# Solved: core.cache.dsk infection



## jospeh- (Jul 10, 2007)

I've read some of the posts with the same infection and got ComboFix. When I run it, it tells me it cannot find regedit.exe. My regedit is working fine, though.


----------



## jospeh- (Jul 10, 2007)

Adding a few things: I'm also running Zone Alarm, Spybot S&D, which found the infected files, and Ad-Aware.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-*.

Welcome to TSG.








*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Double-click on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis*.
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## jospeh- (Jul 10, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:33 PM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - (no file)
O2 - BHO: (no name) - {343D12F3-D56B-FDBC-4F12-898DBD2684BD} - C:\WINDOWS\system32\jqfykaq.dll
O2 - BHO: (no name) - {506BD552-EA5C-4197-A9A7-1F38E7AE528C} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {93b5e2b6-36f0-4416-8973-1b71a1f7bd8a} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\Software\..\Telephony: DomainName = idolmind
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = idolmind
O20 - Winlogon Notify: opnnoom - opnnoom.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4407 bytes


----------



## jospeh- (Jul 10, 2007)

I might as well mention I've had and ran AVG; it wasn't picking anything up. I've pretty much gotten it down this far and I was still getting popups on my Firefox, so I started searching for stuff and found Spybot, which found these issues.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-*

Let's try those programs again and post their reports or error messages:








Your *Java* seems to be out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. *Beware it is NOT supported for use in 9x or ME and probably will not install in those systems*

*Upgrading Java*:

Download the latest version of * Java Runtime Environment (JRE) 6u2*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove* programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Please download *VundoFix.exe* to your desktop.

*Note*: *In the event you already have Vundofix, this is a new version that I need you to download*.
Double-click *VundoFix.exe* to run it.
You will receive a message saying vundofix will close and re-open in a minute or less. Click *OK*
When VundoFix re-opens, click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* in your next reply.
*Note:* It is possible that *VundoFix* encountered a file it could not remove. In this case, *VundoFix* will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button" when VundoFix appears at reboot.

Download ComboFix from *Here* or *Here* to your Desktop.

*Note*: *In the event you already have Combofix, this is a new version that I need you to download*.

Double-click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.
*Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.*

Download *Superantispyware (SAS)*

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click *Yes*.
Under *Configuration and Preferences*, click the *Preferences* button.
Click the *Scanning Control* tab.
Under *Scanner Options* make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
Please leave the others unchecked.
Click the Close button to leave the control center screen.

On the main screen, under *Scan for Harmful Software* click *Scan your computer*.
On the left check *C:\Fixed Drive*.
On the right, under *Complete Scan*, choose *Perform Complete Scan*.
Click *Next* to start the scan. *Please be patient while it scans your computer*.
After the scan is complete a summary box will appear. Click *OK*.
Make sure everything in the white box has a check next to it, then click *Next*.
It will quarantine what it found and if it asks if you want to reboot, click *Yes*.
To retrieve the removal information, please do the following:
After reboot, double-click the *SUPERAntispyware* icon on your desktop.
Click Preferences. Click the Statistics/Logs tab.
Under Scanner Logs, double-click *SUPERAntiSpyware* Scan Log.
It will open in your default text editor (such as Notepad/Wordpad).
Please highlight everything in the notepad, then right-click and choose copy.

Click close and close again to exit the program.
Please paste that information in your next reply along with a fresh *HijackThis log*.


----------



## jospeh- (Jul 10, 2007)

It won't allow me to uninstall it; I got an error: Error 1316. A network error occurred while attempting to read from the file C:\WINDOWS\Installer\Java 2 Runtime Enviroment, SE v1.4.2.msi


----------



## JSntgRvr (Jul 1, 2003)

Ok, work on the rest.


----------



## jospeh- (Jul 10, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/10/2007 at 06:57 PM

Application Version : 3.9.1008

Core Rules Database Version : 3267
Trace Rules Database Version: 1278

Scan type : Complete Scan
Total Scan Time : 00:22:46

Memory items scanned : 377
Memory threats detected : 0
Registry items scanned : 4579
Registry threats detected : 8
File items scanned : 24258
File threats detected : 9

Adware.ClickSpring/Resident
HKLM\Software\Classes\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}
HKCR\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}
HKCR\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}\InprocServer32
HKCR\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}\InprocServer32#ThreadingModel
HKCR\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}\Programmable
HKCR\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}\TypeLib
C:\WINDOWS\SYSTEM32\JQFYKAQ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{DC192567-65F9-4AB6-ADB7-E13575F81726}

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
C:\WINDOWS\system32\drivers\FOPN.sys

Trojan.Downloader-ClickSpring/NDrv
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP461\A0300306.DLL

Adware.WebBuying Assistant-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP461\A0300309.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP464\A0307485.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP464\A0307489.EXE

Trojan.Rootkit-TnCore
C:\WINDOWS\SYSTEM32\DRIVERS\CORE.SYS


----------



## JSntgRvr (Jul 1, 2003)

Now that the rootkit *Core* was taken care of by *SuperAntispyware*, can you run *Combofix*?


----------



## jospeh- (Jul 10, 2007)

After running SUPERAntiSpyware I posted that log and then it asked to reboot, so I did, but with all the other problems I've been having my PC doesn't want to shut down on its own mostly all of the time. It's rebooted maybe twice on its own; I usually have to hold the button because it will just hang on the "Windows is shutting down" window, so I had to do it then. When I turned it back on it loaded normally, Gateway splash screen and restore screen. It then flashed a blue screen (I couldn't tell you what it said), but then it went to "Windows didn't open properly", so I tried again to open normally. It failed again with the same blue screen flash, at which point I had to open Windows by the last good config. Spybot S&D ran at startup and picked up smithfraud or whatever it is. After that scan SUPERAntiSpyware popped open a window and said the console window was corrupt. It is working though; I'm scanning again right now.


----------



## jospeh- (Jul 10, 2007)

Can you post the link for it please? ComboFix.


----------



## JSntgRvr (Jul 1, 2003)

Download ComboFix from *Here* or *Here* to your Desktop.

*Note*: *In the event you already have Combofix, this is a new version that I need you to download*.

Double-click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackthis* log in your next reply.
*Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.*


----------



## jospeh- (Jul 10, 2007)

I've got another adware on this scan, Adware.ClickSpring/Resident. What would you recommend if I have to reboot it again?


----------



## jospeh- (Jul 10, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/10/2007 at 07:46 PM

Application Version : 3.9.1008

Core Rules Database Version : 3267
Trace Rules Database Version: 1278

Scan type : Complete Scan
Total Scan Time : 00:23:56

Memory items scanned : 301
Memory threats detected : 0
Registry items scanned : 4778
Registry threats detected : 0
File items scanned : 24246
File threats detected : 1

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP468\A0313417.DLL


----------



## jospeh- (Jul 10, 2007)

Yeah, asking for a reboot. Guess not much I can do but the same process.


----------



## jospeh- (Jul 10, 2007)

ComboFix is still saying regedit.exe is missing and still the same reboot problems.


----------



## jospeh- (Jul 10, 2007)

it is working though


----------



## JSntgRvr (Jul 1, 2003)

Download and run the enclosed batch file and post its report.


----------



## jospeh- (Jul 10, 2007)

"C:\WINDOWS\regedit.exe" 146432 08/10/2004 02:00 PM 
"C:\WINDOWS\Help\regedit.chm" 46684 08/10/2004 02:00 PM 
"C:\WINDOWS\Help\regedit.hlp" 12886 08/10/2004 02:00 PM 
"C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf" 13744 07/10/2007 08:02 PM 
"C:\WINDOWS\system32\chcp.com" 7680 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\command.com" 50620 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\diskcomp.com" 9216 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\diskcopy.com" 7168 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\edit.com" 69886 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\format.com" 25600 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\graftabl.com" 26112 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\graphics.com" 19694 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\kb16.com" 14710 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\loadfix.com" 1131 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\mode.com" 19456 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\more.com" 15872 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\tree.com" 11264 08/10/2004 02:00 PM 
"C:\WINDOWS\system32\win.com" 18432 08/10/2004 02:00 PM 
"C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775" 0 10/13/2006 09:09 PM


----------



## JSntgRvr (Jul 1, 2003)

> Adware.ClickSpring/Resident
> C:\SYSTEM VOLUME
> INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP468\A0313417.DLL


This is located in the *System Restore*. We will take care of that once the computer is clean.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-* 

Let's take a deeper look:

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *WinPFind3u* on your desktop.

Open the *WinPFind3u* folder and double-click on WinPFind3U.exe to start the program.
In the *Processes* group click *Non Microsoft*
In the *Win32 Services* group click *Non Microsoft*
In the *Driver Services* group click *Non Microsoft*
In the *Registry* group click *Non Microsoft*
In the *Files Created Within* group click *60 days*. Make sure *Non-Microsoft only is UNCHECKED*
In the *Files Modified Within* group select *30 days*. Make sure *Non-Microsoft only is UNCHECKED*
In the *File String Search* group select *Non Microsoft*
In the *Additional scans* section please select *All* and *uncheck* Non-Microsoft only

Now click the *Run Scan *button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## jospeh- (Jul 10, 2007)

winpfind3 report


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-* 

We are almost there. Just need to check the computer's environment path.

Start *WinPFind3U*. Copy/Paste the information in the Quotebox below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> opnnoom -> opnnoom.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> {506BD552-EA5C-4197-A9A7-1F38E7AE528C} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Value does not exist [Reg Data - Value does not exist]
YN -> {93b5e2b6-36f0-4416-8973-1b71a1f7bd8a} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKLM] -> Reg Data - Key not found [MenuText: Reg Data - Value does not exist]
YN -> {FB5F1910-F110-11d2-BB9E-00C04F795683} -> Reg Data - Value does not exist [ButtonText: Messenger]
YN -> CmdMapping [HKLM] -> Reg Data - Key not found [MenuText: Reg Data - Value does not exist]
[Files/Folders - Created Within 60 days]
NY -> F?nts -> %System32%\F?nts
```
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

Download Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both the main.txt and the extra.txt in your next reply.
If the files are too long, attach them to a reply:

Scroll down and click the [Manage Attachments] button
Browse to the following folder:
C:\Deckard\System Scanner

Click Upload to upload these files one by one
Submit your reply


----------



## jospeh- (Jul 10, 2007)

[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnnoom deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{506BD552-EA5C-4197-A9A7-1F38E7AE528C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93b5e2b6-36f0-4416-8973-1b71a1f7bd8a} deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping deleted successfully.
[Files/Folders - Created Within 60 days]
File C:\WINDOWS\SYSTEM32\F?nts not found!
< End of log >
Created on 07/10/2007 20:45:03

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:30 PM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\Software\..\Telephony: DomainName = idolmind
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = idolmind
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3719 bytes


----------
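
Added example, not part of the original thread: a small Python triage script that parses HijackThis entries, lists the orphaned ones (`(no file)` / `(file missing)`), cross-references a CLSID reported by the scanner, and diffs the log taken before the WinPFind3U fix against the one taken after. The log lines are excerpts copied from the two HijackThis logs and the SUPERAntiSpyware log above; the function names are this example's own.

```python
import re
from typing import NamedTuple

# Excerpts copied from the thread's two HijackThis logs (trimmed for length).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - (no file)
O2 - BHO: (no name) - {343D12F3-D56B-FDBC-4F12-898DBD2684BD} - C:\WINDOWS\system32\jqfykaq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: opnnoom - opnnoom.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

LOG_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# CLSID that the SUPERAntiSpyware log in this thread lists under Adware.ClickSpring/Resident.
SCANNER_GUIDS = ["{343D12F3-D56B-FDBC-4F12-898DBD2684BD}"]

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "O2 - BHO: ..."
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


class Entry(NamedTuple):
    code: str   # HijackThis section code: R0, O2, O20, ...
    body: str   # everything after "CODE - "


def parse_log(text):
    """Return the section entries of a HijackThis log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def orphaned(entries):
    """Entries whose registry key survives but whose target file is gone."""
    return [e for e in entries if e.body.endswith(ORPHAN_MARKERS)]


def flagged_by_scanner(entries, flagged_guids):
    """Entries that reference a CLSID another tool has already reported (case-insensitive)."""
    wanted = {g.upper() for g in flagged_guids}
    return [e for e in entries
            if any(g.upper() in wanted for g in GUID_RE.findall(e.body))]


def diff(before, after):
    """(removed, added) between two parsed logs, preserving log order."""
    removed = [e for e in before if e not in after]
    added = [e for e in after if e not in before]
    return removed, added


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    print("Orphaned before the fix:")
    for e in orphaned(before):
        print("  ", e.code, "-", e.body)
    print("Matches scanner-reported CLSID:")
    for e in flagged_by_scanner(before, SCANNER_GUIDS):
        print("  ", e.code, "-", e.body)
    removed, added = diff(before, after)
    print("Removed between logs:", len(removed), "| added:", len(added))
    for e in added:   # new autostart entries deserve a look even when benign
        print("  +", e.code, "-", e.body)
```

A diff like this only reflects what each log reports; entries that appear in the "added" list (here the SUPERAntiSpyware autostart and Winlogon Notify hooks) still need to be attributed to a known installer.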



## jospeh- (Jul 10, 2007)

dss scan results


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-* 

Just two more folders to remove:

*C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
C:\WINDOWS\system32\F?nts*

The first one can be moved with OTMoveit:


 Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007*

 Return to OTMoveIt, right click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
Click the red *Moveit!* button.
*If able, copy everything on the Results window to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it on a note pad document. Save it on the desktop and post its contents in your next reply.

Close *OTMoveIt*
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

The second one (part of the PurityScan infection), is more difficult to remove.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this *folder*:

*C:\WINDOWS\system32\F?nts* -> Note the "?" symbol. That could be any letter or number, or the symbol itself. If having doubts, let me know any similar folders within the System32 folder before you delete anything.

Keep me posted.


----------



## jospeh- (Jul 10, 2007)

Can you repost the link? It didn't show up.


----------



## JSntgRvr (Jul 1, 2003)

OTMoveit?

Please *download* the *OTMoveIt by OldTimer*.

 *Save* it to your *desktop*.


----------



## jospeh- (Jul 10, 2007)

I didn't get the results, sorry, but it did get them, and the system32 folder was indeed just Fonts, which we got too.


----------



## jospeh- (Jul 10, 2007)

I'm still rather concerned about the reboot problem. It never did this until this issue or until I installed Zone Alarm. Any ideas?


----------



## jospeh- (Jul 10, 2007)

Folder move failed. C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr scheduled to be moved on reboot.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data moved successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007 moved successfully.
File/Folder C:\WINDOWS\system32\F?nts not found.

Created on 07/10/2007 21:30:11


----------



## JSntgRvr (Jul 1, 2003)

jospeh- said:


> I'm still rather concerned about the reboot problem. It never did this until this issue or until I installed Zone Alarm. Any ideas?


Alright, the system seems now clean, although I still have doubts about the F?nts folder. PurityScan, however, is disabled, thus no problems should arise.

You are mentioning a *restart issue*. Can you expand on that?


----------



## jospeh- (Jul 10, 2007)

Yeah, sure. Well, this issue occurred out of the blue. I wasn't browsing or anything at the time; it seemed I was singled out somehow. But it started with that WinAntiSpyware 2007 window while I was watching streams on Winamp, which I usually do, but that window popped up and that's when it all started. So I got Zone Alarm and scanned, and it found 36 viruses and cleaned, quarantined and rebooted, but it didn't reboot: it will go to "Saving your settings..." and sit there for a minute, and it will then go to "Windows is shutting down..." and it will just hang right there, or until I manually hold the button to shut it off.


----------



## jospeh- (Jul 10, 2007)

When it is shutting down, though, there is a window like an End Task window, but it has the Zone Alarm icon on it, and it loads the progress bar and then goes to "Saving your settings" and "Windows is shutting down"; it just hangs from there.


----------



## jospeh- (Jul 10, 2007)

It has never done this in the past before this issue occurred or, like I said, once Zone Alarm was installed, and now I'm rather paranoid about removing Zone Alarm, because I am a gamer and it uses a lot of resources and way too many processes; in any other circumstance I would have deleted it long ago lol


----------



## JSntgRvr (Jul 1, 2003)

jospeh- said:


> When it is shutting down, though, there is a window like an End Task window, but it has the Zone Alarm icon on it, and it loads the progress bar and then goes to "Saving your settings" and "Windows is shutting down"; it just hangs from there.


Remove *Zone Alarm* and test.


----------



## jospeh- (Jul 10, 2007)

Ah, and I keep getting firewall HTTP alerts from the same IP. I've traced the IP; it comes back to www.wowway.com or one of their users, so I haven't really wanted to uninstall Zone Alarm at this time =p


----------



## jospeh- (Jul 10, 2007)

Zone Alarm has been running for 2 days now, since 4 o'clock yesterday, and I have 397 intrusion attempts, and 44 of them are high rated, 406 firewall attempts, 40 viruses and 29 spies treated.


----------



## jospeh- (Jul 10, 2007)

plus the what 12 or so trojans and adware we found here


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-* 

You need more protection, such as an Antivirus. Antivirus programs play an important role in the protection of your system. Here are some options:

*Free Protection*:

*AVG FREE*
*AVIRA*
*AVAST*
*Active Virus Shield*

*Shareware:*

*NOD32*

*Recommendation:*
-> *NOD32*

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Once you have tightened your security, it may be possible to replace *Zone Alarm* with a less aggressive program.


----------



## jospeh- (Jul 10, 2007)

True, what is the best free solution though? I'm more worried about a firewall at this point; that seems to be the attack point. I have no idea other than at this time or until I read that link.
Beyond that, I have to say I appreciate your time and patience in this matter. Great help, great attitude. Thank you a lot, JSntgRvr. =D


----------



## jospeh- (Jul 10, 2007)

3.) Avoid questionable web sites!


* Many disreputable sites will attempt to install malware on your system through "drive-by" exploits just by visiting the site in your browser. Lyrics sites.

This may have been the issue: earlier in the day I was chatting on mIRC and this girl was posting jokes she was getting from a site and I was clicking them.


----------



## jospeh- (Jul 10, 2007)

Real funny, huh. Worst joke ever. =p


----------



## jospeh- (Jul 10, 2007)

Had some Windows updates today; all installed normally. Once they were all installed it of course calls for a reboot, and I clicked the button to restart and it would not respond when clicked. So another update box popped up saying it wasn't complete and needs to be restarted, so I clicked on it and tried to reboot from there; again it still wouldn't respond. So I went to the Start menu and tried it from there, and it will not reboot from the Start menu either, or the Task Manager.


----------



## jospeh- (Jul 10, 2007)

Well, after that glitch I've tried rebooting a few times now. I don't know what caused it, but it is rebooting on its own now. It's a little slower than it used to be, but all seems fine.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-* 

It could have been due to the same reason, *Zone Alarm*. 

Tighten-up your security.
Download the Zone Alarm installer and save it to your desktop.
Get offline (disconnect from the modem).
Remove Zone Alarm and test.
If there is no change, you can always reinstall from the installer on your desktop.


----------



## jospeh- (Jul 10, 2007)

Thank you, JSntgRvr, you've been a lot of help. I will test it once I feel some of these attacks have slowed; I'm still getting a lot of connection attempts, but I think you can mark this one as solved. You are a great asset to this forum =]


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-*. 

It is very unusual that a computer be under attack, unless there is a transponder in the system.

Download CWShredder *here* to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder








Please download *ATF Cleaner* by Atribune.
*This program is for XP and Windows 2000 only*

Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
If you use Firefox browser
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
If you use Opera browser
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
Click *Exit* on the Main menu to close the program.
For *Technical Support*, double-click the e-mail address located at the bottom of each menu.








Download *AVG Anti-Spyware* from *HERE* and save that file to your desktop.
_This is a 30 day trial of the program_
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.

*Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.*

*Boot into Safe Mode:*

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Perform the following steps in safe mode:

Run the *CWShredder*. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Close the Shredder.



*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
*Once the scan is complete do the following:*
If you have any infections you will be prompted, then select "*Apply all actions*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware.
*Restart back into Windows normally now*.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location.
*Post a fresh Hijackthis log along with the AVG Anti-spyware and ActiveScan reports.*


----------



## jospeh- (Jul 10, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:29 PM, on 7/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\Software\..\Telephony: DomainName = idolmind
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = idolmind
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3693 bytes


----------



## JSntgRvr (Jul 1, 2003)

Any findings on the above?


----------



## jospeh- (Jul 10, 2007)

Nope, looking clear on the viruses. If I posted these firewall logs, could you make any sense of them?


----------



## JSntgRvr (Jul 1, 2003)

jospeh- said:


> Nope, looking clear on the viruses. If I posted these firewall logs, could you make any sense of them?


Let's give it a try!


----------



## jospeh- (Jul 10, 2007)

Here are the three logs in question.


----------



## jospeh- (Jul 10, 2007)

My cable company is Sigecom, but I called the WideOpenWest company and they are a part of Sigecom. They took the IP address in question and I haven't seen any connection attempts from any of their hosts since.


----------



## jospeh- (Jul 10, 2007)

Well, I just got another connection attempt from the same WideOpenWest host after a night of nothing. In my opinion, even if they are part of Sigecom, I should only be receiving connections from dns1.sigecom.com. This is why I hate firewalls: you can see every little connection and have no idea why.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-* 

I see no malware attacks in those logs.

*Please print these instructions for reference, as you will have to restart your computer during the fix.*

Please download FixWareout from *Here* or *Here*.

*Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.*

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert (because this tool will download additional files from the internet), please don't let your firewall block it, but allow it instead.
You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.
Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

*O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\Software\..\Telephony: DomainName = idolmind
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = idolmind*

Click *FIX CHECKED*. Close HijackThis.

Enter your *Control Panel* and double-click on *Network Connections*
Then right click on your *Default Connection*
Usually Local Area Connection for Cable and DSL, or AOL Connection.

Left click on *Properties*
Double-click on the *Internet Protocol (TCP/IP)* item
Select the radio dial that says *Obtain DNS Servers Automatically*
Press OK twice to get out of the properties screen
Restart the computer
Go to *Start*->*Run*->Type *CMD* and click *Ok*. The *MSDOS* Window will be displayed. At the command prompt, type the following and press *Enter* after each line:

*ipconfig /flushdns* (The space between g and / is needed)
*Exit*

Restart the computer.

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\*report.txt* ), along with a new HijackThis log into this topic.


----------



## jospeh- (Jul 10, 2007)

Username "Administrator" - 07/13/2007 15:49:19 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

»»»»» Postrun check 
HKLM\SOFTWARE\~\Winlogon\ "System"="" 
....
....
»»»»» Misc files. 
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"nwiz"="nwiz.exe /install"
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"SigmatelSysTrayApp"="sttray.exe"
"IntelAudioStudio"="\"C:\\Program Files\\Intel Audio Studio\\IntelAudioStudio.exe\" BOOT"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


----------



## jospeh- (Jul 10, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:34 PM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\Software\..\Telephony: DomainName = idolmind
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = idolmind
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4069 bytes


----------



## jospeh- (Jul 10, 2007)

When doing the above, you asked me to go into the network connections. On my Start menu I have a slot above my network connection that wasn't there before; it just says empty, but when I click on my network connections there is nothing in there. It doesn't show my connection anymore.


----------



## JSntgRvr (Jul 1, 2003)

jospeh- said:


> When doing the above, you asked me to go into the network connections. On my Start menu I have a slot above my network connection that wasn't there before; it just says empty, but when I click on my network connections there is nothing in there. It doesn't show my connection anymore.


Probably the network libraries are not properly registered. Download and run the enclosed file. It will register the following libraries:

*netshell.dll
netcfgx.dll
netman.dll*

Restart the computer and check your Network Connections.


----------



## JSntgRvr (Jul 1, 2003)

Download *WinPFind3U.exe* once again to your Desktop and double-click on it to extract the files. It will create a folder named *WinPFind3u* on your desktop.

Open the *WinPFind3u* folder and double-click on WinPFind3U.exe to start the program.
This time, in the *Processes* group click *All*
In the *Win32 Services* group click *All*
In the *Driver Services* group click *All*
In the *Registry* group click *All*
In the *Files Created Within* group click *60 days*. Make sure *Non-Microsoft only is UNCHECKED*
In the *Files Modified Within* group select *30 days*. Make sure *Non-Microsoft only is UNCHECKED*
In the *File String Search* group select *All*
In the *Additional scans* section please select *All* and *uncheck* Non-Microsoft only

Now click the *Run Scan *button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*

If still the file is too big to attach, divide the report in two (2) and attempt to attach them.


----------



## jospeh- (Jul 10, 2007)

winpfind text document


----------



## jospeh- (Jul 10, 2007)

network connection is still missing though


----------



## jospeh- (Jul 10, 2007)

Yeah, rebooted a second time after that scan; it is still missing.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-* 

Start *WinPFind3U*. Copy/Paste the information in the Quotebox below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Kill Explorer]
[Unregister Dlls]
[Processes - All]
YY -> pnkbstra.exe -> %System32%\PnkBstrA.exe
[Win32 Services - All]
YY -> (PnkBstrA) PnkBstrA [Win32_Own | Auto | Running] -> %System32%\PnkBstrA.exe
YY -> (PnkBstrB) PnkBstrB [Win32_Own | On_Demand | Stopped] -> %System32%\PnkBstrB.exe
[Driver Services - All]
YY -> (PnkBstrK) PnkBstrK [Kernel | On_Demand | Stopped] -> %System32%\drivers\PnkBstrK.sys
[Registry - All]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> SigmatelSysTrayApp -> sttray.exe
[Registry - Additional Scans - All]
< Disabled MSConfig Registry Items [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> Gateway Extended Warranty -> Reg Data - Value does not exist
YN -> HostManager -> Reg Data - Value does not exist
YY -> ShowWnd -> %SystemRoot%\ShowWnd.exe
[Files/Folders - Created Within 60 days]
NY -> ntdtcsetup.log -> %SystemRoot%\ntdtcsetup.log
NY -> PnkBstrA.exe -> %System32%\PnkBstrA.exe
NY -> PnkBstrB.exe -> %System32%\PnkBstrB.exe
NY -> PnkBstrK.sys -> %System32%\drivers\PnkBstrK.sys
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with a new WinPFind3u scan and a Hijackthis log, separately* (the Hijackthis log can be pasted in the reply).

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.


----------



## jospeh- (Jul 10, 2007)

Explorer killed successfully
[Processes - All]
Unable to kill process pnkbstra.exe .
C:\WINDOWS\SYSTEM32\PnkBstrA.exe moved successfully.
[Win32 Services - All]
Service PnkBstrA stopped successfully.
Service PnkBstrA deleted successfully.
File C:\WINDOWS\SYSTEM32\PnkBstrA.exe not found.
Service PnkBstrB stopped successfully.
Service PnkBstrB deleted successfully.
C:\WINDOWS\SYSTEM32\PnkBstrB.exe moved successfully.
[Driver Services - All]
Service PnkBstrK stopped successfully.
Service PnkBstrK deleted successfully.
C:\WINDOWS\SYSTEM32\drivers\PnkBstrK.sys moved successfully.
[Registry - All]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SigmatelSysTrayApp deleted successfully.
[Registry - Additional Scans - All]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Gateway Extended Warranty deleted successfully.
File not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HostManager deleted successfully.
File not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ShowWnd deleted successfully.
File not found.
C:\WINDOWS\ShowWnd.exe moved successfully.
[Files/Folders - Created Within 60 days]
C:\WINDOWS\ntdtcsetup.log moved successfully.
File C:\WINDOWS\SYSTEM32\PnkBstrA.exe not found!
File C:\WINDOWS\SYSTEM32\PnkBstrB.exe not found!
File C:\WINDOWS\SYSTEM32\drivers\PnkBstrK.sys not found!
[Empty Temp Folders]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 07/14/2007 00:22:14

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:01 AM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\Software\..\Telephony: DomainName = idolmind
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = idolmind
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = idolmind
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 3523 bytes


----------



## jospeh- (Jul 10, 2007)

I'm not having any other troubles with the PC other than my network connection is missing.


----------



## jospeh- (Jul 10, 2007)

Ick, I dunno how that happened, sorry.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-*

*Zone Alarm* firewall and *Antivirus* seem to be missing, please reinstall. That was not part of the fix.

In regard to the *Network Connections*, go to *Start*->*Run*, type *Services.msc* and click Ok. Scroll down to *Network Connections* and double-click on it. Make sure the service is started and the type of startup is set to *Manual*. Click Ok to exit the properties dialog box and restart. Check your network connections.


----------
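Changes such as the missing Zone Alarm entries show up when two HijackThis logs from this thread are compared entry by entry. The Python sketch below is an added example, not part of any post and not part of HijackThis; the function names are hypothetical and the sample input is an abridged excerpt of the 7/13 and 7/14 logs posted above.

```python
import re

# HijackThis entry lines start with a section code such as "O4", "O17",
# "O23" or "R0", followed by " - " and the detail. Header lines and the
# "Running processes" paths do not match this pattern and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a log."""
    entries = set()
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.add((match.group(1), match.group(2).strip()))
    return entries


def diff_logs(before, after):
    """Return (removed, added) entry lists between two logs, sorted."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(old - new), sorted(new - old)


def still_present(before, after, section):
    """Details of one section that appear unchanged in both logs."""
    common = parse_entries(before) & parse_entries(after)
    return sorted(detail for sec, detail in common if sec == section)


# Abridged excerpt of the 7/13/2007 log from this thread (sample input).
LOG_BEFORE = r'''
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = idolmind
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
'''

# Abridged excerpt of the 7/14/2007 log from this thread (sample input).
LOG_AFTER = r'''
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\nvsvc32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = idolmind
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
'''

if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for section, detail in removed:
        print(f"- {section}: {detail}")
    for section, detail in added:
        print(f"+ {section}: {detail}")
    for detail in still_present(LOG_BEFORE, LOG_AFTER, "O17"):
        print(f"= O17: {detail}")
```

Run on the excerpts, the diff lists the Zone Alarm autostart and service entries among the removed items and shows the O17 entry unchanged between the two scans.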



## jospeh- (Jul 10, 2007)

Yes, it is running but still missing. And yes, I deleted Zone Alarm; as I told you, I'm a gamer, and once all the connections slowed down I would remove it. It cannot be installed or running while I'm online gaming. I do have antivirus though, including Spybot S&D and SUPERAntiSpyware; I also have Ad-Aware and the Windows MRT. I know it wasn't part of this fix, but this is originally the way the PC was before the attacks and the way I would like it.


----------



## jospeh- (Jul 10, 2007)

And I also removed Zone Alarm because of the rebooting problem, which you asked me to test, and it reboots normally without Zone Alarm installed. The Zone Alarm client zlclient.exe would shut down right as my PC was rebooting and it would just hang from there.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jospeh-* 

In regard to the Network Connections, the next step will be to remove and reinstall your network adapters, but if you have a good connection, I wouldn't recommend it.

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*Create a Restore point*:

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "After Cleanup", then click *Create*.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

*IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*CleanUP*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Click *Here* for some advice from our security Experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!


----------

