HELP ME! ...my IE opens to: "http://www.bestsecurityguide.co, have HJT LOG-"Help me Geeks to Go Forum; You're my only hope"
Apr 18 2006, 10:56 PM
Member | Posts: 10 | OS: XP PRO
Thanks for looking!
I've been hijacked!!!!!

...my IE opens to: "http://www.bestsecurityguide.com/"

-I've written what I know, and what I've tried-

-->HJT LOG BELOW!<--
HJT LOG BELOW PLEASE SCROLL DOWN TO SKIP
-please scroll down if you want to skip the explanation

Thank you in advance for your help-
Cookanderson

-->PROBLEM:
I have lost 30+ hrs trying to remove this myself, but now need an expert!
I have, I think a malware-it's taken over my IE-and I have no idea what else

1: I have read all the intro forum info, but never participated in a forum
If I screw up some protocol, please forgive me-
I will correct the mistake if I can
I have read FAQ's-by 'Mike'-05.16.2004,16:58

2: my IE home page has been taken over and opens to:
--WARNING--DO NOT GO TO LINK BELOW--
...my IE opens to: "http://www.bestsecurityguide.com/"

3: I have scanned w/ AdA. and Spybot-
HOWEVER- both subscriptions are more than 20 days old.
for some reason, they will not download the latest changes-
I have tried to several times-
I have been using both programs for 2 years, and recently uninstalled/reloaded the latest versions in an effort to get up to date.

-->ACTION TAKEN:
1. I followed the MajorGeeks removal info to STEP 6
2. then to Special Removal Procedures

I put all of those steps at the end of this email-or you can find it here:
"http://forums.majorgeeks.com/showthread.php?t=35407"

-->WHAT I'VE DONE -IN ORDER-SO FAR (MajorGeeks.com-removal):
1. Norton-1st
2. Uninstall Malware via Add/Remove Programs
3. empty their Norton Nprotect folder guarding the Recycle
4. Enable viewing of hidden files, system files and file extensions
5. CCleaner
6. Ad-Aware SE
7. Spybot - S&D + Immunize
8. Microsoft Windows Defender 1051 (Beta 2)
9. Microsoft Windows Malicious Software Removal Tool
10. hjt
11. CWShredder
12. Kill2me

NOTE-MY COMPUTER would not allow me to get online in SafeMode! so I had to do ONLINE WORK normal operation

got online:
13. ran-Bitdefender.com
14. ran Panda Active Scan

then next step was to look at:
"Special Removal procedures" for particular "sticky threads"

was going to submit HJT file, but tried 1st:
EWIDo
then
Trojan Hunter-atMalware suggestion

newest HJT log below

NOW I NEED HELP!!!! Please-I'm desperate!

I thought that I had either of the following...
about:Blank and HSA (aka Only the Best) Hijackers - Generic Solution
or
about:Blank and HSA Hijacker - Simplified Removal

once I started to look at the log and figure out what to remove, I thought I'd better stop now as I DO NOT WANT TO ERASE-'FIX' THE WRONG THING.
I'm sorry I could not do more on my own- but it just felt too risky as I'm just a brave but novice, newbie

HJT HIGHLY recommends this site--

HJT LOG BELOW PLEASE SCROLL DOWN TO SKIP

I also have the following logs:
Active Scan, BDscan, CCleaner...
not included-IN THIS THREAD, if that might help you-I'll retrieve in later reply

sorry so long-hope this info helps

WHAT DO WE DO NEXT?

-cookanderson

--------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:59:52 AM, on 4/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\HJT-HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp56A0.tmp
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Matthew\LOCALS~1\Temp\200572910344_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "c:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Tracker] C:\Program Files\MySoftware\MyInvoices\tracker.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\System32\Belkin\F5U109\PostCopy.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "c:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102742177216
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1442/ftp...23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...413/mcfscan.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - c:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--------------------------------------------------------------------------------

Major Geeks instructions:

READ & RUN ME FIRST Before Asking for Support

--------------------------------------------------------------------------------

***IMPORTANT NOTE*** Please DO NOT post HJT logs before running this procedure and DO NOT post logs directly inline with your message. If you do not understand what this means, ask before posting.

I know it looks long, but much of this is explanatory text to help less experienced people. Please do not cheat by skipping any steps. You are only hurting yourself if you do. The goal is to get your PC fixed.

Completing the steps in this generic guide may or may not resolve all of your malware problems, but in all cases it gets your PC into a known state to help make it easier for us to fix your problems.
Before you post a new thread requesting support, make sure you have completed all of these steps and tell us you did so! After completing them, if you still need help, please start a new thread. Do not send private messages to any of the helpers! These private messages will be deleted and ignored.

Before you start the below procedure, you may want to first check to see if your problem is covered in the Special Removal Procedures sticky thread. If it is, try that procedure first and come back here to the READ & RUN ME if necessary afterwards.

0: Preliminary House Cleaning

Work thru the below link and first uninstall any bad stuff that should not be installed on your PC. This may in some instances even resolve your problems.

Uninstall Malware via Add/Remove Programs

This second step of house cleaning may save a load of time later and can significantly reduce the size of logs being posted later.

· Empty any quarantine folders for antivirus and antispyware applications. Make sure you do this. Logs could be huge otherwise.
· If you are a Symantec/Norton user make sure you empty their Norton Nprotect folder guarding the Recycle Bin. See Emptying the Norton Protected Recycle Bin
· Empty your Recycle Bin

1: Disable System Restore temporarily (only applies to WinXP & WinME) After Malware has been Removed

It appears that people are not reading step 1 properly! DO NOT DISABLE SYSTEM RESTORE YET!!!!! Only disable after malware problems have been resolved!

Note: We highlight this step here now so you do not miss it but DO NOT DISABLE System Restore yet. After your system has been cleaned, disable System Restore, reboot and then re-enable. We are telling you about this here in step 1, because otherwise you will not know it needs to be done afterwards because you will not look at the READ ME again after you are already clean.

If you have been infected with any trojans, spyware, etc, they could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files that may contain viruses inside them. Please follow instructions to disable system restore but only after you have already cleaned your system of the malware. Keeping even infected restore points around while we are fixing things may prove useful if something goes wrong during the process.

Disable And Enable System Restore

The reason for doing this after your system has been completely cleaned of problems, is so we can remove possible infected restore points. When you disable system restore, it removes restore points! Then you should reboot and then re-enable system restore.

2: Enable viewing of hidden files, system files and file extensions

Some programs hide themselves by making their files invisible in normal Windows settings. Run the steps in the below link (has steps for ALL Win OS's) to make them easier to find.

How to view hidden, system files & folders!

Not doing this could allow file extensions commonly used by trojans and spyware to be hidden, for example a file ending in .exe or dll making manually finding it, if needed, difficult to impossible.

3: Do not use Multiple Antivirus Applications

If you have multiple antivirus applications installed on your PC, please choose the one you prefer and uninstall all others. Do this now before continuing because you will only be asked to do it later if not done now. This does not mean online scanners. It is only referring to full antivirus applications like McAfee, Symantec, AVG, Avast, AntiVir, Kaspersky, etc.

4: Downloading Tools

Download the following tools and save in your favorite download folder or create one, for example C:\Spyware Tools or C:\Downloads. (It is not a good idea to download them to any folder within C:\Documents and Settings.) And then install, update, and configure as indicated below. Do not run the scans until later when indicated.

· CCleaner.............Install only, then exit. We will run tools later. MAKE SURE you uncheck the option to install the Yahoo Toolbar when installing CCleaner. We do not want to install any unnecessary baggage. It will install by default unless unchecked. Also it is recommended to login to any other User Accounts on the PC and run CCleaner on each one. This can reduce scan time and logs from the later scanning you will do below.
· Ad-Aware SE…..Install, click Check for Updates now and get any updates, then exit.
· SpyBot - Search & Destroy PLEASE leave all settings at default!!!! Install, do the search for updates now and get any updates, then fix the below problem with Spybot default products. If you get an error message about "bad checksum" when trying to update, just choose a different server location. Also look for the Immunize feature in Spybot and use it. Do not use the Teatimer function. It can be a resource hog and also makes removal of certain problems more difficult. Make sure you leave the SDhelper (IE bad download blocker) checked to install (this is the default).
  Fixing SpyBot's Ignore Products Bug: Please run SpyBot and get into the Advanced mode by selecting Mode and then Advanced mode. Then select Settings and then in the left column select Ignore Products. In the right window pane make sure the All products tab is selected. Then in that window, right click your mouse and choose "Deselect all". Now exit Spybot. We will run a scan later.
· Microsoft Windows Defender 1051 (Beta 2) - Install it and update it (this can only be used with Windows 2000 SP4/XP SP2 /2003 SP1)
· Microsoft Windows Malicious Software Removal Tool (this can only be used with Windows 2000/XP/2003)
· CounterSpy Only install and run CounterSpy if you cannot run Microsoft Windows Defender which is only for Windows 2000 SP4/XP SP2 /2003 SP1. So all you Win98Se and Win Me users should use CounterSpy. Win95 and Win98 users are out of luck. Also, if you do not have the correct SP levels for Win 2K/XP/2003, you should use CounterSpy. Time for you to get updated to a newer OS.
· Hijack This! – Please do not post HijackThis logs until steps 1 thru 6 are followed and then make sure you follow step 7 to post logs properly as attachments. See: HOW TO: Attach Items To Your Post

Optional tools (not required for all cases):

· CWShredder ......No installation required! Just unzip it to a folder.
· Kill2me..............No installation required! Just unzip it to a folder.

Your system is now ready to be properly scanned for spyware, trojans and viruses. So let’s start the cleaning phase. Do not skip any of these procedures covered in steps 5 and 6 below!

5: Cleaning Malware

Important Note Before continuing with the below scans: The best method to remove malware is to do it after booting in Safe Mode with no connection to the internet possible and no browsers running. Booting in safe mode is important because best results are achieved since safe mode disables most drivers and running programs. If you cannot boot in safe mode due to the malware problem then run the scans in normal boot mode but make sure you tell us later in any messages you post. Thus you will need to print or save these instructions locally in a text file so you can refer to them while offline. Do this before continuing!

· Reboot into safe mode: Starting your computer in Safe mode
· Physically unplug your cable to the internet (even if you have dial-up, unplug modem)
· Shut down ALL unrequired applications including browsers
· Run Ccleaner with the default options to clean out temporary files. Only use the Default Scan on the Windows Tab and select Run Cleaner. Do not run any other options from other tabs.
· Microsoft Windows Malicious Software Removal Tool and clean all that it finds.
· Run Ad-Aware SE and select Perform full system scan box and allow it to fix all that it finds
· Run Spybot Search & Destroy and allow it to fix all that it finds. Make sure you use the Immunize feature and use the SDHelper function but do not use Teatimer.
· Run Microsoft Windows Defender and allow it to fix all that it finds

All of you Win9x & ME users and Win 2K/XP/2003 users with old SP levels should be running CounterSpy at this point since you cannot run Microsoft Windows Defender. Also attach the log from CounterSpy later if you still have problems. To get the log after scanning. Click View -> Spyware Scan -> View Spyware Scan History. Next click on the scan you want to view, then click view full details of scan. Right-click anywhere in the window that just opened, click on Select All, right-click again select Copy. Now open notepad and right-click anywhere in notepad and select Paste. Now Save As CounterSpy.txt and attach to your next post. See: HOW TO: Attach Items To Your Post

Optional tools to scan with:

· CWShredder – run if you seem to have any CWS type infections. Make sure you select Fix
· Kill2Me – run if you have indications of a Look 2 Me parasite

6: Online Virus And Trojan Scanning

Please run the below two online scanning tools and make sure you save and attach the logs later to any request for help that you post. From step 5 you should already be in safe mode but you will need to reconnect your cable now and possibly reboot and choose Safe Mode with Networking Support. If you cannot connect in safe mode for any reason (like dial-up users), run the online scanners in normal boot mode. You will need to use Internet Explorer to run these online scans.

Also MAKE SURE YOU HAVE THE LATEST SUN JAVA Version installed (currently 5.0 Update 6). This may help prevent some problems in trying to get these online scanners to run. Get Sun Java here: http://java.com/en/

*** MAKE SURE YOU RUN BITDEFENDER BEFORE PANDA ACTIVE SCAN ***

Bitdefender: agree to the license and then select Scan. Once Bitdefender completes the scan:

· Click-on the Detected Problems tab.
· Then select Click here to export the scan report
· When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click save.
· This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html. If you do not follow these steps, you will have an incorrect log or worse a log summary which is useless to us.
· Post the bdscan.txt file as an ATTACHMENT. See: HOW TO: Attach Items To Your Post

Panda ActiveScan: It will only fix certain viruses and trojans. Most items found will not be fixed. When it finishes the scan click on See Report. Then in the next window click Save Report. The default report name is Activescan.txt. Just save it where you can find it so you can attach to your message when you begin a thread with a request for help. If you have any problems trying to get a PandaActiveScan log, see the following link with more detail and follow it step by step: Using PandaActiveScan

After running all the tools and fixing what they find, reboot in normal mode. You have a few options now if you still have problems at this point:

******------******------******------******------******------******------
NOTE THIS IS WHERE I STOPPED..I STARTED HJT-RAN A LOG AND posted to this forum
-cookanderson
******------******------******------******------******------******------

· See if your problem is covered in one of the threads mentioned in another sticky thread titled Special Removal Procedures. For example: about:blank or HSA hijacker problems, SpySheriff, SpyAxe, Smitfraud, Virtumonde aka WinFixer, etc.
· Proceed on your own - if you want to continue to work on your own, look at the Alternative Scans (section 8) below.
· Request help - you should post a message requesting help, but make sure you indicate in your post that you've already followed the instructions on this page so we don't waste your time and our time by posting a link to it in your thread. Also, it would be helpful to indicate what kind of problems the above steps have found and fixed (and failed to fix). Also you must attach the logs from BitDefender and PandaActiveScan. You can also attach a log from HijackThis, but you must follow the directions in step 7 below.

7: HijackThis log posting

Since so many new problems end in requiring a Hijack This! log anyway, it will be okay to post a HijackThis log if you are still having problems. But only if you have completed all the above steps and you must attach your log to your message. See: HOW TO: Attach Items To Your Post

Also you must install HijackThis properly per the instructions in the below link. Depending on which OS you have, you may need an application like WinZip to extract hijackthis.exe from the downloaded ZIP file.

***** MAKE SURE YOU CLICK THE BELOW LINK AND FOLLOW DIRECTIONS! TOO MANY PEOPLE ARE SKIPPING IT! *****

Downloading, Installing, and Running HijackThis

8: Alternative Scans - If still having problems, see: Alternative Scans

9: Keeping your computer safe and secure: See the following thread and complete the steps: How to Protect yourself from malware!
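A read-only triage pass over a HijackThis log like the one in the post above, as an added example that is not part of the original post and not code from HijackThis or MajorGeeks. It parses each entry into its section code (also re-splitting a log that was pasted inline and lost its line breaks) and lists entries for a reviewer to look at first; the three checks are assumptions of this example, not verdicts, and the sample lines are copied from the log above.

```python
import re
from collections import Counter

# Meaning of the section codes that occur in the log above.
SECTIONS = {
    "R0": "IE start/search page",
    "R1": "IE start/search page or proxy setting",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "Autostart (Run key / Startup folder)",
    "O8": "IE context-menu item",
    "O9": "IE extra button / Tools menu item",
    "O16": "ActiveX control (Downloaded Program Files)",
    "O23": "Windows service",
}

CODE = r"(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2})"
ENTRY = re.compile(r"^(" + CODE + r") - (.*)$")
# Whitespace directly in front of a section code: used to restore line breaks
# in a log that was pasted inline and flattened into one long line.
BEFORE_CODE = re.compile(r"\s+(?=" + CODE + r" - )")

# Review heuristics (assumptions of this example). A hit means "look here
# first", not "malicious". Tuple: (flag name, applicable codes or None, regex).
CHECKS = [
    ("file_missing", None, re.compile(r"\((?:file missing|no file)\)\s*$")),
    ("temp_path", None, re.compile(r"\\te?mp\\", re.I)),
    ("tmp_module", {"O2", "O3"}, re.compile(r"\.tmp(?:\s|$)", re.I)),
]


def parse_log(text):
    """Return [(code, body), ...]; header and process lines are skipped."""
    entries = []
    for line in BEFORE_CODE.sub("\n", text).splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def flags_for(code, body):
    """Names of the checks that this entry trips."""
    return [name for name, codes, rx in CHECKS
            if (codes is None or code in codes) and rx.search(body)]


def triage(entries):
    """Return (code, body, flags) for entries that tripped at least one check."""
    flagged = []
    for code, body in entries:
        flags = flags_for(code, body)
        if flags:
            flagged.append((code, body, flags))
    return flagged


def section_counts(entries):
    """Number of entries per section code."""
    return dict(Counter(code for code, _ in entries))


# Lines copied from the log in the post above.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp56A0.tmp
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Matthew\LOCALS~1\Temp\200572910344_mcinfo.exe /insfin
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE)
    for code, count in section_counts(entries).items():
        print(f"{code:>3}  {count}  {SECTIONS.get(code, 'other')}")
    print()
    for code, body, flags in triage(entries):
        print(f"[{', '.join(flags)}] {code} - {body}")
```

Nothing is changed on the machine: the script only reads log text, so what to fix remains a decision for the person reviewing the log.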
cookanderson one other thing...
prior the security issue, went ... Apr 20 2006, 07:39 PM
Trevuren Your decision to move to FireFox is a wise one. I... Apr 20 2006, 08:38 PM
Trevuren Since this issue appears to be resolved ... this T... Apr 30 2006, 12:07 PM