Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 06-06-2008, 04:37 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 8
OS: win xp pro sp2


Took steps to speed up slow computer but may still have traces of spyware or viruses.

Hi,

I have read the posts regarding fixing slow computers and the 5 steps to take prior to posting here. After taking these steps, my computer sped up a little; however, I noticed some things that make me believe I still have viruses or spyware.

Possible Issues:
I am now running McAfee Total Protection for Small Business. When the computer starts up, I notice that the real-time virus protection is sometimes disabled. I am not sure if a spyware or virus is disabling it. The McAfee firewall also reported a file GLB46.tmp attempting to access the internet.

In looking at the registry items listed in Autoruns, I found at least two items that are tagged by http://www.bleepingcomputer.com/startups/ as potential virus or trojan files. The two files I first noticed are userinit.exe and Explorer.exe. I suspect there are others. I did not want to try to disable or remove these without your assistance.

I have run DSS a few times; however, I noticed that the extra.txt file was only created on the first run. Prior to the first run, I had used msconfig to limit items from loading at startup. After returning msconfig to normal startup and using CCleaner, I have rerun DSS, but no extra.txt file was generated. I will attach the only copy of extra.txt I have. If you need a current version of extra.txt, please let me know how I can have one regenerated.

Thanks in advance!!

Here is the main.txt from DSS:

Deckard's System Scanner v20071014.68
Run by A276BEL on 2008-06-06 14:30:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as A276BEL.exe) ---------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-06 14:32:43
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\OPHALDCS.EXE
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
D:\data\my documents on d\installation\dss.exe
C:\Program Files\Trend Micro\HijackThis\A276BEL.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pc-180-16-215-201.cm.vtr.net:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Internet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O15 - Trusted Zone: *.aaa.com (HKCU)
O15 - Trusted Zone: *.buy.com (HKCU)
O15 - Trusted Zone: *.godaddy.com (HKCU)
O15 - Trusted Zone: *.jabberwock.net (HKCU)
O15 - Trusted Zone: http://jhfunds.com (HKCU)
O15 - Trusted Zone: http://jhnetwork.com (HKCU)
O15 - Trusted Zone: http://jhsalesnet.com (HKCU)
O15 - Trusted Zone: *.nickandelsa.com (HKCU)
O15 - Trusted Zone: https://www.sfnclientfacts.com (HKCU)
O15 - ProtocolDefaults: Unknown 'myui' protocol is in Trusted Zone (HKLM)
O15 - ProtocolDefaults: Unknown 'myrm' protocol is in Trusted Zone (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} () - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113925648917
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} () - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) - https://java.sun.com/update/1.5.0/ji...ndows-i586.cab
O16 - DPF: {9800DFDB-CC8D-48A3-AC45-2C313C5683CE} () - https://www.sfnclientfacts.com/ba32/...oadPicture.CAB
O16 - DPF: {984425BF-82C1-11D6-8152-00B0D026F003} () - http://hub.jhancock.com/mfcentral/co...nchNotesDB.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} () - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} () - http://download.yahoo.com/dl/install...od/yregcfg.cab
O16 - DPF: {B5665C6C-2E8C-4b23-A5B7-B137CF1064EF} () - http://kdx.omn.org/securedelivery/omn/omn.cab
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} () - https://secure-extranet-integ.jhnetw...intControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {DEF7CADC-83C0-11D0-A0F1-00A024703500} (True OLE DBGrid 7 Control) - https://www.sfnclientfacts.com/ba32/Include/todg7.CAB
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - (no file)
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.7.0.538.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\system32\spool\drivers\w32x86\3\OPHALDCS.EXE
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe


--
End of file - 11142 bytes

-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-06 12:28:11 0 dr-h----- C:\Documents and Settings\A276BEL\Recent
2008-06-05 11:36:58 0 d-------- C:\Program Files\Panda Security
2008-06-05 08:18:03 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\VSee
2008-06-04 16:10:32 0 d-------- C:\Program Files\PC Wizard 2008
2008-06-04 15:36:52 0 d-------- C:\Program Files\Trend Micro
2008-05-14 10:01:38 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-14 09:54:51 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-07 23:25:30 0 d-------- C:\Program Files\Bomgar


-- Find3M Report ---------------------------------------------------------------

2008-06-06 11:21:43 0 d-------- C:\Program Files\epson
2008-06-06 11:21:42 0 d-------- C:\Program Files\Google
2008-06-06 11:09:03 0 d-------- C:\Program Files\TweakNow RegCleaner
2008-06-06 10:48:42 0 d-------- C:\Program Files\Yahoo!
2008-06-06 10:37:32 0 d-------- C:\Program Files\JAP
2008-06-06 10:17:05 0 d-------- C:\Program Files\FlashGet
2008-06-06 10:16:31 0 d-------- C:\Program Files\eXtech.net
2008-06-06 10:15:40 0 d-------- C:\Program Files\FileZilla Client
2008-06-06 10:13:38 0 d-------- C:\Program Files\DivX
2008-06-06 08:40:45 0 d-------- C:\Program Files\Common Files
2008-06-05 20:50:23 0 d-------- C:\Program Files\SpywareBlaster
2008-06-05 08:34:22 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-05 08:17:17 0 d-------- C:\Documents and Settings\A276BEL\Application Data\VSee
2008-06-05 08:15:11 0 d-------- C:\Program Files\VSee
2008-06-04 20:16:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-04 20:12:11 0 d-------- C:\Program Files\Common Files\JHIllustrator
2008-06-03 11:14:01 8562 --a------ C:\WINDOWS\mozver.dat
2008-05-29 14:34:11 0 d-------- C:\Documents and Settings\A276BEL\Application Data\SiteAdvisor
2008-05-28 11:20:23 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-22 11:32:20 0 d-------- C:\Program Files\Real
2008-05-22 11:28:53 0 d-------- C:\Program Files\Forecaster
2008-05-22 11:23:19 0 d-------- C:\Program Files\CLEM CHEM 220
2008-05-22 11:22:20 0 d-------- C:\Program Files\Bulk Rename Utility
2008-05-22 11:21:02 0 d-------- C:\Documents and Settings\A276BEL\Application Data\ESTsoft
2008-05-21 18:42:26 0 d-------- C:\Program Files\Star Downloader
2008-05-21 13:42:33 0 d-------- C:\Program Files\WebEx
2008-05-21 13:31:47 0 d-------- C:\Program Files\Skype
2008-05-21 07:37:48 0 d-------- C:\Documents and Settings\A276BEL\Application Data\AdobeUM
2008-05-20 08:12:52 0 d-------- C:\Program Files\SiteAdvisor
2008-04-20 23:56:09 27528 --a------ C:\Documents and Settings\A276BEL\Application Data\GDIPFONTCACHEV1.DAT
2008-04-15 16:10:09 0 d-------- C:\Program Files\MSECache


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [01/22/2008 10:09 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6021\SiteAdv.exe" [02/03/2007 11:25 AM]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [01/22/2008 10:09 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/29/2007 11:08 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [02/16/2005 05:15 PM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [11/11/2005 07:30 PM]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [07/31/2003 02:52 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/20/2004 03:51 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/20/2004 03:55 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [03/20/2006 05:34 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/23/2006 03:45 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/04/2006 01:28 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [10/12/2006 04:10 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
Debugger=C:\data\ProcessExplorerNt\procexp.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- "G:\Install FreeAgent Tools.exe" /run




-- End of Deckard's System Scanner: finished at 2008-06-06 14:34:03 ------------
Attached Files
File Type: txt extra.txt (15.4 KB, 4 views)

Last edited by amateur; 06-10-2008 at 09:38 AM.
jabberwockdb is offline  
Old 06-09-2008, 09:52 PM   #2 (permalink)


Bump.

Needed to repost activescan log.
Attached Files
File Type: txt ActiveScan - removed personal info.txt (22.1 KB, 3 views)

Last edited by amateur; 06-10-2008 at 11:09 AM.
jabberwockdb is offline  
Old 06-13-2008, 06:02 AM   #3 (permalink)


Re: Took steps to speed up slow computer but may still have traces of spyware or viru

Bump.
jabberwockdb is offline  
Old 06-13-2008, 01:22 PM   #4 (permalink)


Are posts triaged based on severity?

Are posts to this forum triaged based on severity?

I don't see a pattern as to why some posts are responded to on the same day versus days, weeks or months later. It has been a week since I first posted. I'm a patient person, but it bothers me that others who have posted after me are getting help sooner. I can only assume others have bigger problems than mine. If that's the case or if my computer looks clean, please let me know.

I thought I followed all the rules and self help before posting, but I still haven't had a response. Did I do something wrong? Can anyone just post a reply?

Thanks
jabberwockdb is offline  
Old 06-14-2008, 12:04 PM   #5 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,391
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: Took steps to speed up slow computer but may still have traces of spyware or viru

Hi,

Bumping your thread multiple times causes your thread to be overlooked. As can be seen in Step 5 of our important-read-before-posting-malware-removal-help sticky, we require that no one bump a thread before 72 hrs have passed, and then, only once. Otherwise, it makes it seem as though it's being handled.

We look for 0 or 1 reply threads, working from the back to the front, chronologically. This forum is very busy, and helpers are all volunteers with real life issues and would appreciate patience and following of the rules.

Yes, we also have to perform a triage...if a set of logs does not appear to be infected, unfortunately, that one will get passed over in favor of those with a more immediate need.

Quote:
In looking at the registry items listed in Autoruns, I found at least two items that are tagged by http://www.bleepingcomputer.com/startups/ as potential virus or trojan files. The two files I first noticed are userinit.exe and Explorer.exe.
They are legitimate Windows files, although they could be used by malware, which doesn’t seem to be the case here.

===============================

Total Physical Memory: 254 MiB (512 MiB recommended).

This is a major cause for sluggishness. You need to increase the memory.

===============================

Scan with HijackThis and put a checkmark against the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Internet.lnk = ?
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)


Are you using this proxy? If not, you can include the following in the fix too:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pc-180-16-215-201.cm.vtr.net:8080


It may be helpful to know that when you put an item in your Trusted Zone, it has pretty much full access to your computer... Are you sure you trust these sites to that degree?? If you're not sure, and/or you do not need these in your trusted zone to facilitate access, or you did not knowingly permit this access yourself, then please check them to be removed:

O15 - Trusted Zone: *.aaa.com (HKCU)
O15 - Trusted Zone: *.buy.com (HKCU)
O15 - Trusted Zone: *.godaddy.com (HKCU)
O15 - Trusted Zone: *.jabberwock.net (HKCU)
O15 - Trusted Zone: http://jhfunds.com (HKCU)
O15 - Trusted Zone: http://jhnetwork.com (HKCU)
O15 - Trusted Zone: http://jhsalesnet.com (HKCU)
O15 - Trusted Zone: *.nickandelsa.com (HKCU)
O15 - Trusted Zone: https://www.sfnclientfacts.com (HKCU)


The following ActiveX controls (Downloaded Program Files) will reinstall when (and if) you revisit that website. Unless you know they are from a safe source, check to remove:

O16 - DPF: {9800DFDB-CC8D-48A3-AC45-2C313C5683CE} () - https://www.sfnclientfacts.com/ba32/...oadPicture.CAB
O16 - DPF: {984425BF-82C1-11D6-8152-00B0D026F003} () - http://hub.jhancock.com/mfcentral/co...nchNotesDB.CAB
O16 - DPF: {B5665C6C-2E8C-4b23-A5B7-B137CF1064EF} () - http://kdx.omn.org/securedelivery/omn/omn.cab
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} () - https://secure-extranet-integ.jhnetw...intControl.cab
O16 - DPF: {DEF7CADC-83C0-11D0-A0F1-00A024703500} (True OLE DBGrid 7 Control) - https://www.sfnclientfacts.com/ba32/Include/todg7.CAB


O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - (no file)

Close all browsers and windows other than HijackThis and click on "fix checked".

==================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

==================================

Restart your computer for the changes to take effect.

==================================

There is some infected mail in your Thunderbird email client on the D drive. Go ahead and delete them. They could be backups or in the junk/spam mail folder. I am not familiar with Thunderbird, so you'll have to figure them out yourself.

D:\data\_thunderbird_email\Mail\Local Folders\Inbox[readme.zip][readme.scr]
D:\data\_thunderbird_email\Mail\mail.??????????.com\Inbox.sbd\spam.sbd\spoofed spam


These appear to be in the Trash folder. Just delete the contents of the folder.

D:\data\_thunderbird_email\Mail\mail.??????????.com\Trash[postcard.exe]
D:\data\_thunderbird_email\Mail\mail.??????????.com\Trash[~0001016.~][Greeting Card.exe]


======================================
Also delete these files:

D:\Download\bmark.exe
C:\Program Files\Dacris Benchmarks 5.0\DLL\3dtest.dll

Delete this link from your favorites:

c:\documents and settings\usera276\favorites\sidestep.url

======================================

Open notepad. It must be notepad, not wordpad.
Copy and paste the text inside the code box below into notepad, including the blank line at the end. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.
Choose file save as and set file type to all files.
Type fixreg.reg in the file name and save it to your desktop. It should look like this:

Quote:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fixreg.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer yes.

Reboot your computer.

========================================

Please post a fresh HijackThis log.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 06-14-2008 at 12:13 PM. Reason: edited the bbcode
amateur is offline  
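As an added illustration (not code from this thread, from HijackThis, or from amateur), the following Python script encodes the checks applied in the reply above as a first-pass triage over HijackThis log lines: orphaned entries whose target file is missing, sites and unknown protocols in the IE Trusted Zone, unnamed O16 ActiveX controls, the unrecognised Winsock LSP, and a configured proxy. The sample input is constructed from lines that appear in the log posted in this thread; the section codes are HijackThis's own, while the "reason" strings and the rule ordering are this script's assumptions. It only reads text and changes nothing on the machine.

```python
"""First-pass triage of HijackThis (HJT) log lines, mirroring the checks in the reply above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the HJT log posted in this thread,
# plus two benign entries (R1 Search Page, O23 McShield) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pc-180-16-215-201.cm.vtr.net:8080
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O15 - Trusted Zone: *.buy.com (HKCU)
O15 - ProtocolDefaults: Unknown 'myui' protocol is in Trusted Zone (HKLM)
O16 - DPF: {B5665C6C-2E8C-4b23-A5B7-B137CF1064EF} () - http://kdx.omn.org/securedelivery/omn/omn.cab
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - (no file)
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
"""

# Every HJT entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O15"
    reason: str    # why a helper would look twice at this entry (this script's wording)
    line: str      # the original log line, unchanged


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line worth review, or None for a line that passes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    # Entries whose target no longer exists are dead registry references (O9 and O18 here).
    if "(file missing)" in rest or "(no file)" in rest:
        return Finding(section, "orphaned entry: target file is missing", line)
    # Trusted Zone membership relaxes IE's security settings for that site or protocol.
    if section == "O15":
        if rest.startswith("ProtocolDefaults:"):
            return Finding(section, "unknown protocol placed in the Trusted Zone", line)
        return Finding(section, "site in the IE Trusted Zone; confirm it was added deliberately", line)
    # A DPF control with an empty "()" name field has no friendly name to vouch for it.
    if section == "O16" and " () - " in rest:
        return Finding(section, "downloaded ActiveX control with no name", line)
    # HJT could not identify this Winsock LSP module.
    if section == "O10":
        return Finding(section, "unrecognised Winsock LSP module", line)
    # A proxy the user did not set routes all browser traffic through a third party.
    if section == "R1" and ",ProxyServer = " in rest:
        return Finding(section, "proxy server configured; confirm it is intended", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep only the findings."""
    findings = []
    for raw in text.strip().splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as a script to print the seven flagged lines from the sample. The rules are heuristics in the same spirit as the reply, not a verdict: a Trusted Zone site or a proxy the user knowingly configured is legitimate, which is exactly why the reply asks the poster to confirm them rather than simply fixing them.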
Old 06-15-2008, 01:54 AM   #6 (permalink)


Re: Took steps to speed up slow computer but may still have traces of spyware or viru

Thanks Amateur!

Sorry about the extra bump. I did read all the directions prior to my first post. However after 7 days, I didn't recall the part that said helpers only search for topics with 0 or 1 replies. I only remembered the part which said not to bump before 72 hours. Hence one bump after 72 hours and a second bump after 144 hours.

Apparently I am not the only one who has had this misconception; I've seen a few other threads where the authors have replied every 72 hours and still have no help. Maybe the directions could be reworded to make a more lasting impression... "BUMP no more than once or your topic will not be seen by any volunteers." Just a thought, cuz I know first hand, my memory for directions drops off exponentially with time.

I made the changes you suggested and also disabled a few services from loading at startup. My computer is definitely faster. Thanks.

How concerned do I need to be that corrupted versions of bmark.exe and 3dtest.dll were found on my computer? In addition, I am still pretty concerned that my firewall detected GLB46.tmp attempting to access the internet. Since I cleared out my temp folders, does that mean this threat was also deleted? Did this malware do anything with my data or use any keylogger?

Thanks again,
David

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:50 AM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\data\ProcessExplorerNt\procexp.exe
C:\Program Files\ExamDiff\ExamDiff.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} -
O16 - DPF: {2776DDE9-D4B2-4BF7-9F98-ADC1A1B80AF5} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113925648917
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe

--
End of file - 5465 bytes
jabberwockdb is offline  
Old 06-15-2008, 05:48 AM   #7 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,391
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: Took steps to speed up slow computer but may still have traces of spyware or viru

Hi,

Quote:
How concerned do I need to be that corrupted versions of bmark.exe and 3dtest.dll were found on my computer? In addition, I am still pretty concerned that my firewall detected GLB46.tmp attempting to access the internet. Since I cleared out my temp folders, does that mean this threat was also deleted? Did this malware do anything with my data or use any keylogger?
bmark.exe [arc2.zip] and 3dtest.dll were not corrupt; they were infected but not active. It appears that you downloaded them yourself, perhaps from a p2p or a crack site? Visiting dubious sites and downloading cracks are a sure way to get infected.

This is also a good time to warn you about p2p filesharing. The nature of P2P filesharing is such that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. Also by default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple: file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. If you're using any p2p software, I recommend very strongly that you remove it from your system via Add/Remove Programs in Control Panel.


As for the GLB46.tmp, it's mentioned in connection with BeInSync software, but I didn't see that software in your Add or Remove list. Does it still attempt to access the internet?

I see ExamDiff running now. Are you a software developer?

===============================

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner



Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 06-15-2008, 03:23 PM   #8 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 8
OS: win xp pro sp2


Re: Took steps to speed up slow computer but may still have traces of spyware or viru

Hi Amateur,

I haven't seen GLB46.tmp attempt to access the internet again because I had blocked it by the McAfee Total Protection firewall. Unfortunately, I don't know if this version of McAfee keeps a log of attempts.

I used to be in IT many years ago, and I just downloaded examdiff to compare the changes to the HJT logs.

Here are the results of Kaspersky Online Scanner

Thanks again for your help.

David

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 15, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 15, 2008 14:57:52
Records in database: 867406
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 106733
Threat name: 5
Infected objects: 7
Suspicious objects: 5
Duration of the scan: 04:51:34


File name / Threat name / Threats count
C:\Documents and Settings\A276BEL\YugmaSkype\lib\DskHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Documents and Settings\A276BEL\YugmaSkype\lib\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Documents and Settings\A276BEL\YugmaSkype_NOJVM.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00EC0000.VBN Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00F40000.VBN Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01380000.VBN Suspicious: Exploit.HTML.CodeBaseExec 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\028C0000.VBN Infected: Trojan-Dropper.Win32.Delf.z 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\028C0001.VBN Infected: Trojan-Dropper.Win32.Delf.z 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02C80000.VBN Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02C80001.VBN Suspicious: Exploit.HTML.Mht 1
C:\PSKILL.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a 1

The selected area was scanned.
jabberwockdb is offline  
Old 06-15-2008, 04:04 PM   #9 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,391
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: Took steps to speed up slow computer but may still have traces of spyware or viru

Hi,

You can search for GLB46.tmp using the Windows search function and see if it brings up anything. I don't believe it's present though.

The items reported by Kaspersky are all in the Quarantine folder of Norton. They must not have been removed when Norton was uninstalled. You can go ahead and delete the entire folder since you don't have Symantec/Norton anymore.

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\

The files related to YugmaSkype are legitimate files used for conferencing.

How is the computer running other than being slow which is most likely due to low memory?
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
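To make the triage in the reply above reproducible, here is an added example (not code from this thread, from Kaspersky or from TSF) that parses lines in the format of the Kaspersky Online Scanner 7 report posted earlier and sorts each detection into "quarantined" (sitting in another product's quarantine folder), "riskware" (a not-a-virus classification such as the VNC and PsKill hits) or "active". The first four sample lines are copied from that report; the example.dll line, the quarantine-folder heuristic and the bucket names are assumptions of mine.

```python
import re

# Constructed sample in the shape of the Kaspersky Online Scanner 7 report posted
# above: "<path> Infected|Suspicious: <threat name> <count>". The first four lines
# are copied from that report; the last line (example.dll) is an invented entry
# for a detection that sits outside any quarantine folder.
SAMPLE_REPORT = r"""
C:\Documents and Settings\A276BEL\YugmaSkype\lib\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00EC0000.VBN Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\028C0000.VBN Infected: Trojan-Dropper.Win32.Delf.z 1
C:\PSKILL.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a 1
C:\WINDOWS\system32\example.dll Infected: Trojan-Dropper.Win32.Delf.z 1
"""

# The path group is non-greedy so that spaces in "Documents and Settings" do not
# break the match; the verdict keyword anchors where the path ends.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Folder names taken to mean another product already neutralised the file
# (assumed heuristic; Norton's "Quarantine" folder is the one seen in this thread).
QUARANTINE_MARKERS = ("\\quarantine\\",)


def parse_report(text):
    """Return one dict per detection line; lines that do not match are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            findings.append(d)
    return findings


def classify(path, threat):
    """Bucket a detection the way the analyst in the thread reasons about it."""
    if any(marker in path.lower() for marker in QUARANTINE_MARKERS):
        return "quarantined"   # inert copy held by another AV; delete the folder
    if threat.startswith("not-a-virus:"):
        return "riskware"      # legitimate admin tool (VNC, PsKill); confirm you installed it
    return "active"            # real detection in a live location: needs cleanup


def triage_report(text):
    """Group (path, threat) pairs by bucket so the 'active' list stands out."""
    buckets = {"quarantined": [], "riskware": [], "active": []}
    for f in parse_report(text):
        buckets[classify(f["path"], f["threat"])].append((f["path"], f["threat"]))
    return buckets


if __name__ == "__main__":
    for bucket, items in triage_report(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(items)}")
        for path, threat in items:
            print(f"  {threat}  {path}")
```

Run against the full report in the thread, the "active" bucket comes out empty, which is the analyst's conclusion; only the invented example.dll line lands there in the sample.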
Old 06-15-2008, 06:55 PM   #10 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 8
OS: win xp pro sp2


Re: Took steps to speed up slow computer but may still have traces of spyware or viru

Hi Amateur,

Thanks for all your help! My computer is definitely much faster after making your changes and also disabling some unneeded services from starting up. I deleted the Symantec folder and then searched the hard drive but couldn't find glb46.tmp.

Does this mean my computer is clean now? Should I be running Panda Scan and Kaspersky Online Scanner on a regular basis? I'll be looking to add some memory too.

Thanks again!
jabberwockdb is offline  
Old 06-15-2008, 07:14 PM   #11 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,391
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: Took steps to speed up slow computer but may still have traces of spyware or viru

Hi,

You're welcome. Extra memory will certainly make a difference. No harm in using an online scanner once a month or so.
Your logs are clean. You're good to go.

Create a new System Restore point to prevent reinfection from old restore points.

Go to Start>Run and type sysdm.cpl. Press Enter
  • Select the System Restore Tab
  • Place a check in "Turn off System Restore on all drives"
  • Click Apply
  • Next, uncheck the same checkbox.
  • Click Apply
  • Click OK
You can also find instructions on how to disable and re-enable System Restore here:
Windows XP System Restore Guide

Here are some steps to make your surfing more secure in future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site http://windowsupdate.microsoft.com/ to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site http://office.microsoft.com/officeup....aspx?lc=en-us and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial49.html
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet. A tutorial on Firewalls and a listing of some available ones can be found here:
http://forum.malwareremoval.com/viewtopic.php?p=56#56
http://www.bleepingcomputer.com/forums/tutorial60.html

Test your firewall here to make sure that it's working properly

ATF Cleaner by Atribune is a useful utility to clean the temporary files and cookies on a regular basis.

But above all, keep all your software UP-TO-DATE at all times!

A colleague of ours has excellent information and tips on the prevention of malware here

If you want to fight back the Malware Writers, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing!
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 06-16-2008, 10:46 AM   #12 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 8
OS: win xp pro sp2


Thumbs Up Re: Took steps to speed up slow computer but may still have traces of spyware or viru

Thanks! Thanks! Thanks!

My computer is back to its optimal speed and I have peace of mind knowing that we've cleaned up any malware or virus!

If possible, I think the 5-step pre-post instructions should REALLY, REALLY emphasize that posts with more than 1 reply (whether a bump, a correction, or posting another log) will get overlooked by the volunteers. Cuz as I mentioned, after one has been waiting for more than 6-7 days, it is too easy to forget that fact. I've searched the forums and found that there are many, many other posters who have posts that are still unanswered cuz they either bumped more than once or they added too many replies of their own.

Thanks again Amateur!

jabberwockdb is offline  
Old 06-16-2008, 11:57 AM   #13 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,391
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: Took steps to speed up slow computer but may still have traces of spyware or viru

You're very welcome. Glad that we were able to help. Thanks for the heads up about the 5-step pre-post instructions. I'll relay the message to the Manager.

Stay safe!
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  