Horrible Malware Infestation

~~George Quick~~ · 12-31-2005, 05:36 PM

On an impulse, I navigated to the following site:

edited out...

Whatever you do, don't go there !

By just navigating to the site, I got a whole bunch of crap installed on my computer, and it has taken me several days to get rid of most of it.

Although both Trendmicro and AVG have both pronounced me "clean", my settings are all bunged-up. I've turned off System Restore so I can clean out the malware, so that is not an option. And I have run 2 Repair Installs and for some reason there are still problems.

Mostly what is happening is that my (WinXP) desktop is "locked" into displaying the malware's "Warning" page (which told me about the "spyware" and how to get rid of it). I got rid of the HTML page that used to be there, but now my normal WinXP desktop is replaced by a blank whiteness (like what you would get if the HTML page was deleted).

And I haven't got the ability to change the Desktop like I used to. On boot, it "flashes" my usual image, then get's "over-ridden" by something else.

Also, Task Manager used to not work, even though it was enabled in the Registry (I checked). I downloaded a tool that "forces" it to function, but I think there is still malware interfering.

The computer doesn't seem to recognize that I am the Administrator, and won't let me install software.

Also (somehow) Google's ToolBar got installed (I didn't do it).
I have a list of the malware AVG found & put into Quarantine, if that will help.

I used to think I could handle myself, but this is really something else. ANy help would be appreciated.

Also, is there anything that can be "done" about this web-site (above) ? I just navigated there by accident, and I can't believe that other ISP's would stand for allowing there Users to risk running into that site. Is there a way for someone to try to get the thing shut-down, or blacklisted ?

Thanks in advance,

George.

greyknight17 · 12-31-2005, 10:37 PM

Try to do as many steps you can outlined here. We need a HijackThis log from you.

You can just add that site to your HOSTS file to "blacklist" it. Uninstall Google Toolbar if you don't want it.

...moved to HijackThis Forum...

~~George Quick~~ · 01-11-2006, 12:21 PM

Quote:

Logfile of HijackThis v1.97.3
Scan saved at 1:15:08 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\outlook express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\New Computer\Desktop\Scanners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...tent/opuc3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136040864378
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131293608180

After a lot of work, I think I've cleaned the infection out but getting some kind of confirmation would be nice.

The only "symptom" I can find is "msconfig" lists:

(MSCONFIG)>Services>SJJMOZTP (Manufacturer) "Unknown" (Status) "Stopped"

I am fairly certain that "SJJMOZTP" is a random name generated by the malware. I have scanned both the HD and the Registry for this text and cannot find it anywhere, nor can I figure out how to permanently remove it from being listed in MSCONFIG.

Any help appreciated, & Thanks in advance.

George

sUBs · 01-12-2006, 07:23 AM

You are using an outdated version of HiJackThis. Please click on the link below to download the latest version:

HiJackThis_sfx.exe

1. Delete your current HiJackThis.exe file
2. Double-click on the file you just downloaded.
3. Click on the "Unzip" button to install the newer version.
4. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

I require a new HJT log to be from this newer version

~~George Quick~~ · 01-12-2006, 09:15 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:12:15 AM, on 1/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\outlook express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Download2\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136040864378
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131293608180
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: SJJMOZTP - SiS Corporation - (no file)

sUBs · 01-12-2006, 09:28 AM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Before we do anything else, please ensure that you have already patch your system against the recent WMF exploit. Please refer to my sig. No point we fix anything only for it to return tomorrow.

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *

Download & install CleanUp.exe (not recommended for WinXP64)

Download & extract it to it's own folder - smitRem.exe

Download and install (if possible) Ewido Security Suite

When installing, under "Additional Options",
- uncheck - Install background guard
Have Ewido update itself & then exit the program.

If you are having problems with the updater, you can use this link to manually update Ewido

If you have not already installed Ad-Aware SE 1.06, download and update aawsepersonal.exe

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downlaoding.
It is IMPORTANT that you don't miss a step & perform everything in the correct order.

* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *

Click Start -> Run - type SERVICES.MSC & then click on the OK button

Locate the service - SJJMOZTP
Double-click on it to open the Properties dialog.
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button
Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
In the popup box that appears, copy/paste SJJMOZTP
Click on the OK button & answer No if prompted to reboot

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: SJJMOZTP - SiS Corporation - (no file)

* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.

* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.

Tick - 'Show hidden files and folder'
Untick - 'Hide file extensions for known types'
Untick - 'Hide protected operating system files'
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)

msupdate32.dll

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!

* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

* * * *

Next go to Control Panel click Display>Desktop>Customize Desktop>Website
Under the 'Web pages' box, Uncheck everything present.

* * * *

Open Ad-aware and close ALL other windows.

1. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:

In the General window make sure the following are selected in green:
- Automatically save log-file
- Automatically quarantine objects prior to removal
- Safe Mode (always request confirmation)
- Prompt to update outdated definitions - set the number of days = 7
Click on the Scanning button on the left and select in green:
- Scan Within Archives
- Under Select drives & folders to scan:
  - choose all hard drives
- Scan Active Processes
- Scan Registry
- Deep Scan Registry
- Scan my IE favorites for banned URL’s
- Scan my Hosts file
Click on the Advanced button on the left and select in green:
- Move deleted files to recycle bin
- include addtional object information
- DeSelect - include negligible objects information
- Don't log streams smaller than 0 bytes
- Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak button:
1. Under Scanning Engine:
  - Unload recognized processes during scanning
  - Ignore spanned files when scanning cab archives
  - Scan registry for all users instead of current user only
2. Under Cleaning Engine:
  - Let Windows remove files in use at next reboot
3. Under Log Files:
  - Include basic Ad-aware SE settings in logfile
  - Include additional Ad-aware SE settings in logfile
  - Include computer & username in logfile
  - Please DeSelect: Include Module list in logfile

2. Click on Proceed to save the settings.
3. Click Start
4. Choose - Perform Full System Scan
5. DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
6. Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
7. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
8. Right-click on the list and choose Select All
9. Click Next to finish removing the items that were found

* * * * *

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
.Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *

In your next post, please include fresh logs from:

HiJackThis log

C:\Smitfiles.txt

Online Scan

Ewido

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

~~George Quick~~ · 01-15-2006, 06:54 PM

Quote:

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Sorry. All my other threads get "Instant e-mail Notification". This one didn't I think due to the new "face lift".

Logs are attached (and also pasted below), except for Ewido (I can't find it anywhere). But it was clean.

Note the two Kaspersky hits. Didn't do anything with them, pending your instructions.

I assume the new "hit ctl+alt+del" interupt on Logon is from Ewido.

Also your instructions could be tweaked a bit by advising to install & update Ewido before going to Safe Mode. (I installed & ran during Safe Mode with no hits, and then re-ran the scan after updating with no hits either.)

I have Ad-Aware Pro, and it found only "negligible" entries.

Thanks for your help.

(Latest) HJT Log:

Quote:

Logfile of HijackThis v1.97.3
Scan saved at 1:15:08 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\outlook express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\New Computer\Desktop\Scanners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...tent/opuc3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136040864378
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131293608180

smitRem Log:

Quote:

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 01/14/2006
The current time is: 21:28:51.71

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

SpySheriff

~~~ Shortcuts ~~~

Install.dat

~~~ Favorites ~~~

~~~ system32 folder ~~~

logfiles

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

desktop.html

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 780 'explorer.exe'
Killing PID 780 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

Kaspersky Log:

Quote:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, January 15, 2006 09:00:05
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/01/2006
Kaspersky Anti-Virus database records: 171628
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 35129
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 3708 sec

Infected Object Name - Virus Name
C:\!KillBox\sachostm.exe Infected: Trojan-Dropper.Win32.Agent.afj
C:\WINDOWS\system32\msvcrl.dll Infected: Trojan-Dropper.Win32.Agent.afj

Scan process completed.

sUBs · 01-16-2006, 07:25 AM

Quote:

Also your instructions could be tweaked a bit by advising to install & update Ewido before going to Safe Mode.

George,

English is not my mother tongue & I'm always grateful for any feedback as to how I may improve my instructions. However I re-read the the earlier instructions but could not find any implications for downloading/installing Ewido in Safe Mode. If you may be so kind, please point them out to me so that I may improve upon them.

There are some errors with your latest HJT log. I would require a fresh re-post. Please take note of the date & hijackthis's version. It should be self explainatory..

Quote:

Logfile of HijackThis v1.97.3
Scan saved at 1:15:08 PM, on 1/11/2006

For the moment, please locate & delete this file - C:\WINDOWS\system32\msvcrl.dll
If it resist deletion, please delete it from Safe Mode

~~George Quick~~ · 01-16-2006, 09:22 AM

Sorry, I posted the OLD HJT log. Here's the most recent (pasted below).

Also, I apologise about the criticism of your instructions.

Quote:

Download and install (if possible) Ewido Security Suite
When installing, under "Additional Options",
uncheck - Install background guard
Have Ewido update itself & then exit the program.

I only downloaded Ewido and didn't install it, and didn't realize it until I was already in Safe Mode. The "update" aspect was what concerned me, since I was already running the scan before I realized it should have been done first.

I guess I was looking for the directions to be presented as I would have written them. It's only a difference of "style", but I think constructing the wording as follows would be more clear:

"Download, Install and Update Ewido Security Suite."
The secondary points fall "more naturally" after these 3 main ideas, in my opinion.

Quote:

For the moment, please locate & delete this file - C:\WINDOWS\system32\msvcrl.dll
If it resist deletion, please delete it from Safe Mode

Found & Deleted.

This morning AVG found (and wiped) "C:\Windows\smss.exe". Note this is AFTER all the other malware-removal measures had been done.

Also, please note the 2 malware hits found by Kaspersky which are still undeleted, pending your instructions.

Thanks again for your help.

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 9:40:47 AM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\outlook express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Download2\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136040864378
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131293608180
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

sUBs · 01-16-2006, 09:36 AM

Quote:

This morning AVG found (and wiped) "C:\Windows\smss.exe". Note this is AFTER all the other malware-removal measures had been done.

This may be a new infection trying to rear it's ugly head. The file you mentioned windows/smss.exe is often associated with the SpyAxe/Spysheriff infections. I believe it's new because Ewido/Kaspersky should have easily detected it. It probably came in after the Kaspersky scan. Have you patched yourself with KB912919 yet?

Quote:

please note the 2 malware hits found by Kaspersky which are still undeleted,

Quote:

C:\!KillBox\sachostm.exe Infected: Trojan-Dropper.Win32.Agent.afj
C:\WINDOWS\system32\msvcrl.dll Infected: Trojan-Dropper.Win32.Agent.afj

The !Killbox folder is where Killbox stores the backups of files it deletes. You may delete the entrire folder without worry. The other file, msvcrl.dll is the one you have just deleted.

Normally, I would have declared you clean but that smss.exe worries me a bit. I believe it warrants another scan.

Please perform another online scan with Internet Explorer with Panda ActiveScan

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on see report. Then click Save report

Post the contents of the report in your next reply along with a new HJT log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

~~George Quick~~ · 01-16-2006, 09:56 AM

I just read your post. Came here to post again. Just noticed that (for some reason) Windows Messenger is now installed on my machine. (I thought I removed that over a year ago.)

I went to Control Panel>Add/Remove Programs and found that it is (according to Windows) not installed on my system.

??

I don't know if this is another indication of malware activity or not.

You instructions are to run a "Panda" scan, even though I have already installed and run a Kaspersky on-line scan. I assume this is intentional, and not oversite. Will report back after Panda does it's thing.

Thanks again.

George

sUBs · 01-16-2006, 10:15 AM

For some strange reasons, some of your Windows settings have changed. The "ctl+alt+del" logon is not Ewido's doing.

You may restore it by going to Start > Run - type nusrmgr.cpl
Select change the way users log on/off & choose to use the Welcome screen.

Windows Messengers may be disabled by doing this..
Start > Run - type cmd /k sc config messenger start= disabled

~~George Quick~~ · 01-16-2006, 11:16 AM

Quote:

For some strange reasons, some of your Windows settings have changed. The "ctl+alt+del" logon is not Ewido's doing.

Is this System Restore doing it's thing ? Should I have turned this off at the begginning of the process ?

Quote:

You may restore it by going to Start > Run - type nusrmgr.cpl
Select change the way users log on/off & choose to use the Welcome screen.

Windows message: "Client Services for NetWare has disabled Fast Switching and the Welcome Screen..." (etc...)

How do I Uninstall Client Services for Netware, and how did it get installed in the first place ? (I have never done anything with this before.)

Quote:

Windows Messengers may be disabled by doing this..
Start > Run - type cmd /k sc config messenger start= disabled

This seemed to have worked successfully, but I would rather uninstall it completely. Is this possible ?

Thanks again for your help.

George

Results of Panda Scan:

Quote:

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\George\Cookies\George@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\George\Cookies\George@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\George\Cookies\George@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\George\Cookies\George@apmebf[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\George\Cookies\George@ask[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\George\Cookies\George@atdmt[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\George\Cookies\George@c5.zedo[1].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\George\Cookies\George@cdfreaks[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\George\Cookies\George@club.cdfreaks[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\George\Cookies\George@com[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\George\Cookies\George@data.coremetrics[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\George\Cookies\George@doubleclick[1].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\George\Cookies\George@hotlog[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\George\Cookies\George@maxserving[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\George\Cookies\George@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\George\Cookies\George@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\George\Cookies\George@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\George\Cookies\George@server.iad.liveperson[2].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\George\Cookies\George@spylog[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\George\Cookies\George@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\George\Cookies\George@tribalfusion[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\George\Cookies\George@www.myaffiliateprogram[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\George\Cookies\George@yadro[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\George\Cookies\George@zedo[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\George\Cookies\George@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\George\Cookies\George@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\George\Cookies\George@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\George\Cookies\George@apmebf[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\George\Cookies\George@ask[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\George\Cookies\George@atdmt[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\George\Cookies\George@c5.zedo[1].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\George\Cookies\George@cdfreaks[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\George\Cookies\George@club.cdfreaks[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\George\Cookies\George@com[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\George\Cookies\George@data.coremetrics[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\George\Cookies\George@doubleclick[1].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\George\Cookies\George@hotlog[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\George\Cookies\George@maxserving[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\George\Cookies\George@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\George\Cookies\George@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\George\Cookies\George@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\George\Cookies\George@server.iad.liveperson[2].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\George\Cookies\George@spylog[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\George\Cookies\George@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\George\Cookies\George@tribalfusion[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\George\Cookies\George@www.myaffiliateprogram[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\George\Cookies\George@yadro[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\George\Cookies\bill@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Download2\smitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Download2\smitRem\smitRem.exe[Process.exe]
Spyware:Cookie/Humanclick Not disinfected C:\RECYCLER\NPROTECT\00035542.TXT
Spyware:Cookie/Zedo Not disinfected C:\RECYCLER\NPROTECT\00035562.TXT
Spyware:Cookie/Humanclick Not disinfected C:\RECYCLER\NPROTECT\00035584.TXT
Spyware:Cookie/Zedo Not disinfected C:\RECYCLER\NPROTECT\00035604.TXT

sUBs · 01-16-2006, 11:26 AM

Microsoft has explicit instructions for uninstalling Client Service for Netware

Click here for How to Remove Windows Messenger on Windows XP

~~George Quick~~ · 01-16-2006, 06:51 PM

Okay, disabled Windows Messenger successfully.

Uninstalled Novell Netware per the instructions from the link provided, and checked LAN>Properties and it has not come back, however I still have to press ctl+alt+del in order to logon.

Never had to do this before, and since you say this is not Ewido could it be System Restore ?

Other than that things seem okay.

How do I get rid of this ctl+alt+del interupt ?

Thanks again for your help,

George

sUBs · 01-16-2006, 10:33 PM

welcomescreen.reg - Right click on this & choose "Save As..." welcomescreen.reg.
Then double click on it & allow it to merge into the registry.

If that fails, download & run this - ginadll.vbs

~~George Quick~~ · 01-16-2006, 11:08 PM

Okay the registry entry executable did the trick. Thanks a lot for that. I can mod the Reg when necessary, but never felt comfortable doing it. Pushing a button is much better.

Am I done ?

Do you have any explanation for any of these symptoms ? Messenger, Novell Netware for Clients & the ctl +alt+del interupt ?

Do they have anything in common ?

The only thing I can think of is System Restore.

Also I have a LOT of $NTuninstall files. Can I get rid of these ? If so, how ?

Thanks again for your help,

George

sUBs · 01-16-2006, 11:18 PM

Have you performed a System Restore recently? If not, I dont think they're related to System Restore.

Please post a fresh HJT log

~~George Quick~~ · 01-17-2006, 08:18 AM

No I haven't performed a System Restore, recently or ever. But I am wondering if XP is doing it automatically.

Thanks again for your help,

George

New HJT Log:

Quote:

Scan saved at 9:16:50 AM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\outlook express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Download2\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136040864378
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131293608180
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

sUBs · 01-17-2006, 08:24 AM

Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
- Untick - Show hidden files and folder
- Tick - Hide file extensions for known types
- Tick - Hide protected operating system files
Click Yes to confirm & then click OK
SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
- Select the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Select Custom Level .
    - Change 'Download signed ActiveX controls' to Prompt
    - Change 'Download unsigned ActiveX controls' to Disable
    - Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    - Change 'Installation of desktop items' to Prompt
    - Change 'Launching programs and files in an IFRAME' to Prompt
    - Change 'Navigate sub-frames across different domains' to Prompt
    - When all these changes have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Select OK to exit the Internet Properties page.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
Microsoft Windows Update
Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
Google Toolbar - Get the free google toolbar to help stop pop up windows.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

12-31-2005, 05:36 PM	#1 (permalink)
~~George Quick~~ Register user Join Date: Nov 2005 Posts: 194 OS: Win2000 Pro	Horrible Malware Infestation On an impulse, I navigated to the following site: edited out... Whatever you do, don't go there ! By just navigating to the site, I got a whole bunch of crap installed on my computer, and it has taken me several days to get rid of most of it. Although both Trendmicro and AVG have both pronounced me "clean", my settings are all bunged-up. I've turned off System Restore so I can clean out the malware, so that is not an option. And I have run 2 Repair Installs and for some reason there are still problems. Mostly what is happening is that my (WinXP) desktop is "locked" into displaying the malware's "Warning" page (which told me about the "spyware" and how to get rid of it). I got rid of the HTML page that used to be there, but now my normal WinXP desktop is replaced by a blank whiteness (like what you would get if the HTML page was deleted). And I haven't got the ability to change the Desktop like I used to. On boot, it "flashes" my usual image, then get's "over-ridden" by something else. Also, Task Manager used to not work, even though it was enabled in the Registry (I checked). I downloaded a tool that "forces" it to function, but I think there is still malware interfering. The computer doesn't seem to recognize that I am the Administrator, and won't let me install software. Also (somehow) Google's ToolBar got installed (I didn't do it). I have a list of the malware AVG found & put into Quarantine, if that will help. I used to think I could handle myself, but this is really something else. ANy help would be appreciated. Also, is there anything that can be "done" about this web-site (above) ? I just navigated there by accident, and I can't believe that other ISP's would stand for allowing there Users to risk running into that site. Is there a way for someone to try to get the thing shut-down, or blacklisted ? Thanks in advance, George. Last edited by greyknight17; 12-31-2005 at 10:36 PM. Reason: Edited out crack site...

12-31-2005, 10:37 PM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Try to do as many steps you can outlined here. We need a HijackThis log from you. You can just add that site to your HOSTS file to "blacklist" it. Uninstall Google Toolbar if you don't want it. ...moved to HijackThis Forum... __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

01-12-2006, 07:23 AM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	You are using an outdated version of HiJackThis. Please click on the link below to download the latest version: HiJackThis_sfx.exe 1. Delete your current HiJackThis.exe file 2. Double-click on the file you just downloaded. 3. Click on the "Unzip" button to install the newer version. 4. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\ I require a new HJT log to be from this newer version __________________ Question - what have you done for the community today?

01-12-2006, 09:15 AM	#5 (permalink)
~~George Quick~~ Register user Join Date: Nov 2005 Posts: 194 OS: Win2000 Pro	New HJT Log Logfile of HijackThis v1.99.1 Scan saved at 10:12:15 AM, on 1/12/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\outlook express\msimn.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Download2\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136040864378 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131293608180 O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\ O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe O23 - Service: SJJMOZTP - SiS Corporation - (no file)

01-12-2006, 09:28 AM	#6 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. Before we do anything else, please ensure that you have already patch your system against the recent WMF exploit. Please refer to my sig. No point we fix anything only for it to return tomorrow. Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. * * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * * Download & install CleanUp.exe (not recommended for WinXP64) Download & extract it to it's own folder - smitRem.exe Download and install (if possible) Ewido Security Suite When installing, under "Additional Options", uncheck - Install background guard Have Ewido update itself & then exit the program. If you are having problems with the updater, you can use this link to manually update Ewido If you have not already installed Ad-Aware SE 1.06, download and update aawsepersonal.exe 'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downlaoding. It is IMPORTANT that you don't miss a step & perform everything in the correct order. * * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * * Click Start -> Run - type SERVICES.MSC & then click on the OK button Locate the service - SJJMOZTP Double-click on it to open the Properties dialog. - Stop the service by using the Stop button. - Change the Startup type to Disabled & then click on the OK button Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service In the popup box that appears, copy/paste SJJMOZTP Click on the OK button & answer No if prompted to reboot * * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * * Do a HijackThis scan & place a check next to these items and select "Fix checked": R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\ O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing) O23 - Service: SJJMOZTP - SiS Corporation - (no file) * * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * * 1. Restart your computer 2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3. Instead of Windows loading as normal, a menu should appear 4. Select the option to run Windows in Safe Mode. * * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * * If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools -> Folder Options -> View tab. Tick - 'Show hidden files and folder' Untick - 'Hide file extensions for known types' Untick - 'Hide protected operating system files' Click Yes to confirm & then click OK Locate and delete the following files/folders: (let me know if you fail to find/delete any) msupdate32.dll * * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * * Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider initially to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. 6. Do NOT reboot/logoff if prompted. * CleanUp! will not create any backups!! * * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply. * * * * Next go to Control Panel click Display>Desktop>Customize Desktop>Website Under the 'Web pages' box, Uncheck everything present. * * * * Open Ad-aware and close ALL other windows. 1. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window: In the General window make sure the following are selected in green: Automatically save log-file Automatically quarantine objects prior to removal Safe Mode (always request confirmation) Prompt to update outdated definitions - set the number of days = 7 Click on the Scanning button on the left and select in green: Scan Within Archives Under Select drives & folders to scan: choose all hard drives Scan Active Processes Scan Registry Deep Scan Registry Scan my IE favorites for banned URL’s Scan my Hosts file Click on the Advanced button on the left and select in green: Move deleted files to recycle bin include addtional object information DeSelect - include negligible objects information Don't log streams smaller than 0 bytes Don't log ADS with the following names: CA_INOCULATEIT Click the Tweak button: Under Scanning Engine: Unload recognized processes during scanning Ignore spanned files when scanning cab archives Scan registry for all users instead of current user only Under Cleaning Engine: Let Windows remove files in use at next reboot Under Log Files: Include basic Ad-aware SE settings in logfile Include additional Ad-aware SE settings in logfile Include computer & username in logfile Please DeSelect: Include Module list in logfile 2. Click on Proceed to save the settings. 3. Click Start 4. Choose - Perform Full System Scan 5. DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. 6. Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically. 7. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window 8. Right-click on the list and choose Select All 9. Click Next to finish removing the items that were found * * * * * Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" .Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop ** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete. * * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * * Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan * * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * * In your next post, please include fresh logs from: HiJackThis log C:\Smitfiles.txt Online Scan Ewido Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today? Last edited by sUBs; 01-12-2006 at 09:30 AM.

01-16-2006, 09:56 AM	#11 (permalink)
~~George Quick~~ Register user Join Date: Nov 2005 Posts: 194 OS: Win2000 Pro	Another Update I just read your post. Came here to post again. Just noticed that (for some reason) Windows Messenger is now installed on my machine. (I thought I removed that over a year ago.) I went to Control Panel>Add/Remove Programs and found that it is (according to Windows) not installed on my system. ?? I don't know if this is another indication of malware activity or not. You instructions are to run a "Panda" scan, even though I have already installed and run a Kaspersky on-line scan. I assume this is intentional, and not oversite. Will report back after Panda does it's thing. Thanks again. George

01-16-2006, 10:15 AM	#12 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	For some strange reasons, some of your Windows settings have changed. The "ctl+alt+del" logon is not Ewido's doing. You may restore it by going to Start > Run - type nusrmgr.cpl Select change the way users log on/off & choose to use the Welcome screen. Windows Messengers may be disabled by doing this.. Start > Run - type cmd /k sc config messenger start= disabled __________________ Question - what have you done for the community today?

01-16-2006, 11:26 AM	#14 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	Microsoft has explicit instructions for uninstalling Client Service for Netware Click here for How to Remove Windows Messenger on Windows XP __________________ Question - what have you done for the community today?

01-16-2006, 06:51 PM	#15 (permalink)
~~George Quick~~ Register user Join Date: Nov 2005 Posts: 194 OS: Win2000 Pro	Another Update Okay, disabled Windows Messenger successfully. Uninstalled Novell Netware per the instructions from the link provided, and checked LAN>Properties and it has not come back, however I still have to press ctl+alt+del in order to logon. Never had to do this before, and since you say this is not Ewido could it be System Restore ? Other than that things seem okay. How do I get rid of this ctl+alt+del interupt ? Thanks again for your help, George

01-16-2006, 10:33 PM	#16 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	welcomescreen.reg - Right click on this & choose "Save As..." welcomescreen.reg. Then double click on it & allow it to merge into the registry. If that fails, download & run this - ginadll.vbs __________________ Question - what have you done for the community today?

01-16-2006, 11:08 PM	#17 (permalink)
~~George Quick~~ Register user Join Date: Nov 2005 Posts: 194 OS: Win2000 Pro	Final Update ? Okay the registry entry executable did the trick. Thanks a lot for that. I can mod the Reg when necessary, but never felt comfortable doing it. Pushing a button is much better. Am I done ? Do you have any explanation for any of these symptoms ? Messenger, Novell Netware for Clients & the ctl +alt+del interupt ? Do they have anything in common ? The only thing I can think of is System Restore. Also I have a LOT of $NTuninstall files. Can I get rid of these ? If so, how ? Thanks again for your help, George

01-16-2006, 11:18 PM	#18 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	Have you performed a System Restore recently? If not, I dont think they're related to System Restore. Please post a fresh HJT log __________________ Question - what have you done for the community today?

01-17-2006, 08:24 AM	#20 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure: CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder) Go to Start >> Run - type control sysdm.cpl,,4 & press Enter Tick on the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK DISABLE THE VIEWING OF SYSTEM FILES From Windows Explorer, go to Tools>Folder Options> View tab. Untick - Show hidden files and folder Tick - Hide file extensions for known types Tick - Hide protected operating system files Click Yes to confirm & then click OK SECURING INTERNET EXPLORER From within Internet Explorer click on the Tools menu and then click on Internet Options. Select the Security tab Click once on the Internet icon so it becomes highlighted. Select Custom Level . Change 'Download signed ActiveX controls' to Prompt Change 'Download unsigned ActiveX controls' to Disable Change 'Initialize and script ActiveX controls not marked as safe' to Disable Change 'Installation of desktop items' to Prompt Change 'Launching programs and files in an IFRAME' to Prompt Change 'Navigate sub-frames across different domains' to Prompt When all these changes have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Select OK to exit the Internet Properties page. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. FIREWALL Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here. Microsoft Windows Update Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here SPYWAREBLASTER SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites. Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. Google Toolbar - Get the free google toolbar to help stop pop up windows. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Question - what have you done for the community today?