt to reboot select YES; at the next prompt to reboot now select NO and continue to copy/paste these two:

C:\WINDOWS\system32\wmspfsus.dll

click on the red X; at the prompt to reboot select yes; at reboot now, no

continue with this one:

C:\WINDOWS\system32\lprhwmpl.dll

at the last prompt to reboot now, this time say yes to reboot computer.
--------------------------------------
after reboot go to one of these for an online scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
check AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest

Kaspersky virus scanner
http://www.kaspersky.com/virusscanner

Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
check Auto Clean.

F-Secure virus scanner
http://support.f-secure.com/enu/home/ols.shtml


eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

shelf life

LeoBloom
2006-08-09, 00:14
Thanks a lot Shelf Life

The virus is completely gone, and I don't have that iexplore.exe anymore.

shelf life
2006-08-09, 00:19
hi LeoBloom,

it's gone? you sure? at least do an online scan or two at one of these:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
check AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest

Kaspersky virus scanner
http://www.kaspersky.com/virusscanner

Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
check Auto Clean.

F-Secure virus scanner
http://support.f-secure.com/enu/home/ols.shtml


eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

LeoBloom
2006-08-09, 02:40
I'm clean. Thanks.

LeoBloom
2006-08-09, 19:07
Actually, all the different anti-virus scans pick up something different every time. Is it best to run them all, or to reinstall Windows completely?

shelf life
2006-08-10, 01:52
hi LeoBloom

one or two should be enough. most malware can be cleaned up -- no need to reinstall windows unless that's what you want to do. it's possible that each might find something different, or a leftover. does the scanner delete or remove the files it finds? does your av on your computer find anything?

it's also possible they are finding it in your restore files. you see in that ewido log all this: C:\System Volume Information\_restore
those are your system restore files. malware can get archived in the restore points

so let's try making new restore points. like this:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn off System Restore. (deletes old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (makes new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

shelf life

LeoBloom
2006-08-10, 01:57
It seems each was detecting leftovers; I turned off my system restore right after I did the ewido scan.

My AV comes out clean, so I guess everything is alright now, thanks.

shelf life
2006-08-13, 19:00
hi LeoBloom,

sorry for delay.


"My AV comes out clean, so I guess everything is alright now"

good. some reference material for you:

Be careful of what you download, and where you download it from. Many programs come bundled with extra software. You may be installing more than you think. Learn more about the program: does it come bundled with other "3rd party" programs? What do the 3rd party programs do? Will they deliver ads? If you search hard enough you can always find a "clean" alternative to any software. Stay away from warez and crack sites. Be careful what you download from file sharing networks. If you are not sure, scan it with your Antivirus app. A small file (in KB) is probably not what you think it is. DO YOU TRUST THE SOURCE? Check this database: Spyware Guide (http://www.spywareguide.com/) or this: Library (http://research.sunbelt-software.com/Browse_Library.cfm) before installing free/shareware.

Make sure you keep your Windows OS current by visiting Windows Update (http://v4.windowsupdate.microsoft.com/en/default.asp)
occasionally to download and install any critical updates and service packs. These patch flaws/bugs that can be exploited.

Adjust your browser settings: change your ActiveX settings in IE. With IE open go to Tools, Internet Options, Security tab. Click on the internet globe, then Custom Level. Set the first option "download signed ActiveX controls" to prompt, the next two to disable. Read more:
Working with Internet Explorer 6 Security (http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx)
Many exploits are directed at Internet Explorer; you don't have to use it. Try a different browser. You can have and use more than one browser on your computer.
Like Firefox (http://www.mozilla.org/products/firefox/).


Install a Firewall: A firewall will help to control what comes in from the internet and what leaves your computer to the internet. Zone Alarm is a free and easy to use firewall that will provide in- and outbound protection. XP firewall doesn't block outbound traffic. It's important to know/learn what routinely needs an internet connection.
Zone Alarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=dbtopnav_zass)
OutPost Lite (http://www.agnitum.com/products/outpostfree/download.php)
Jetico Personal Firewall (http://www.jetico.com/index.htm#/jpfirewall.htm)
Look n Stop (http://www.looknstop.com/En/index2.htm)

Outlook Express with the default settings is not secure. It will run scripts, download images etc., just like a browser, but this was the old Outlook. Service Pack 2 has made huge improvements to Outlook, but just like with Internet Explorer, you don't have to use it.
Try Pegasus E-Mail (http://www.pmail.com/).

Make sure you have and keep updated Antivirus software
Free for home users:
avast! 4 Home Edition Download (http://www.avast.com/eng/free_virus_protectio.html)
AVG free version 7.0 (http://free.grisoft.com/freeweb.php/doc/2/)
AntiVir Personal Edition (http://www.free-av.com/)
Clam Win (http://www.Clamwin.com/component/option,com_frontpage/Itemid,1/)

Download one or two of these, install and update before using: (if these are constantly finding malware, then you need to make changes to your browser and/or your habits)
CounterSpy (http://www.sunbelt-software.com/) Free trial version
Spybot Search and destroy (http://www.safer-networking.org/en/index.html)
Ad-Aware SE Personal edition (http://www.lavasoft.de/)
Microsoft Windows Defender (http://www.microsoft.com/athome/security/spyware/software/default.mspx)
Be careful with spyware "removers and scanners" -- there are many "rogue/suspect" (http://www.spywarewarrior.com/rogue_anti-spyware.htm) programs that "claim to remove" spyware. Check here first.


Anti-Trojan software to fill in the gap:
a2 free (http://www.emsisoft.com/en/software/free/)
Ewido Anti-Spyware (http://www.ewido.net/en/)
Trojan Hunter (http://www.misec.net/)
Tauscan trial version (http://www.agnitum.com/products/tauscan/)

Other programs to consider:
Process Guard (http://www.diamondcs.com.au/processguard/) stop events/processes with user intervention
SpywareBlaster (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49) add security to IE
IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD) adds adware peddlers sites/domains to IE restricted zone
ATF cleaner (W2K,XP only) (http://www.atribune.org/content/view/25/2/) cleans out temp files,history, autoforms etc

Learn More:
Test Your Browser (http://www.jasons-toolbox.com/BrowserSecurity/)
Parasite Free (http://www.doxdesk.com/parasite/prevention.html)
Safe Hex (http://www.claymania.com/safe-hex.html)
Shelf Life's page (http://security-central.us/SafeHex/index.htm)
Browser Security Checkup (http://bcheck.scanit.be/bcheck/)

tashi
2006-08-17, 14:54
As the problem appears to be resolved this topic has been archived. :)

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.