Multiple problems, begining with CLICK ME! an evil program

[pablonice]

Hi,

I've been running my computer in safe mode for almost 6 months now. Just realized that I could do this. My problem is that I have a program on my computer thats called "Click Me." When I have the computer in regular mode and connect to the Internet this program charges 100s of dollars to my telephone account. So its really bad. As well, I have tried everything to get rid of it, but it reinstalls somehow every time I remove it. So, I'm writing hoping someone here can help.

I have read the instructions and tried to follow them the best I could. However, because I can't connect to the Internet with my computer in normal mode, I couldn't do several of the steps. However, I have:

1. ran the scanners (adware etc) with computer in normal mode
2. couldn’t do the antivirus online scan (because of aforementioned problem)
3. uninstalled all programs in Steps 3 and 4 present in normal mode
4. I believe the operating system is updated.

So, I think all I have to do is now paste my hijack file here. So I'll do that. If I've done something wrong, please let me know.

Thanks in advance for your help.

Brian


Logfile of HijackThis v1.99.1
Scan saved at 6:07:55 PM, on 5/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\hij\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\cmdex.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TkBellExee] C:\WINDOWS\realschd.exe
O4 - HKLM\..\Run: [supernews12] C:\WINDOWS\newsd32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Brian\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\temp532.exe -N
O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemik32.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] C:\WINDOWS\gcasServ.exe /i
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\mexico.exe -N
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] csrssp.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/82/html/gtdownlr.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\Program Files\IOGear\ION\IoctlSvc.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

[alba]

Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.


We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

regards
alba

[pablonice]

thanks alba. i appreciate your help.

[alba]

Hello Brian

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


You have multiple infections we will tackle these over a couple of runs, We will tackle the dialler problem first so that you can go back online in normal mode If you connect to the Internet in safe mode you have no antivirus protection

=================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

=================

Download About Buster 6.0 and unzip it to your desktop.

=================

Download Brute Force Uninstaller.
Unzip it to it's own folder (c:\BFU)


RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Derbiz Remover. Save it in the folder you made earlier (c:\BFU)

=================
Download LQfix.exe and place it on your desktop.

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


STAY IN SAFE MODE

=================

Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute copy and paste c:\bfuderbiz.bfu
Press execute and let it do it's job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

=================

• Doubleclick LQfix.exe and click install.
• Leave the default settings. If you change them, the fix will fail.
• Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
• Follow the prompts on the screen.
• Your system will reboot afterwards.
• Please be patient after reboot, because there is a script running in the background

===============================================

Next, reboot your computer in SafeMode :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

===============================================

Run AboutBuster 6.0 and select "Begin Removal". Make sure you click "Yes" to every message box that appears.
Restart your computer, and go back into safe mode and run AboutBuster one final time.
=================

Fixing Entries with HijackThis

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\cmdex.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O4 - HKLM\..\Run: [supernews12] C:\WINDOWS\newsd32.exe
O4 - HKLM\..\Run: [TkBellExee] C:\WINDOWS\realschd.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Brian\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] C:\WINDOWS\gcasServ.exe /i
O4 - HKLM\..\RunServices: [NAV Auto Updates] csrssp.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)


Please remember to close all other windows, including browsers then click Fix checked.

===============================================


Deleting Files/Folders

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

• Tick - Show hidden files and folder
• Untick - Hide file extensions for known types
• Untick - Hide protected operating system files

Click Yes to confirm & then click OK


Locate and delete the following files:

• C:\WINDOWS\cmdex.dll
  c:\windows\system\BHOmod.dll
  C:\WINDOWS\newsd32.exe
  C:\WINDOWS\realschd.exe
  C:WINDOWS\sixtypopsix.exe
  C:\WINDOWS\svchst.exe
  C:\WINDOWS\msexploren.exe
  C:\WINDOWS\System32\ezSP_Px.exe
  C:\WINDOWS\System32\tss.exe
  

Search for & delete ... using Start> Search... the following files:

• csrssp.exe
  msnupdateit.exe
  

=================

Purging Temp Folders

Open Start > All Programs > accessories > System tools > Click on Disk Cleanup
Let that run It may take a while to perform the clean up so please be patient

=================

Run Ewido

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• .Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


===============================================


REBOOT TO NORMAL MODE

IMPORTANT!:


Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2) (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it’s also this forums policy that we only address users with a legal copy of Windows XP.... therefore if you can not update Windows XP to SP1 we must stop the cleansing process here.

**Note** If you're having trouble locating the service pack SP1a here is a direct link to download it from..

http://download.microsoft.com/downlo...p1a_en_x86.exe


Thank you for your cooperation.

===============================================

Running Additional Scanners

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
• Click on see report. Then click Save report

=================

Please Run a scan with HiJackThis and save the log

===============================================

In your next post, please include fresh logs from:

1. Ab LogFile.txt
2. Ewido
3. Online scan
4. HiJackThis

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[pablonice]

Alba,

I've finished following the instructions. The only thing of note to report is that after running About Buster and when exiting the program I got a pop-up message that read:

run time error 339
Compenent 'comctl32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.

Other than that I was able to perform the steps without any problems, and the program ("click me") that had been giving me so many problems has not re-installed itself (as far as I can tell).

I can't find the AB log file, but I'm going to cut and paste the others below. Thanks again, Brian

EWIDO

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:10:02 PM, 5/20/2006
+ Report-Checksum: D54829F8

+ Date of database: 6/22/2005
+ Version of scan engine: v3.0

+ Duration: 53 min
+ Scanned Files: 48723
+ Speed: 15.06 Files/Second
+ Infected files: 3
+ Removed files: 3
+ Files put in quarantine: 3
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Brian\Cookies\brian@27356639[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@server.iad.liveperson[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End


ACTIVESCAN


Incidencia Estado Elemento

Dialer:Dialer.B No desinfectado C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
Dialer:dialer.xd No desinfectado c:\documents and settings\all users\start menu\For your eyes only.lnk
Dialer:dialer.xe No desinfectado C:\Documents and Settings\Brian\Start Menu\Click Me.lnk
Dialer:dialer.baj No desinfectado c:\windows\internt.exe
Spyware:spyware/adclicker No desinfectado c:\windows\usta33.ini
Adware:adware/sahagent No desinfectado c:\windows\system32\SahImages
Dialer:dialer.avv No desinfectado hkey_classes_root\clsid\{2E246FAE-8420-11D9-870D-000C2917DE7F}
Adware:adware/mssearch No desinfectado Registro de Windows
Adware:adware/startpage.mc No desinfectado Registro de Windows
Adware:adware/dyfuca No desinfectado Registro de Windows
Adware:adware/ist.istbar No desinfectado Registro de Windows
Adware:adware/ist.sidefind No desinfectado Registro de Windows
Adware:adware/wazzup No desinfectado Registro de Windows
Adware:adware/exact.bargainbuddy No desinfectado Registro de Windows
Spyware:Cookie/Atlas DMT No desinfectado C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\8yset31t.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Searchportal No desinfectado C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[searchportal.information.com/]
Spyware:Cookie/WUpd No desinfectado C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[.revenue.net/]
Spyware:Cookie/Casalemedia No desinfectado C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Statcounter No desinfectado C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[.statcounter.com/]
Spyware:Cookie/Zedo No desinfectado C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[.zedo.com/]
Spyware:Cookie/Apmebf No desinfectado C:\Documents and Settings\Brian\Cookies\brian@apmebf[2].txt
Spyware:Cookie/Atlas DMT No desinfectado C:\Documents and Settings\Brian\Cookies\brian@atdmt[2].txt
Spyware:Cookie/Bluestreak No desinfectado C:\Documents and Settings\Brian\Cookies\brian@bluestreak[2].txt
Spyware:Cookie/Mediaplex No desinfectado C:\Documents and Settings\Brian\Cookies\brian@mediaplex[1].txt
Spyware:Cookie/2o7 No desinfectado C:\Documents and Settings\Brian\Cookies\brian@microsoftwga.112.2o7[1].txt
Spyware:Cookie/QkSrv No desinfectado C:\Documents and Settings\Brian\Cookies\brian@qksrv[2].txt
Adware:Adware/MediaTickets No desinfectado C:\hij\backups\backup-20060520-160309-237.inf
Dialer:Dialer.ABR No desinfectado C:\hij\backups\backup-20060520-160309-989.inf
Adware:Adware/PurityScan No desinfectado C:\hij\backups\backup-20060520-160310-438.inf
Virus:Trj/KillAV.CX Desinfectado C:\WINDOWS\1.cmd
Virus:Trj/Downloader.BWZ Desinfectado C:\WINDOWS\blankpage.html
Dialer:Dialer.Gen No desinfectado C:\WINDOWS\switchagreement.txt
Spyware:Cookie/Gaytrafficbroker No desinfectado C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\gr3fwi9x.slt\cookies.txt[gaytrafficbroker.com/]
Spyware:Cookie/Outster No desinfectado C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\gr3fwi9x.slt\cookies.txt[.outster.com/]
Spyware:Cookie/SexList No desinfectado C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\gr3fwi9x.slt\cookies.txt[.sexlist.com/]


HIJACK THIS
Logfile of HijackThis v1.99.1
Scan saved at 8:15:32 PM, on 5/20/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Toshiba\ivp\netint\netint.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hij\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\temp532.exe -N
O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\mexico.exe -N
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/82/html/gtdownlr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C438C2FE-42BC-4970-B28E-F28EFB24FBC3}: NameServer = 200.52.12.131 200.52.12.132
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\Program Files\IOGear\ION\IoctlSvc.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

[alba]

Hi Brian

IF You don not update your system you will become reinfected again

IMPORTANT!:


Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2) (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it’s also this forums policy that we only address users with a legal copy of Windows XP.... therefore if you can not update Windows XP to SP1 we must stop the cleansing process here.

**Note** If you're having trouble locating the service pack SP1a here is a direct link to download it from..

http://download.microsoft.com/downlo...p1a_en_x86.exe


Thank you for your cooperation.

alba

[pablonice]

hi alba,

sorry about that. since my computer d/ls updates automatically i supposed that it already had everything.

so i went back a started again at the step when you d/l the security package and then preceeding through the rest of the steps. thus the ewido log is the same as last time, but the panda and hijack logs reflect the security update.

i hope i followed the instructions correctly this time. thanks again for your help.

brian


EWIDO
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:10:02 PM, 5/20/2006
+ Report-Checksum: D54829F8

+ Date of database: 6/22/2005
+ Version of scan engine: v3.0

+ Duration: 53 min
+ Scanned Files: 48723
+ Speed: 15.06 Files/Second
+ Infected files: 3
+ Removed files: 3
+ Files put in quarantine: 3
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Brian\Cookies\brian@27356639[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@server.iad.liveperson[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

PANDA


Incident Status Location

Dialer:Dialer.B Not disinfected C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
Dialer:dialer.xd Not disinfected c:\documents and settings\all users\start menu\For your eyes only.lnk
Dialer:dialer.xe Not disinfected C:\Documents and Settings\Brian\Start Menu\Click Me.lnk
Dialer:dialer.baj Not disinfected c:\windows\internt.exe
Spyware:spyware/adclicker Not disinfected c:\windows\usta33.ini
Adware:adware/sahagent Not disinfected c:\windows\system32\SahImages
Dialer:dialer.avv Not disinfected hkey_classes_root\clsid\{2E246FAE-8420-11D9-870D-000C2917DE7F}
Adware:adware/mssearch Not disinfected Windows Registry
Adware:adware/startpage.mc Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:adware/wazzup Not disinfected Windows Registry
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\8yset31t.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[searchportal.information.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[.revenue.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[.statcounter.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[.zedo.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Brian\Cookies\brian@microsoftwga.112.2o7[1].txt
Adware:Adware/MediaTickets Not disinfected C:\hij\backups\backup-20060520-160309-237.inf
Dialer:Dialer.ABR Not disinfected C:\hij\backups\backup-20060520-160309-989.inf
Adware:Adware/PurityScan Not disinfected C:\hij\backups\backup-20060520-160310-438.inf
Dialer:Dialer.Gen Not disinfected C:\WINDOWS\switchagreement.txt
Spyware:Cookie/Gaytrafficbroker Not disinfected C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\gr3fwi9x.slt\cookies.txt[gaytrafficbroker.com/]
Spyware:Cookie/Outster Not disinfected C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\gr3fwi9x.slt\cookies.txt[.outster.com/]
Spyware:Cookie/SexList Not disinfected C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\gr3fwi9x.slt\cookies.txt[.sexlist.com/]

HIJACK

Logfile of HijackThis v1.99.1
Scan saved at 12:54:50 PM, on 5/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\hij\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\temp532.exe -N
O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\mexico.exe -N
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/82/html/gtdownlr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C438C2FE-42BC-4970-B28E-F28EFB24FBC3}: NameServer = 200.52.12.131 200.52.12.132
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\Program Files\IOGear\ION\IoctlSvc.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

[alba]

Hello brian
No worries, could you tell me if your able to update your antivirus definitions

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.


=================

Download CCleaner - and Install it.
*Note* On the install please uncheck the option "Add CCleaner Yahoo toolbar and use CCleaner from within IE"
================

Please download The latest version ofEwido Anti-Malware

• Install ewido anti-malware
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Double-click the icon on Desktop to launch Ewido
• The program will now open to the main screen.
• When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update.
• Then click on Start Update.
• The update will start and a progress bar will show the updates being installed.
  (the status bar at the bottom will display ("Update successful")
• Exit Ewido, do not run the scan yet!

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

=================

Download this ISTbar Removal Tool and run it.

=================

Download this FxNetOpt
and run it.

===============================================

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

==============================================

Next, reboot your computer in SafeMode :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

=================

Fixing Entries with HijackThis

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\temp532.exe -N
O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\mexico.exe -N



Please remember to close all other windows, including browsers then click Fix checked.

===============================================


Deleting Files/Folders

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

• Tick - Show hidden files and folder
• Untick - Hide file extensions for known types
• Untick - Hide protected operating system files

Click Yes to confirm & then click OK

Locate and delete the following folders, if present:

• C:\Program Files\Linksys
  c:\windows\system32\SahImages
  

Locate and delete the following files:

• c:\documents and settings\all users\start menu\For your eyes only.lnk
  C:\Documents and Settings\Brian\Start Menu\Click Me.lnk
  c:\windows\internt.exe
  c:\windows\usta33.ini
  C:\WINDOWS\switchagreement.txt
  C:\WINDOWS\System32\temp532.exe
  C:\WINDOWS\System32\mexico.exe
  

Search for & delete ... using Start> Search... the following files:

• msnupdateit.exe

---Did you search and find this last time, if found please give me the full path of where

=================

Run CCleaner
1. Open the program and the "Cleaner" button should be active.
2. Click on "Run Cleaner"
3. Once thats done it will clean out the TEMP folder.
4. Now click on "Issues" and then "Scan for Issues"
5. Once it's done checkmark ALL it finds and click "Fix Selected Issues"
6. It will ask you if you want to back up the registry entrys it's removing so please do so. If it removes anything important..just locate the .reg file you saved...double click on it to add the entrys back.

Close the program.

=================

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• .Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

=================

Please download the file attached - AlbaFix.zip
From within AlbaFix.zip, doubleclick AlbaFix.reg & allow it to merge with the Registry

===============================================

REBOOT TO NORMAL MODE


Running Additional Scanners
Establish an internet connection & perform an online scan with Internet Explorer with Panda ActiveScan

1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

=================

Please Run a scan with HiJackThis and save the log

===============================================

In your next post, please include fresh logs from:

1. Ewido
2. Online scan
3. HiJackThis

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves no

[pablonice]

hi alba,

i should be able to update my virus definitions. did you have a particular program in mind, or is that part of this fix?

in any case, i should have time tomorrow to take care of everything. i'll let you know once i finish.

thanks,
brian

[alba]

I just wanted to be sure after you ran this fix that Nortons was working ok

[pablonice]

hi alba,

i'm running into a problem with the reg file. everything else went smoothly but when i tried to incorporate the albafix file it gave me the following error message:

Cannot import
Not a registery script. You can only import binary registrey files from within the registry editor.

Any ideas?

[alba]

hi ya

Thats OK just carry on with the rest of the fix and we will sort that problem later

alba

[pablonice]

hi alba,

okay. i finished the process. here are the logs

EWIDO
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:48:01 AM, 5/25/2006
+ Report-Checksum: 447BEDA

+ Scan result:

HKLM\SOFTWARE\Classes\WEBInstaller.CExecute -> Adware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute\CLSID -> Adware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute\CurVer -> Adware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute.1 -> Adware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\salm -> Adware.180Solutions : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\salm -> Adware.180Solutions : Cleaned with backup
C:\WINDOWS\svchos1at.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\system32\70tovmto.ini -> Adware.Sahat : Cleaned with backup
:mozilla.12:C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\gr3fwi9x.slt\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup


::Report End

ACTIVE SCAN


Incident Status Location

Adware:adware/wazzup Not disinfected Windows Registry
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\ltwlb12l.slt\cookies.txt[.as-us.falkag.net/]
Adware:Adware/MediaTickets Not disinfected C:\hij\backups\backup-20060520-160309-237.inf
Dialer:Dialer.ABR Not disinfected C:\hij\backups\backup-20060520-160309-989.inf
Adware:Adware/PurityScan Not disinfected C:\hij\backups\backup-20060520-160310-438.inf
Spyware:Cookie/Gaytrafficbroker Not disinfected C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\gr3fwi9x.slt\cookies.txt[gaytrafficbroker.com/]
Spyware:Cookie/Outster Not disinfected C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\gr3fwi9x.slt\cookies.txt[.outster.com/]

HIJACK THIS

Logfile of HijackThis v1.99.1
Scan saved at 8:17:09 PM, on 5/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\hij\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/82/html/gtdownlr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C438C2FE-42BC-4970-B28E-F28EFB24FBC3}: NameServer = 200.52.12.131 200.52.12.132
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\Program Files\IOGear\ION\IoctlSvc.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

[alba]

Hi Brian

The updated Ewido and Microsoft security updates make a big difference in keeping your pc free from infection
Please do the following,

Open Mozilla Firefox and go to

• Click on Tools
• Click on Options
• Click on Privacy
• Click on Clear for Cookies and Cache

Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
   Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
   
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
4. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
   
   
   
5. Microsoft Windows Update
   Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
6. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
   
   
   
7. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
  
  
• SpywareGuard to catch and block spyware before it can execute.
  
  
• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

[pablonice]

thanks alba. i really appreciated your help.

brian