Old 11-13-2008, 06:37 AM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


win32/vundo.azw

Hi gang. I need a little help. I managed to get trojaned and my antivirus found it. My antivirus is CA and it finds win32/vundo.azw in c:\WINDOWS\system32\wvULMcab.dll but cannot remove it. I found that file but cannot rename or remove it, so where do I go from here? I have run several Vundo tools and none have worked. I have also run HijackThis and GMER and have logs to post if needed. Some symptoms: I have access to the internet but cannot update my antivirus or go to any legitimate antivirus site. If I run a Google search, another search engine takes over. Also, the dreaded popups for adware, spyware, antivirus and Maxim.com (that one's not so annoying). Thanx in advance!
Ben

Old 11-15-2008, 07:47 AM   #2 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


Re: win32/vundo.azw

...bump it up... I didn't realize you got this much play. I found myself deep, deep into the archive almost! lol.
Old 11-15-2008, 08:39 AM   #3 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: win32/vundo.azw

Hi benhal9,

Step 1

Please download DDS from Tech Support Forum and save it to your desktop.

Double click on dds to run it.

When done, DDS.txt will open. Click Yes at the prompt. It will take another few minutes to scan. When done, Attach.txt will open. Please attach Attach.txt in your next reply by scrolling down and clicking on Manage Attachments.

An image is below for your reference:



Step 2

Please download gmer.zip from Gmer and save it to your desktop.
  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on gmer.exe to run it.
  7. Click on the Scan button.
  8. When the scan is finished, click on Save ....
  9. Copy and paste in Gmer.txt and click Save.
  10. Close Gmer.

Note: Do not run any programs while Gmer is running.

In your next reply, please post:
  1. DDS.txt
  2. Attach.txt (attach it to this topic)
  3. Gmer.txt
__________________




Done your best? Really?
Old 11-15-2008, 09:31 AM   #4 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


Re: win32/vundo.azw

as requested... files attached...
Attached Files
File Type: txt Attach.txt (10.1 KB, 3 views)
File Type: txt DDS.txt (16.4 KB, 4 views)
File Type: txt gmer.txt (183.1 KB, 6 views)
Old 11-15-2008, 11:38 AM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: win32/vundo.azw

Hi benhal9,

Step 1
  1. Right click on CA Antivirus icon near the clock (a shield).
  2. Click on CA Anti-Virus > Snooze Anti-Virus Protection.
  3. When prompted, enter in 30 and click on Snooze.

Step 2

Please download Combofix from one of these locations:

Link 1
Link 2
Link 3

Save it to your desktop.
  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.



    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Please post the Combofix log (C:\Combofix.txt) in your next reply.
Old 11-15-2008, 03:32 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


Re: win32/vundo.azw

What an amazing program to watch in action. I thank you kindly. Attached is its log. For the record, I am sending this via my PC and not my wife's, so it appears to be working. I have been reading your other forums while I waited for responses and am finding this site a wealth of information!
Ben
Attached Files
File Type: txt ComboFix.txt (19.8 KB, 3 views)
Old 11-16-2008, 06:07 AM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: win32/vundo.azw

Hi benhal9,

If Ask Toolbar is still installed, please uninstall it via Add/Remove Programs in Control Panel.

Next... please disable CA Antivirus temporarily as per previous instructions.

Open Notepad and copy and paste the following in the Code box into Notepad:

Code:
File::
c:\program files\Uninstall Ask Toolbar.dll

Folder::
c:\program files\AskPBar

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Warning: The above script is just for benhal9. If you are not benhal9, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.



Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post the Combofix log.
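For context on the Registry:: section of that script, as an added example (not code from the thread and not ComboFix's own parser): AppInit_DLLs under HKEY_LOCAL_MACHINE\...\Windows NT\CurrentVersion\Windows names DLLs that Windows loads into every process that links user32.dll, which is why an injected DLL there survives ordinary process-level cleanup and why clearing the value is part of this fix. The Python below parses a CFScript into its File::, Folder:: and Registry:: actions and reports whether the script clears AppInit_DLLs, so you can read what a script asks ComboFix to do before running it. The section names are the ones used in the script above; the parsing rules and the .reg-style value handling are this example's own assumptions.

```python
"""Parse a ComboFix CFScript into its requested actions.

Added example: not code from the thread and not ComboFix's own parser.
Section names (File::, Folder::, Registry::) follow the script posted
above; the parsing rules and the .reg-style value handling are this
example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# The CFScript posted in the thread, reused here as sample input.
SAMPLE_SCRIPT = r"""File::
c:\program files\Uninstall Ask Toolbar.dll

Folder::
c:\program files\AskPBar

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
"""

KNOWN_SECTIONS = {"File", "Folder", "Registry"}
_SECTION_RE = re.compile(r"^(\w+)::$")          # e.g. "Registry::"
_KEY_RE = re.compile(r"^\[(.+)\]$")              # [HKEY_...\key\path]
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')      # "Name"=data


@dataclass
class CFScript:
    files: list = field(default_factory=list)      # paths ComboFix should delete
    folders: list = field(default_factory=list)    # folders it should delete
    # registry: key path -> {value name: data}; "" clears a string value,
    # "-" (from .reg syntax) asks for the value to be deleted outright.
    registry: dict = field(default_factory=dict)
    unknown_sections: list = field(default_factory=list)


def parse_cfscript(text: str) -> CFScript:
    """Walk the script line by line, switching state on 'Name::' headers."""
    script = CFScript()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _SECTION_RE.match(line)
        if header:
            section = header.group(1)
            current_key = None
            if section not in KNOWN_SECTIONS:
                script.unknown_sections.append(section)
            continue
        if section == "File":
            script.files.append(line)
        elif section == "Folder":
            script.folders.append(line)
        elif section == "Registry":
            key = _KEY_RE.match(line)
            if key:
                current_key = key.group(1)
                script.registry.setdefault(current_key, {})
                continue
            value = _VALUE_RE.match(line)
            if value and current_key is not None:
                name, data = value.group(1), value.group(2).strip()
                if len(data) >= 2 and data[0] == data[-1] == '"':
                    data = data[1:-1]              # strip the .reg quoting
                script.registry[current_key][name] = data
    return script


def appinit_dlls_cleared(script: CFScript) -> bool:
    r"""True when the script sets AppInit_DLLs to an empty string under
    ...\Windows NT\CurrentVersion\Windows (matched case-insensitively,
    as the registry itself is)."""
    for key, values in script.registry.items():
        if key.lower().endswith(r"\windows nt\currentversion\windows"):
            for name, data in values.items():
                if name.lower() == "appinit_dlls" and data == "":
                    return True
    return False


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    print("files to remove:  ", parsed.files)
    print("folders to remove:", parsed.folders)
    print("registry changes: ", parsed.registry)
    print("AppInit_DLLs cleared:", appinit_dlls_cleared(parsed))
```

Unrecognised section headers are collected rather than silently ignored, so a script that has been edited or mangled in transit shows up as "unknown section" instead of quietly doing less than intended.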
Old 11-16-2008, 07:08 AM   #8 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


Re: win32/vundo.azw

I don't have Ask toolbar. Do I still do this?
Old 11-16-2008, 07:12 AM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: win32/vundo.azw

You can skip the uninstalling of Ask Toolbar. Please proceed with the rest.
Old 11-16-2008, 10:40 AM   #10 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


Re: win32/vundo.azw

And there it is...... forgot I even had that in there. It is amazing what comes attached to programs.
Attached Files
File Type: txt ComboFix.txt (37.6 KB, 2 views)
Old 11-17-2008, 08:25 AM   #11 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: win32/vundo.azw

Hi benhal9,

Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases


  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply, please post:
  1. A new HijackThis log
  2. Kaspersky scan report
Old 11-18-2008, 03:13 AM   #12 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


Re: win32/vundo.azw

Done and done.
Old 11-18-2008, 03:14 AM   #13 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


Re: win32/vundo.azw

...oops, no attachment. Hold on.
Old 11-18-2008, 03:17 AM   #14 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


Re: win32/vundo.azw

For some reason my files aren't getting through, so I will cut and paste them... sorry...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:10 AM, on 11/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Transform XP to Vista\Yahoo! Widgets\Widgets\YahooWidgetEngine.exe
C:\Program Files\Transform XP to Vista\Vista Start Menu\VistaStartMenu.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Transform XP to Vista\Yahoo! Widgets\Widgets\YahooWidgetEngine.exe
C:\Program Files\Transform XP to Vista\Yahoo! Widgets\Widgets\YahooWidgetEngine.exe
C:\Program Files\Transform XP to Vista\Yahoo! Widgets\Widgets\YahooWidgetEngine.exe
C:\Program Files\Transform XP to Vista\Yahoo! Widgets\Widgets\YahooWidgetEngine.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CAGlobal.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eveleth.mediacomtoday.com/community/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UpdatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [YahooWidgetEngine.exe] "C:\Program Files\Transform XP to Vista\Yahoo! Widgets\Widgets\YahooWidgetEngine.exe"
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Transform XP to Vista\Vista Start Menu\VistaStartMenu.exe"
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\TERRY\EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\DOCUME~1\Ben\LOCALS~1\Temp\E_S7.tmp" /EF "HKCU"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1222776987765
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=23100
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5106/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://images.mmosite.com/photo/2007...227257K6tJ.jpg

--
End of file - 9327 bytes



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, November 18, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, November 17, 2008 20:48:48
Records in database: 1390341
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 125936
Threat name: 6
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 01:44:22


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Program Files\Uninstall Ask Toolbar.dll.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bpwcshxk.dll.vir Infected: Trojan.Win32.Monder.yis 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bqhvlefo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.etv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cqfueafa.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gchhieqm.dll.vir Infected: Trojan.Win32.BHO.iaz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\imwvdr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.etv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kexjet.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ktatnt.dll.vir Infected: Trojan.Win32.Monder.yis 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nmshiwyv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\roksfbmq.dll.vir Infected: Trojan.Win32.Monder.yir 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\szmdvc.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esw 1

The selected area was scanned.
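As an added example of how an analyst reads a log like the one above (not from the thread and not HijackThis's own code): the Python below parses HijackThis-style entries, counts them by section, and flags a few line types that deserve a second look: BHOs with no display name, O23 services listed with an unknown owner, entries that load from a Temp directory, and files an antivirus scan has already named. The sample mixes lines copied from the log above with one constructed O2 line carrying the wvULMcab.dll path reported in the first post; its CLSID is a placeholder. A flag is a prompt to verify the file (vendor, signature, location), not a verdict: the "Unknown owner" flag fires on PnkBstrA here, which only means the log carries no vendor string for it.

```python
"""Triage helper for HijackThis-style log lines.

Added example: not part of the thread and not HijackThis's own code.
Line prefixes (O2, O4, O23, ...) are those in the log posted above; the
triage heuristics are this example's own and mark lines to verify by
hand, not verdicts.
"""
import re
from collections import Counter

# Sample input: lines copied from the log above plus ONE constructed O2
# line carrying the DLL path the poster's antivirus reported in the first
# post (its CLSID is a placeholder, not from the page).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\wvULMcab.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

_ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A drive-letter path ending in an executable/library extension.
_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"']*?\.(?:dll|exe|sys|ocx)", re.IGNORECASE)


def parse_hjt(text):
    """Return [(kind, body)] for every recognised entry line."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def summarize(entries):
    """Count entries per section, e.g. {'O2': 2, 'O4': 2, 'O23': 2}."""
    return dict(Counter(kind for kind, _ in entries))


def triage(entries, av_reported=()):
    """Return [(kind, body, [reasons])] for entries worth a second look.

    av_reported: file names already flagged by an antivirus scan; any
    entry that loads one of them is correlated with that detection.
    """
    reported = {name.lower() for name in av_reported}
    findings = []
    for kind, body in entries:
        reasons = []
        if kind == "O2" and "(no name)" in body:
            reasons.append("BHO without a display name")
        if kind == "O23" and "Unknown owner" in body:
            reasons.append("service has no vendor string; verify the file")
        if re.search(r"\\temp\\", body, re.IGNORECASE):
            reasons.append("loads from a Temp directory")
        for path in _PATH_RE.findall(body):
            file_name = path.rsplit("\\", 1)[-1].lower()
            if file_name in reported:
                reasons.append(f"{file_name} was reported by antivirus")
        if reasons:
            findings.append((kind, body, reasons))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(summarize(parsed))
    for kind, body, reasons in triage(parsed, av_reported={"wvULMcab.dll"}):
        print(kind, "|", body)
        for reason in reasons:
            print("   ->", reason)
```

The antivirus cross-check is the most useful of the four rules in a case like this one: CA named the DLL but could not remove it, and finding the same file name in an O2 (BHO) line tells you which load point keeps bringing it back.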
Old 11-18-2008, 03:27 AM   #15 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: win32/vundo.azw

Logs are looking good.

Any issues?
Old 11-20-2008, 03:49 AM   #16 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


Re: win32/vundo.azw

The only issue I can see is that my PC sometimes is not booting properly, making me restart it up to 3 times before I get a proper boot. Other than that, my PC does and goes where I tell it to now.
Thank you so much
Ben
Old 11-20-2008, 05:31 AM   #17 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: win32/vundo.azw

Can I have more details?

Did Windows get stuck at certain stage of booting? Or something else happened?

When did you notice this problem?
Old 11-20-2008, 04:42 PM   #18 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


Re: win32/vundo.azw

It started happening 2 months ago after I installed my new super hard drive, but before I got virused. It happens after the Windows logo loading black screen and before the Windows bluish screen. I shut off all non-essential startup programs on boot-up. Not sure what can be causing it.
Old 11-21-2008, 09:37 AM   #19 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: win32/vundo.azw

That appears to be a hardware problem.

You can get help from the Hard Drive Support forum here.

But before that, we need to remove the tools that we have downloaded.

Remove Combofix

Click on Start > Run. Copy and paste in ComboFix /u and click OK. An image is below for reference.



Here are some tips to keep the computer clean.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly or update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update
Office Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:
  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows, which needs regular updating, antivirus, anti-spyware and firewall programs need regular updates too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.
  1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  2. Never open emails from unknown senders.
  3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

For Internet Explorer 7

Please read this article to configure Internet Explorer 7 properly.

Stop malicious scripts

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection
  1. Winpatrol
    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  2. Spyware Blaster
    SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

    You can download SpywareBlaster from Javacool.

    If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.

  3. SpywareGuard
    Just as an antivirus program scans a file for viruses before opening it, SpywareGuard does the same thing, except that it scans it for spyware.

    You can download SpywareGuard from Javacool.

    If you need help in using SpywareGuard, you can read SpywareGuard's tutorial at Bleeping Computer.

  4. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    These Hosts files will replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. The new Hosts file will protect you by redirecting these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts


    A tutorial about Hosts File can be found at Malware Removal.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  5. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that potentially has lots of viruses or spyware, or that has questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

Here are some more things to read about:

List of clean and infected download managers
Securing Skype
Greater email safety
Phishing - what is it?
Configuring Outlook Express
80 Super Security Tips
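For the Hosts file item in the list above, as an added example (not from the thread and not from the MVPS, Bluetack or hpHosts projects it links): Windows consults %SystemRoot%\System32\drivers\etc\hosts before it asks DNS, so a name mapped there to 127.0.0.1 (or to 0.0.0.0, which many current lists use so the browser does not even attempt a local connection) never reaches the real server. The Python below parses a Hosts file in the comment and multiple-hostnames-per-line syntax those lists use, answers whether a given name is blocked, and generates well-formed block entries. The sample file and its example domains are constructed for this illustration.

```python
"""Hosts-file blocklist: parse, check and generate entries.

Added example: not from the thread or from any of the Hosts-file
projects it links. The sample file is constructed here; the names in
it are placeholders, not real advertising or spyware hosts.
"""
import ipaddress
import re

SAMPLE_HOSTS = """
# Constructed sample in the format blocklist Hosts files use.
127.0.0.1   localhost
0.0.0.0     ads.example        # newer lists use 0.0.0.0 (no connect attempt)
127.0.0.1   tracker.example www.tracker.example
127.0.0.1   Spyware.EXAMPLE    # hostnames are case-insensitive
10.0.0.5    intranet.example   # an ordinary entry, NOT a block
"""

# Targets that mean "go nowhere": loopback v4/v6 and the unspecified address.
BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Valid hostname: dotted labels of letters, digits and hyphens, 253 chars max.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$",
    re.IGNORECASE,
)


def parse_hosts(text):
    """Return {hostname (lowercase): ip}.

    Comments start at '#', one IP may be followed by several names, and
    the FIRST mapping for a name wins, which is how the resolver treats
    duplicate entries.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue          # malformed address: skip the line
        for name in parts[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping


def resolve(hostname, mapping):
    """Hosts file is consulted before DNS; None means 'fall through to DNS'."""
    return mapping.get(hostname.lower())


def is_blocked(hostname, mapping):
    ip = resolve(hostname, mapping)
    return ip is not None and ip in BLOCK_TARGETS


def blocked_names(mapping):
    """Every name the file sinks, excluding the mandatory localhost line."""
    return sorted(n for n, ip in mapping.items()
                  if ip in BLOCK_TARGETS and n != "localhost")


def make_block_entries(hostnames, target="0.0.0.0"):
    """Lines to append to a Hosts file; names that are not valid
    hostnames are dropped rather than written as junk."""
    return [f"{target} {h.lower()}" for h in hostnames if _HOSTNAME_RE.match(h)]


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked_names(table))
    for name in ("ads.example", "WWW.TRACKER.EXAMPLE", "intranet.example", "other.example"):
        print(f"{name:24} -> {resolve(name, table)!r:12} blocked={is_blocked(name, table)}")
    print("\n".join(make_block_entries(["Bad.Example", "not a host"])))
```

Two behaviours worth noticing: a name that resolves to a non-loopback address (intranet.example above) is a redirect, not a block, which is exactly how a malicious Hosts edit can send a legitimate name somewhere else; and because the first entry for a name wins, a blocklist appended below an existing mapping will not override it.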
Old 11-22-2008, 12:30 PM   #20 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 12
OS: xp sp2


Re: win32/vundo.azw

You have been patient and helpful... I thank you. I will read in that forum as well.