Troj_rootkit.e virus

[DM1301]

Hello All,

I'm currently dealing with the Troj_rootkit.E virus. I'm running windows 2000 server with mirrored hard drives. I've tried running numerious antivirus programs like office scan, ewido, av-cls (trend and McAfee), cleanup, etc... I've also have gone in and deleted registry files trying to get rid of the "rdriv" files. I've also read a lot of threads on how to get rid of this virus but none of those solutions seem to work. I've included the hijack this file below. Any help would be appreciated. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 12:40:31 PM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
F:\INETPUB\MAILROOT\BIN\XMail.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\mqsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\BacsTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://209.239.242.217/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://delta-server/officescan/Clien...l/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://delta-server/officescan/clien...l/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://delta-server/officescan/clientinstall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://delta-server/officescan/clien...RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124148141859
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/acc...n/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deltamicrowave.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3143A686-7C06-4E13-9C0E-4C877CEDF40E}: NameServer = 207.178.128.20,207.178.128.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{668CBD1E-5F8D-416C-87EE-4CE26954F542}: NameServer = 207.178.128.20,207.178.128.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deltamicrowave.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deltamicrowave.com
O23 - Service: Cerberus FTP Server - Grant Averett - C:\Program Files\Cerberus\Cerberus.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: SMTP Server (mssmtp) - Unknown owner - c:\Progra~1\Microsoft.NET\Common\Binn\smtpsrv.exe (file missing)
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINNT\svehost32.exe
O23 - Service: TCP System Driver (tcpsys) - Unknown owner - C:\WINNT\system32\rsvterm.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: XMail Server (XMail) - Unknown owner - F:\INETPUB\MAILROOT\BIN\XMail.exe

[MicroBell]

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

• Ad-Aware® SE Personal Edition
• Spybot Search & Destroy
• CWShredder

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)



Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip
*Unzip it to your desktop.
* Ewido Security Suite
*Install ewido security suite
*Launch ewido, there should be a big E icon on your desktop, double-click it.
*The program will prompt you to update click the OK button
*The program will now go to the main screen
*You will need to update ewido to the latest definition files.
*On the left hand side of the main screen click update
*Click on Start
*The update will start and a progress bar will show the updates being installed.
*After the updates are installed exit Ewido.

*Cleanup
Download and install it


* KillBox
Download and unzip the Killbox.exe to your desktop.


Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: Mouse Button Monitor (mousebm)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows

Repeat that process for these other services...

Microsoft New Game 2 (svehost32)
TCP System Driver (tcpsys)

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen.

2.) Double-click the Ewido Security Suite icon to run the program. Set the program up as follows:
*Click on scanner
*Make sure the following boxes are checked before scanning:
*Binder
*Crypter
*Archives
*Click on Start Scan
*Let the program scan the machine
While the scan is in progress you will be prompted to clean the first file. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the window (this way you don't have to sit and watch ewido) click OK
*Once the scan has completed, there will be a button located on the bottom of the screen named Save report
*Click Save report
*Save the report to your desktop.

3.) Run Cleanup! by double-clicking the Cleanup! icon on your desktop.

4.) Run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://209.239.242.217/
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINNT\svehost32.exe
O23 - Service: TCP System Driver (tcpsys) - Unknown owner - C:\WINNT\system32\rsvterm.exe (file missing)


Close HiJackThis.

5.) Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. If your computer does not restart automatically, please restart it manually.

C:\WINNT\system32\mousebm.exe
C:\WINNT\svehost32.exe
C:\WINNT\system32\rsvterm.exe
C:\WINNT\system32\rdriv.sys

After computer has restarted continue with the rest of the instructions:

6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

7.) Run this online virus scan:
Panda ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

[DM1301]

First of all, thanks a lot. So far your instructions seem to have worked and the virus appears to be gone. I've been fighting this virus for about 2 days now and every time I thought I might have fixed it in safe mode it respawned itself when I booted up normally. If you see anything else out of the ordinary please let me know. Thanks again for your help. Below is the requested information. I know there's a virus in the mail server but I should be able to take care of that.


Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 9:36:26 AM, on 8/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
F:\INETPUB\MAILROOT\BIN\XMail.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\mqsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\BacsTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://209.239.242.217/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://delta-server/officescan/Clien...l/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://delta-server/officescan/clien...l/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://delta-server/officescan/clientinstall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://delta-server/officescan/clien...RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124148141859
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124376117171
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/acc...n/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deltamicrowave.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3143A686-7C06-4E13-9C0E-4C877CEDF40E}: NameServer = 207.178.128.20,207.178.128.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{668CBD1E-5F8D-416C-87EE-4CE26954F542}: NameServer = 207.178.128.20,207.178.128.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deltamicrowave.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deltamicrowave.com
O23 - Service: Cerberus FTP Server - Grant Averett - C:\Program Files\Cerberus\Cerberus.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SMTP Server (mssmtp) - Unknown owner - c:\Progra~1\Microsoft.NET\Common\Binn\smtpsrv.exe (file missing)
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: XMail Server (XMail) - Unknown owner - F:\INETPUB\MAILROOT\BIN\XMail.exe



Ewido Log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:50:21 AM, 8/18/2005
+ Report-Checksum: 78E4B645

+ Scan result:

No infected objects found.


::Report End




Active Scan Report:

Incident Status Location

Virus:W32/Mimail.J.worm Disinfected F:\Inetpub\MailRoot\spool_\18\8\mess\1075419318342.1480.Gate[www.paypal.com.pif]

[MicroBell]

Question....

Are these part of your ISP and/or company network??

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://209.239.242.217/
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deltamicrowave.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deltamicrowave.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deltamicrowave.com

Those 4 entrys are tied together pointing to that site and it's IP

O17 - HKLM\System\CCS\Services\Tcpip\..\{3143A686-7C06-4E13-9C0E-4C877CEDF40E}: NameServer = 207.178.128.20,207.178.128.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{668CBD1E-5F8D-416C-87EE-4CE26954F542}: NameServer = 207.178.128.20,207.178.128.21

These IP's come back as Internet Specialties West, Inc.

[DM1301]

Yes those entries are part of the company website which is hosted by Internet Specialties West, Inc. Just out of curiosity how did you know what files to delete or which files the virus was residing in???

[POADB]

Quote:

Originally Posted by DM1301

Yes those entries are part of the company website which is hosted by Internet Specialties West, Inc. Just out of curiosity how did you know what files to delete or which files the virus was residing in???

O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINNT\svehost32.exe
O23 - Service: TCP System Driver (tcpsys) - Unknown owner - C:\WINNT\system32\rsvterm.exe (file missing) The different sections of HJT help us identify different infections. The 023's above, though they take a keen eye, identy the infection known to ana nalyst as rdriv.sys.

If you're interested in learning, why not join the TSF Academy? Details are in a sticky at the top of this forum.

[DM1301]

Thanks I appreciate the info. I'll look into the TSF academy.

[MicroBell]

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below.


Reset hidden/system files and folders

Windows XP
===============

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Windows 2000
===============

• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Select the Advanced settings box option.
• Select the Hidden files Folders.
• Deselect the Show all files option.
• Click Yes to confirm.
• Click OK.

Windows ME
===============

• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Windows 95/98/98SE
===============

• Open My Computer.
• Select the View
• Select the Folder Options option.
• Select the View tab. option.
• Select the Advance Advanced settings box option.
• Select the Hidden files folder.
• Deselect the Show all files option
• Click Apply to confirm.
• Click OK.

Create a new System Restore point

Windows XP
===============

• Click Start >> Run - type SYSDM.CPL & press Enter
• Select the System Restore Tab
• Tick on the checkbox - "Turn off System Restore on all drives"
• Click Apply
• Then untick the same checkbox & click OK
• This deletes ALL restore points that had the infection and creates a clean one

Windows ME
===============

• Click the Start tab.
• Select the Settings option.
• Select the Control Panel option.
• Double Click the System icon Performance tab option.
• Select File System
• Select the Troubleshooting tab
• Check the Disable System Restore box
• Click Apply to confirm.
• Click OK.

Reboot the PC and repeat the above procedure again
When you get to this option

• Uncheck the Disable System Restore box

For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below.

• Click the Start button.
• Point to Programs, point to Accessories, point to System Tools, and then click System Restore.
• Choose Create a restore point, and then click Next.
• In the Restore point description box, type a name for your restore point, and then click Next.
  Click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• Tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system.


Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
• WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Sygate Personal Firewall
• Kerio Personal Firewall
• OutPost Firewall

In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use:

• Grisoft AVG Anti-Virus System
• Alwil Avast 4 Home Edition
• Softwin BitDefender Free Edition Version 7

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.

Please respond to this thread one more time so we can mark this thread as resolved.

[DM1301]

Thanks for you help. I appreciate all the info.